This repository has been archived by the owner on Oct 26, 2022. It is now read-only.

password in resetPassword() not URL encoded #1

Open
dgerhardt opened this issue Jul 7, 2016 · 2 comments

Comments

@dgerhardt
Member

@Rillke (thm-projects/arsnova-mobile#66):

I'd like to apologize for reporting here as it is a customization issue; it seems to be impossible for me to get an account at https://git.thm.de.

In https://git.thm.de/arsnova/arsnova-customization/blob/master/src/main/webapp/account.html#L280 it seems you send the new password not URL encoded. Users may type %20 or similar in their passwords and do not expect that they have to fill in a white space at next login time.
To mitigate this issue, I suggest e.g. copying jQuery.post. It takes care of this and a lot more, e.g. the issue reported in thm-projects/arsnova-backend#36.

On arsnova.eu, there is additionally (b.) the issue that the reset button is greyed out and (c.) you are redirected to https://arsnova.thm.de/blog/ after logging in.

Steps to reproduce on arsnova.eu:

1. Go to https://arsnova.eu/mobile/
2. Press Dozent/in
3. Press ARSnova
4. Register and reload this page (F5).
5. Click "Passwort vergessen" and get a reset link
6. Open the reset link from your inbox
7. You can fill in passwords now but you can't submit the form. (b.) Fill in no%20Space as the new password in both fields.
8. Open a DOM inspector and remove the disabled attribute from the submit button. Submit the form.
9. Now enter your e-mail address and no Space as the password (a.) and submit.
10. You end up at https://arsnova.thm.de/blog/ (c.)
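The encoding bug from the report (a.), as an added example that is not part of this thread or of the arsnova code: decodeBody() stands in for the server's standard application/x-www-form-urlencoded decoding (an assumption about the backend), the e-mail address is a constructed sample, and the two build functions contrast raw string concatenation with proper encoding.

```javascript
// Server-side view: decode an application/x-www-form-urlencoded body.
// Assumed to match what the backend does with the reset/login request.
function decodeBody(body) {
  const params = {};
  for (const pair of body.split("&")) {
    const [k, v = ""] = pair.split("=");
    // "+" means space in form encoding; %XX sequences are decoded afterwards.
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return params;
}

// Buggy client: values are concatenated verbatim, as described in the issue.
// A password "no%20Space" arrives at the server as "no Space".
function buildBodyUnencoded(email, password) {
  return "email=" + email + "&password=" + password;
}

// Fixed client: every value goes through URLSearchParams, which percent-encodes
// "%", "&", "=", "@" and friends (jQuery.post does the same for object data).
function buildBodyEncoded(email, password) {
  return new URLSearchParams({ email, password }).toString();
}

// Send a password through a builder and report what the server would store.
// Returns null when the server's decoder rejects the body (malformed %-sequence),
// e.g. an unencoded password ending in "%".
function roundTrip(builder, password) {
  const sampleEmail = "user@example.com"; // constructed sample address
  try {
    return decodeBody(builder(sampleEmail, password)).password;
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// Demonstration when run directly: only the encoded path preserves the password.
for (const pw of ["no%20Space", "a&b=c", "100%"]) {
  console.log(JSON.stringify(pw), "unencoded ->", JSON.stringify(roundTrip(buildBodyUnencoded, pw)),
              "encoded ->", JSON.stringify(roundTrip(buildBodyEncoded, pw)));
}
```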

@dgerhardt
Member Author

Thank you for reporting this issue.

it seems you send the new password not URL encoded.
[...]
On arsnova.eu, there is additionally (b.) the issue that the reset button is greyed out and (c.) you are redirected to https://arsnova.thm.de/blog/ after logging in.

(a) and (c) have been fixed.
Regarding (b): The button was only disabled if the password contained URL-encodable characters?

@Rillke

Rillke commented Jul 8, 2016

I can't reproduce (b) anymore but am still redirected to https://arsnova.thm.de/blog/ when coming from the password-reset link which is sent by e-mail, after switching to the log-in form and logging in.

I guess this is because https://arsnova.eu/ redirects there and the reset password link contains no redirect target. It looks like this: https://arsnova.eu/thm/account.html?action=resetpassword&[email protected]&key=someChars
