Moodle / MDL-25174

Quotes in passwords prevent login after upgrade to Moodle 2.0


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Authentication
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      To reproduce (you will need a 1.9 and a 2.0 installation to compare):

      In the 'validate_internal_user_password' function in lib/moodlelib.php add an echo or similar to display the password as it is inside this function. Log in to each Moodle in turn with a password that contains double quotes and a manual user (no need to be the real password for that user).

      If, for example, the password was pa"ss"word (with the quotes), the echo in the validate function in 1.9 will display:

      pa\"ss\"word

      The same thing in 2.0 will produce:

      pa"ss"word

      Presumably the same thing happens when the password is created or changed. However, the result is that a password with quotes that worked in 1.9 will fail after an upgrade to 2.0. As many people will be using non-alphabetic characters in their passwords (as recommended) this is likely to be a serious issue for upgraders. The only reason it isn't a blocker is that password recovery should get you out of trouble!
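
The mismatch described in the report, as an added example that is not part of the original report and is not Moodle's code: a hash stored from the backslash-escaped string no longer matches a hash of the raw string, and a login check can tolerate that by also trying the escaped form. The MD5 hashing, the use of `addslashes()` to model the 1.9 escaping, and the function names `legacy_hash` and `verify_after_upgrade` are assumptions made for illustration.

```php
<?php
// Added illustration, not Moodle code. Assumption: the stored hash is an
// MD5 of the password string exactly as the login code received it.

// Hypothetical helper: hash as it would be computed when the request value
// arrives with quotes already backslash-escaped (the 1.9 behaviour reported).
function legacy_hash(string $typed): string {
    return md5(addslashes($typed));
}

// Hypothetical upgrade-tolerant check: compare the raw string first, then
// the escaped form that the older version would have hashed.
// Returns 'match', 'legacy-match' (the caller should re-hash the raw
// password and store that) or 'no-match'.
function verify_after_upgrade(string $typed, string $stored): string {
    if (hash_equals($stored, md5($typed))) {
        return 'match';
    }
    $escaped = addslashes($typed);
    // Only retry when escaping actually changes the string.
    if ($escaped !== $typed && hash_equals($stored, md5($escaped))) {
        return 'legacy-match';
    }
    return 'no-match';
}

// Constructed sample data using the password from the report.
$typed  = 'pa"ss"word';
$stored = legacy_hash($typed);   // what the upgraded site would still hold

// Raw comparison, as the report observes in 2.0.
var_dump(hash_equals($stored, md5($typed)));

// Quoted password, password without special characters, wrong password.
echo verify_after_upgrade($typed, $stored), "\n";
echo verify_after_upgrade('password', legacy_hash('password')), "\n";
echo verify_after_upgrade('pa"ss"wrong', $stored), "\n";
```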

            People

            Assignee:
            skodak Petr Skoda
            Reporter:
            howardsmiller Howard Miller
            Tester:
            Nobody
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              24/Nov/10