[TYPO3-core] Re: RFC#13662: Bug: rsaauth doesn't work with special characters (like ä ü ö § ) in password

Steffen Gebert steffen at steffen-gebert.de
Thu Aug 12 23:40:37 CEST 2010


On 12.08.10 19:43, Steffen Ritter wrote:
>
> BT entry: http://bugs.typo3.org/view.php?id=13662
>
> Branches: 4.3, 4.4, trunk
>
> Problem:
> The JS Libraries RSA-auth uses are only of the first 127 ASCII chars.
> Therefore ö ä ü § etc won't work.

+1 by reading and testing on 4.4

Before committing, I'd like to have Dmitry's "GO".

Attached is a tiny patch, which adds devlog entries while changing the 
PW and login (only works with the salted MD5 method) and helps you 
debug this issue.

While debugging, I didn't see a difference with Komodo/xDebug, so I 
outputted the MD5 of the passwords (which differed, although passwords 
looked the same). In devlog, the entry while Login even gets truncated 
after the first special char.

So the problem (without the patch) is:
* password is set correctly (compare MD5 of your password to the 
outputted), which seems reasonable as it's transmitted in clear-text (as 
Steffen said)
* special char is encoded wrong while login, because only there rsaauth 
is used, so login fails

With the patch
* no changes to existing passwords needed - they're correct
* existing passwords with umlauts, which e.g. already worked with 
lockSSL, should now also work / still work with rsaauth

What I currently dislike
* rsaauth adds the JS files by adding <script> tags. That's why there is 
no ?mtime parameter and browser is not forced to use the updated files. 
But this has nothing to do with this patch - I'll try to find a way 
of adding them through the PageRenderer.

So thanks for your intense investigation, Steffen!

Kind regards
Steffen

-- 
Steffen Gebert
TYPO3 Core Team Member
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 13662_debug.diff
Type: text/x-diff
Size: 952 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100812/d85e987f/attachment.diff>
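
The symptom described in the message above (passwords that look the same but hash differently) as an added example, not code from this thread or from rsaauth. It assumes a hypothetical client-side encoder, `naiveBytes`, that emits one byte per JavaScript code unit, and a backend that compares UTF-8 bytes; `diagnose` reports the first byte offset where the two diverge.

```javascript
// Added example; not code from the thread or from rsaauth.
// Assumption: the client-side encoder emits one byte per UTF-16 code unit
// (naiveBytes, hypothetical), while the backend compares UTF-8 bytes.

function naiveBytes(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    out.push(str.charCodeAt(i) & 0xff); // anything above one byte is cut down
  }
  return out;
}

function utf8Bytes(str) {
  return Array.from(new TextEncoder().encode(str));
}

function toHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join(" ");
}

// Compare both encodings and report the first byte offset where they differ
// (-1 when identical), which is where a hash or login comparison goes wrong.
function diagnose(password) {
  const client = naiveBytes(password);
  const server = utf8Bytes(password);
  const len = Math.max(client.length, server.length);
  let firstDiff = -1;
  for (let i = 0; i < len; i++) {
    if (client[i] !== server[i]) { firstDiff = i; break; }
  }
  return {
    asciiOnly: /^[\x00-\x7f]*$/.test(password),
    clientHex: toHex(client),
    serverHex: toHex(server),
    firstDiff,
    match: firstDiff === -1,
  };
}

// Constructed sample passwords (ä and § written as escapes), not from the bug report.
for (const pw of ["secret", "p\u00e4ssword", "\u00a7x"]) {
  const r = diagnose(pw);
  console.log(JSON.stringify(pw), r.match ? "same bytes" : `differs at byte ${r.firstDiff}`);
  console.log("  client:", r.clientHex, "\n  server:", r.serverHex);
}
```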

