Fix #611 - [Legacy] Handle special characters in password authentication

Users with passwords containing special characters like <, >, ", ' could not authenticate due to HTML encoding applied during password storage but not during login verification. This prevents legitimate users from accessing their accounts and requires password resets.

Resolve by using RAW_REQUEST data before XSS processing in legacy password forms to ensure consistent character handling between password storage and authentication verification.
Moises E. Puyosa 2025-07-29 11:03:21 -05:00
parent 1ac4f6d699
commit 6f9c6d2dae
3 changed files with 13 additions and 5 deletions


@ -53,7 +53,10 @@ if (isset($_POST['saveConfig'])) {
} else {
$record = $_POST['record'];
$focus->retrieve($record);
if (!$focus->change_password($_POST['old_password'], $_POST['new_password'])) {
global $RAW_REQUEST;
$oldPassword = $RAW_REQUEST['old_password'] ?? $_POST['old_password'] ?? null;
$newPassword = $RAW_REQUEST['new_password'] ?? $_POST['new_password'] ?? null;
if (!$focus->change_password($oldPassword, $newPassword)) {
SugarApplication::appendErrorMessage($focus->error_string);
SugarApplication::redirect('index.php?action=ChangePassword&module=Users&record=' . $record);
}
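Review bot: The `?? $_POST['old_password']` / `?? $_POST['new_password']` fallbacks on the two new assignments quietly reintroduce the encoding mismatch this commit fixes whenever `$RAW_REQUEST` is not populated for this entry point, since `change_password()` would then again receive the XSS-filtered value; if the bootstrap guarantees `$RAW_REQUEST` here, drop the fallback so a missing raw value fails loudly, and if it does not, a comment such as `// $RAW_REQUEST is absent when <condition>; the filtered value is only acceptable because …` should state when the fallback is expected. The same three lines (`global $RAW_REQUEST;` plus the two assignments) are repeated in the reset-password hunk and in the `User` class hunk, so a single helper returning the raw password field would keep the three call sites from drifting. Because the unfiltered value is now in scope, it must flow only into the hashing path: `$focus->error_string` is appended to the page on the line after the check, so confirm that `change_password()` never echoes either password into that message. Accounts whose stored hash was derived from the HTML-encoded form are presumably not repaired by this change and will still need a reset, which the description could say explicitly.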


@ -105,7 +105,8 @@ if (!empty($_REQUEST['guid']) && !empty($_REQUEST['key'])) {
}
if (!$expired) {
$password = $_POST['new_password'] ?? '';
global $RAW_REQUEST;
$password = $RAW_REQUEST['new_password'] ?? $_POST['new_password'] ?? '';
$usr = new user();
$errors = $usr->passwordValidationCheck($password);
// if the form is filled and we want to login


@ -711,10 +711,14 @@ class User extends Person implements EmailInterface
$this->savePreferencesToDB();
if ((isset($_POST['old_password']) || $this->portal_only) &&
(isset($_POST['new_password']) && !empty($_POST['new_password'])) &&
global $RAW_REQUEST;
$oldPassword = $RAW_REQUEST['old_password'] ?? $_POST['old_password'] ?? null;
$newPassword = $RAW_REQUEST['new_password'] ?? $_POST['new_password'] ?? null;
if ((isset($oldPassword) || $this->portal_only) &&
(isset($newPassword) && !empty($newPassword)) &&
(isset($_POST['password_change']) && $_POST['password_change'] === 'true')) {
if (!$this->change_password($_POST['old_password'], $_POST['new_password'])) {
if (!$this->change_password($oldPassword, $newPassword)) {
if (isset($_POST['page']) && $_POST['page'] === 'EditView') {
SugarApplication::appendErrorMessage($this->error_string);
SugarApplication::redirect("Location: index.php?action=EditView&module=Users&record=" . $_POST['record']);