Open
Bug 1349188
Opened 9 years ago
Updated 9 years ago
POST /rest/user does not create password for new user when a password is specified as an URL parameter
Categories
(Bugzilla :: WebService, defect)
UNCONFIRMED
People
(Reporter: cmigliorini, Unassigned)
Details
(Whiteboard: [sec-insecure-third-party-site-reviewed])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
Steps to reproduce:
> Create user 'toto2@sidetrade.net'
curl -H "Content-Type: application/json" --data '{"email":"toto2@sidetrade.net", "full_name":"toto", "password":"%ù%ù1234"}' 'http://bugzilla/rest/user?login=cto@sidetrade.com&password=CTO$PASSWORD1'
> try to login as toto2@sidetrade.net
curl 'http://bugzilla/rest/login?login=toto3@sidetrade.net&password=%ù%ù1234'
Actual results:
> Login failed.
{"documentation":"https://bugzilla.readthedocs.org/en/5.0/api/","error":true,"code":300,"message":"The login or password you entered is not valid."}
> A look at the database shows that the "password" field for login toto2@sidetrade.net in "profiles" is '*'.
Expected results:
> login succeeded
{"id":5,"token":"5-3lhmlSw3ue"}
> Workaround: using an api_key or calling /rest/login first works.
> Possible cause: URL 'password' field and JSON 'password' field collide.
Updated by Reporter • 9 years ago
Component: Bugzilla-General → WebService
Comment 1 (Reporter) • 9 years ago
Oops. This
> > try to login as toto2@sidetrade.net
> curl 'http://bugzilla/rest/login?login=toto3@sidetrade.net&password=%ù%ù1234'
should read
curl 'http://bugzilla/rest/login?login=toto2@sidetrade.net&password=%ù%ù1234'
Comment 2 • 9 years ago
I'll take a look at this -- it should work.
But I'd recommend against using username/password for REST and instead make use of API keys.
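Added example, not part of the bug thread and not Bugzilla's code: a small model of the collision the reporter suspects, where credentials from the URL and fields from the JSON body share one parameter namespace, next to a handler that keeps the two sources apart. The handler names, the scrub-after-authentication step and the sample values are assumptions constructed for illustration.

```python
# Constructed model of a query-string/JSON-body name collision.
# Assumption: NOT Bugzilla's implementation; it only follows the
# "Possible cause" given in the report.
from urllib.parse import parse_qs

AUTH_KEYS = ("login", "password")  # credential names used in the report's URL
DISABLED = "*"                     # value the reporter found in "profiles"

# Constructed sample request (not the values from the report).
SAMPLE_QUERY = "login=admin@example.test&password=admin-secret"
SAMPLE_BODY = {"email": "new@example.test", "full_name": "New User",
               "password": "new-user-secret"}


def _first_values(query: str) -> dict:
    """Flatten parse_qs output to one value per name."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def merged_handler(query: str, body: dict) -> dict:
    """Hypothetical flawed flow: URL and body parameters share one namespace."""
    params = {**body, **_first_values(query)}
    if not all(k in params for k in AUTH_KEYS):
        raise PermissionError("no credentials")
    for key in AUTH_KEYS:          # credentials are scrubbed after login...
        params.pop(key)            # ...and the new user's password goes with them
    return {"email": params["email"],
            "password": params.get("password", DISABLED)}


def separated_handler(query: str, body: dict) -> dict:
    """Credentials come only from the URL, user fields only from the body."""
    creds = {k: v for k, v in _first_values(query).items() if k in AUTH_KEYS}
    if len(creds) != len(AUTH_KEYS):
        raise PermissionError("no credentials")
    return {"email": body["email"],
            "password": body.get("password", DISABLED)}


def colliding_keys(query: str, body: dict) -> set:
    """Names present in both sources; a server can reject or log these."""
    return set(parse_qs(query)) & set(body)


if __name__ == "__main__":
    print(merged_handler(SAMPLE_QUERY, SAMPLE_BODY))     # password is "*"
    print(separated_handler(SAMPLE_QUERY, SAMPLE_BODY))  # password is kept
    print(colliding_keys(SAMPLE_QUERY, SAMPLE_BODY))
```

Sending the credential outside the parameter namespace, as the API-key recommendation in Comment 2 does, removes the overlap that `colliding_keys` reports.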