Closed Bug 896652 Opened 11 years ago Closed 11 years ago

Special chars (eg umlauts) in password break xmpp login

Categories

(Thunderbird :: Instant Messaging, defect)

23 Branch
x86_64
Windows 8
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 26.0

People

(Reporter: klemens, Assigned: florian)

Details

Attachments

(1 file, 1 obsolete file)

Login to a xmpp account with the correct password fails when the password contains an umlaut (eg. ä).
Instead an error is displayed in the account list: "Fehler: Nicht autorisiert (Wurde ein falsches Passwort eingegeben?)" (English ~ "Error: not authorized. (Have you entered a wrong password?)")
There is no output in the developer console.

The login works with the same account and password using Miranda, Pidgin and Gibberbot. The server is running prosody 8.2.

Could be related to Bug 713295.
I remember fixing this in a different bug for accentuated characters in Facebook passwords. For these passwords to work on Facebook chat (which is using the same XMPP implementation), I ensured the passwords were treated as UTF8 strings during hashing; and I know Pidgin is broken for connecting to Facebook chat when a password contains accentuated characters.
So in that bug I fixed the encoding for the DIGEST-MD5 auth method. Maybe the server here is using PLAIN (likely if the connection is encrypted)?

A debug log would be helpful to be sure, but I'm afraid a debug log would contain the password :-(.
The server is actually mine and encryption is enforced using START_TLS. Thus the authentication is always PLAIN.
Because I am not the only user, I would rather not disable the encryption (and then wireshark the traffic). So is there a way to create such a log in Thunderbird?
If this it not possible, I am going to setup a local server instance and create a complete log there.
Thunderbird unfortunately only dumps to the error console, in about:config (Tools > Options > Advanced > General > "Config editor...") search for "loglevel" and change the purple.loglevel pref. (I don't remember exactly what it's called.)

Now when you connect a lot of stuff should be output into the error console (Tools > Error console) showing the sent/received stanzas. You can copy & paste via the context menu (unfortunately only one at a time...)
(In reply to klemens from comment #4)
> The server is actually mine and encryption is enforced using START_TLS. Thus
> the authentication is always PLAIN.

Ok, if the authentication is PLAIN, I have never tested special characters in passwords and I wouldn't be surprised if something doesn't work.

I wanted the debug log mostly to check if PLAIN was used.

> Because I am not the only user, I would rather not disable the encryption
> (and then wireshark the traffic). So is there a way to create such a log in
> Thunderbird?

There are ways (and it's even easier from Instantbird), but if we are sure the problem is with PLAIN, what we'll need next to fix the bug is a test account with special chars in the password. It shouldn't be difficult to get one.
Ok, setting purple.debug.loglevel to 1 worked well:

For a user "thundertest" with password "abcö" the following PLAIN auth request is sent:
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl"
mechanism="PLAIN">AHRodW5kZXJ0ZXN0AGFiY/Y=</auth>

The base64 decodes correctly, but as assumed to ASCII instead of UTF-8.
Attached patch Patch (obsolete) — Splinter Review
I don't have a test account, but with the attached patch the base64 value becomes AHRodW5kZXJ0ZXN0AGFiY8ODwrY= for the user "thundertest" / password "abcö" data from comment 7.

Can you confirm if this is the value sent by other XMPP clients?
Attachment #779810 - Flags: review?(clokep)
AHRodW5kZXJ0ZXN0AGFiY8ODwrY= does not seem correct. It utf-8-decodes to "\0thundertest\0abcö" which looks like utf-8 read as ASCII and encoded as utf-8 again.
The correct value should be "AHRodW5kZXJ0ZXN0AGFiY8O2" (according to Miranda and a successful login). This utf-8-decodes nicely to "\0thundertest\0abcö".

You can use the account thundertest with the same domain as my e-mail for testing if you want.

Btw, according to RFC 4616 the username should also be encoded as utf-8.
Attached patch Patch v2Splinter Review
This gives the AHRodW5kZXJ0ZXN0AGFiY8O2 result, I got confused during my testing, sorry.
Attachment #779810 - Attachment is obsolete: true
Attachment #779810 - Flags: review?(clokep)
Attachment #779838 - Flags: review?(clokep)
Checked into Instantbird: http://hg.instantbird.org/instantbird/rev/1aea1bdc6663
Assignee: nobody → florian
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
https://hg.mozilla.org/comm-central/rev/eccad2d6c1d0
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 26.0
You need to log in before you can comment on or make changes to this bug.