Closed Bug 95535 Opened 23 years ago Closed 23 years ago

Password reset issues tokens w/ "&" in them, URL not escaped

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
Bugzilla 2.14

People

(Reporter: justdave, Assigned: justdave)

Attachments

(1 file)

I requested a password reset on one of the landfill installs and got this (you'll have to ignore the fact that someone forgot to set the baseurl in editparams). Notice that the token on the end of the URL contains a & in the token, and it didn't get escaped in the URL.

Date: Wed, 15 Aug 2001 18:26:16 -0700
From: bugzilla-daemon@landfill.tequilarista.org
To: dave@intrec.com
Subject: Bugzilla Change Password Request

You or someone impersonating you has requested to change your Bugzilla password. To change your password, visit the following link:

http://cvs-mirror.mozilla.org/webtools/bugzilla/token.cgi?a=cfmpw&t=V&l*Cv0w

If you are not the person who made this request, or you wish to cancel this request, visit the following link:

http://cvs-mirror.mozilla.org/webtools/bugzilla/token.cgi?a=cxlpw&t=V&l*Cv0w
Target Milestone: --- → Bugzilla 2.14
*** Bug 95536 has been marked as a duplicate of this bug. ***
The attached patch fixes this, rather than restricting the token characters, by running the token through url_quote(), so the URL still works. I tested this in theory by url_quoting the token in the URL in the above email and successfully changed my password with it.
Status: NEW → ASSIGNED
Keywords: patch, review
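The failure described in this report, and the effect of the url_quote() fix, reconstructed as an added example (not Bugzilla's own Perl code; this uses Python's urllib.parse in place of url_quote(), and the function names are made up for illustration). Both link builders are run through the same query-string parser the server side would apply, so the comparison shows exactly what token.cgi receives in each case. The sample token is the one from the quoted email; any token containing '&', '=', '+', '#' or '%' breaks the naive builder the same way.

```python
from urllib.parse import quote, parse_qs, urlsplit

# Base URL taken from the email quoted in the report.
BASE = "http://cvs-mirror.mozilla.org/webtools/bugzilla/token.cgi"

# Constructed sample token: the one that appeared unescaped in the email.
SAMPLE_TOKEN = "V&l*Cv0w"


def build_link_naive(action: str, token: str) -> str:
    """The pre-fix behaviour: the raw token is interpolated into the query string."""
    return f"{BASE}?a={action}&t={token}"


def build_link_quoted(action: str, token: str) -> str:
    """The fixed behaviour: the token is percent-encoded before interpolation.

    safe='' makes quote() encode '/' and every other reserved character too,
    so '&' becomes '%26' and '*' becomes '%2A'; the CGI layer decodes them back.
    """
    return f"{BASE}?a={action}&t={quote(token, safe='')}"


def token_seen_by_server(url: str):
    """Split the query string the way a CGI parser does and report what arrives.

    Returns (value of 't', sorted list of all parameter names present).
    keep_blank_values=True keeps the stray 'l*Cv0w' fragment visible as a
    nameless parameter instead of silently dropping it.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("t", [""])[0], sorted(params)


def token_roundtrips(token: str) -> bool:
    """True if the quoted link delivers the full token and nothing else leaks
    into extra parameters; used as a regression check for the fix."""
    seen, names = token_seen_by_server(build_link_quoted("cfmpw", token))
    return seen == token and names == ["a", "t"]


if __name__ == "__main__":
    for builder in (build_link_naive, build_link_quoted):
        url = builder("cfmpw", SAMPLE_TOKEN)
        print(builder.__name__, url, token_seen_by_server(url))
```

With the naive builder the server sees t="V" and an unexpected third parameter "l*Cv0w", so the confirm and cancel links both fail token lookup; with the quoted builder the parser hands back the original eight-character token. The same encoding must be applied to every user-supplied or random value embedded in a query string, which is why the fix encodes rather than narrowing the token alphabet.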
Makes sense not to limit the characters that can appear in tokens. I'm a little worried that it might confuse people to see tokens with escape characters if they ever have to type a token into a web form rather than clicking a link containing the token, but right now I can't think of any situation in which that would occur, so it doesn't make sense to worry about it. r=myk
checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → unspecified
QA Contact: matty_is_a_geek → default-qa