samigo test password does not validate special characters
Activity

Andrea Schmidt March 12, 2024 at 9:34 PM
Verified on 23x: https://qa23-maria.nightly.sakaiproject.org/, build: 6d1f04d4
22x: https://qa22-mysql.nightly.sakaiproject.org/, build: 085e3777
Tested with several special characters and also tested with an incorrect password.
Christina Schwiebert March 1, 2024 at 9:20 PM
Verified on Trunk - https://trunk-maria.nightly.sakaiproject.org/, build cacfaef2. Tests & Quizzes passwords with special characters matched and allowed the student to complete the test.

Automation for Jira February 23, 2024 at 8:45 AM
A pull request has been created, "SAK-49079 samigo test password does not validate special characters", you can see it at https://github.com/sakaiproject/sakai/pull/12396

Miguel Pellicer January 12, 2024 at 1:01 PM
Hey, this fixes the password validation on output, but I think the issue happened on input: passwords were encoded, I suppose because of an XSS vulnerability.
I feel the existing behavior is wrong: we shouldn't encode the input, and we shouldn't escape the output. Unfortunately, we have hundreds of entries with the encoded password, so your patch fixes our case, thank you.
Earle Nietzel July 11, 2023 at 2:45 PM
Core call reviewed on 7/11/23 and decided that this is not a security issue.
While saving the password is incorrect (a bug), it is not giving undue access.
Description

If a samigo test's password contains special characters like ">", students are unable to start the test when entering the correct password.
What happens is that the password is stored in the database (in SAM_ASSESSACCESSCONTROL_T and SAM_PUBLISHEDACCESSCONTROL_T) as e.g. "hello>", but when the student enters "hello>" the passwords don't match.
1. Should the password's special characters be converted to HTML entities?
2. Should the password be stored as an encrypted password?
3. Depending on #1, if yes, the password from the database needs to be converted to plaintext before comparing, or the student's entered password needs to be converted to HTML entities.
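The mismatch described above (an entity-encoded stored value compared against the student's raw input) and the decode-before-compare approach discussed in the comments, as an added Python example that is not Sakai code; the sample rows and function names are constructed for illustration:

```python
import html
import hmac

# Constructed sample values standing in for the PASSWORD column of
# SAM_PUBLISHEDACCESSCONTROL_T: one legacy row where the input was
# HTML-entity-encoded before it was stored (the bug in this issue),
# and one row stored as plain text.
STORED_PASSWORDS = {
    "legacy-encoded": html.escape("hello>"),  # stored as "hello&gt;"
    "plain": "hello>",
}


def naive_check(stored: str, entered: str) -> bool:
    """Comparison as the bug behaves: raw input vs. the stored value as-is."""
    return stored == entered


def check_password(stored: str, entered: str) -> bool:
    """Accept the entered password whether or not the stored value was entity-encoded.

    Legacy rows hold html.escape(password); decoding the stored value recovers the
    original. A plain stored value decodes to itself unless it literally contains
    an entity, so the raw stored value is tried as well. Both comparisons are
    constant-time to avoid leaking where the mismatch occurs.
    """
    candidates = {stored, html.unescape(stored)}
    entered_bytes = entered.encode("utf-8")
    return any(
        hmac.compare_digest(candidate.encode("utf-8"), entered_bytes)
        for candidate in candidates
    )
```

The naive comparison rejects the correct password for the legacy row, while check_password accepts it for both row kinds and still rejects a wrong password.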