samigo test password does not validate special characters

Description

If a samigo test’s password contains special characters like “>”, students are unable to start the test when entering the correct password.

What happens is that the password is being stored in the database (in SAM_ASSESSACCESSCONTROL_T and SAM_PUBLISHEDACCESSCONTROL_T) as e.g. “hello&gt”, but when the student enters “hello>” the passwords don’t match.

  1. Should the password’s special characters be converted to HTML entities?

  2. Should the password be stored as an encrypted password?

  3. Depending on #1, if yes, the password from the database needs to be converted to plaintext before comparing, or the student’s entered password needs to be converted to HTML entities.
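The comparison described in the report, as an added illustration that is not Sakai's code (Sakai is Java; this is Python so it can be run stand-alone). It shows why a plain string equality fails against rows the buggy save path wrote ("hello&gt;" in the database, "hello>" typed by the student), and one compatibility check that accepts both the plain and the entity-encoded spelling of the same password without widening what is accepted otherwise. The table name is real but the row ids and password values are constructed sample data, and `password_matches` / `find_encoded_rows` are names chosen here, not functions in the Sakai codebase.

```python
"""Added example (not Sakai's code): validating a quiz password whose stored
form may be HTML-entity-encoded, as in the SAK-49079 report."""
import hmac
import html

# Constructed sample rows standing in for SAM_PUBLISHEDACCESSCONTROL_T.
# The first two are what the reported bug leaves behind (password encoded on
# save); the last two are what an unencoded save path writes. Ids are made up.
STORED_PASSWORDS = {
    "legacy-gt": "hello&gt;",      # reporter's case: "hello>" saved encoded
    "legacy-amp": "a&amp;b&lt;c",  # several entities in one password
    "plain-gt": "hello>",          # saved as typed
    "plain-literal": "x&gt;y",     # the user literally chose the text "x&gt;y"
}


def _eq(a: str, b: str) -> bool:
    """Constant-time compare so a wrong guess does not leak how many
    leading characters matched."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def broken_matches(stored: str, entered: str) -> bool:
    """The behaviour the report describes: exact equality, so an encoded row
    never matches the password the instructor actually set."""
    return _eq(stored, entered)


def password_matches(stored: str, entered: str) -> bool:
    """Accept the entered password against a stored value that is either the
    plain text or an HTML-entity-encoded copy of it (legacy rows).

    The raw comparison runs first so a password that genuinely contains
    "&gt;" still works; the decoded comparison only rescues rows that were
    encoded on save. Decoding the stored side (rather than encoding the
    entered side) avoids having to reproduce exactly which characters the
    original encoder escaped. Residual caveat: a plain password that itself
    looks like an entity ("x&gt;y") also accepts its decoded form ("x>y").
    """
    if _eq(stored, entered):
        return True
    decoded = html.unescape(stored)
    return decoded != stored and _eq(decoded, entered)


def find_encoded_rows(rows: dict) -> list:
    """Ids of rows whose stored password changes under entity decoding: the
    candidates the buggy save path produced (plus any plain password that
    happens to look like an entity, so inspect before rewriting them)."""
    return sorted(k for k, v in rows.items() if html.unescape(v) != v)


if __name__ == "__main__":
    for row, pw in STORED_PASSWORDS.items():
        typed = html.unescape(pw)  # what the instructor originally typed
        print(f"{row:14s} broken={broken_matches(pw, typed)!s:5s} "
              f"fixed={password_matches(pw, typed)}")
    print("rows to migrate:", find_encoded_rows(STORED_PASSWORDS))
```

The long-term fix the discussion below converges on is to stop encoding on input; the decode-on-compare path above is only a bridge for rows already written in encoded form, and `find_encoded_rows` is the query-equivalent you would run to size that backlog before deciding whether to migrate the data.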

Activity


Andrea Schmidt March 12, 2024 at 9:34 PM

Verified on 23x: https://qa23-maria.nightly.sakaiproject.org/, build: 6d1f04d4
22x: https://qa22-mysql.nightly.sakaiproject.org/, build: 085e3777

Tested with several special characters and also tested with an incorrect password.

Christina Schwiebert March 1, 2024 at 9:20 PM

Verified on Trunk - https://trunk-maria.nightly.sakaiproject.org/, build cacfaef2. Tests & Quizzes passwords with special characters matched and allowed the student to complete the test.

Automation for Jira February 23, 2024 at 8:45 AM

A pull request has been created, "SAK-49079 samigo test password does not validate special characters", you can see it at https://github.com/sakaiproject/sakai/pull/12396

Miguel Pellicer January 12, 2024 at 1:01 PM

Hey, this fixes the password validation on output, but I think the issue happened on input: passwords were encoded, I suppose because of an XSS vulnerability.

I feel the existing behavior is wrong; we shouldn’t encode the input, and we shouldn’t escape the output. Unfortunately, we have hundreds of entries with the encoded password, so your patch fixes our case, thank you.

Earle Nietzel July 11, 2023 at 2:45 PM

Core call reviewed on 7/11/23 and decided that this is not a security issue.

While saving the password is incorrect (a bug), it is not giving undue access.

Fixed

Details

23 Status: QA Verification Pass
22 Status: Verified
21 Status: Please Merge

Created July 3, 2023 at 8:55 PM
Updated March 12, 2024 at 9:34 PM
Resolved February 29, 2024 at 10:16 PM