[BlueOnyx:21496] Re: 5209R Initial Setup Issue

Larry Smith lesmith at ecsis.net
Thu Oct 26 08:53:37 -05 2017


Really old topic, but just wondering if anything more has
been done to reduce the number of "Forbidden" characters
in the password???  

Have run into an issue where we are
importing a site from another provider (netsol) and many
of the passwords have the at (@) sign in them.  Would 
really like to import them all as-is so the users do not
have changes to make.

Or is there a way I can "allow" the at sign for the import
(and their passwords work on this server for now).

-- 
Larry Smith
lesmith at ecsis.net

On Mon May 2 2016 16:56, Michael Stauber wrote:
> Hi Lee,
>
> > It appears that CodeIgniter is failing on a '!' in any password set.
> > I've tried with an alternative character and it's been successful.
>
> I just gave it a whirl myself and found a couple of interesting
> problems. For starters: The "admin" password was way more lenient in
> allowing special characters than the MySQL field. That shouldn't be.
> Both should ideally accept the same passwords. Although it's a good
> practice to use a different password for MySQL than for the root/admin
> of a box.
>
> After some more digging I then found that the regular expression we use
> to validate passwords is way more permissive than what our architecture
> actually can handle with ease. Partially this is due to the octal
> storage of complex ASCII characters in CODB and partially this is due to
> limitations of how we talk to CCEd.
>
> Example: Password has a space. You can set a password with a space via
> the GUI, as the regular expression allowed it. But the actual login
> where PHP talks with CCEd via the cce.so PHP module? It uses a syntax
> like this:
>
> auth admin password
>
> Without escaping the password like putting it into quotation marks. So a
> password with a space (or more) would only get interpreted until the
> first space happened:
>
> auth admin partial-password rest-of-pw-after-space
>
> The alternative CCE.php class escapes passwords and uses something like
> this:
>
> auth admin "password"
>
> So spaces would be allowed as the whole password is properly escaped.
> But cce.so is 5-7x faster, so we rather use that one instead of the CCE
> PHP class. Which means: No more spaces in passwords allowed. :p
>
> So one by one I worked myself through the ASCII table to find out which
> chars we can use and which not. It boils down to this:
>
> Forbidden:
> whitespace plus the following: "&'/<>?@[/]^_`{|}~
>
> Allowed:
> Anything alphanumeric plus: !#$%()*+,-.:;=
>
> The list of forbidden characters could be shorter. But the limitations
> are not all CCEd/CODB related. Some of them are due to the XSS filter of
> CodeIgniter, others due to issues with Perl Handlers and lastly some are
> due to our cce.so PHP module. Most of it ought to be fixable in the
> longer run.
>
> Hence I'll do the following for now:
>
> 1.) Publish an updated sausalito-cce*, base-mysql and base-alpine which
> reflects the above code changes. When entering passwords it'll complain
> if the password contains any unsupported character. Hence you'll
> immediately know if your entered password will work or not. More
> importantly: It'll only let you set a password that actually can be used
> in the login page to log back in to the server.
>
> 2.) More long term: Fix the architectural problems in the various parts
> of BlueOnyx that prevent usage of all/most of the currently forbidden
> characters in passwords.
>
> I'll try to publish the interim updates today. I'll also have to roll up
> a new 5209R ISO to make sure people who don't run YUM updates don't
> immediately run into this (fixed) problem and get a bad first impression.
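
Added example, not part of the original messages and not BlueOnyx code: a pre-import check that flags passwords using characters outside the allowed set listed above, plus a simplified model of why the unquoted `auth` line loses everything after the first space. The function names, the sample accounts, the backslash escaping and the tokenizer are assumptions; CCEd's real parser is not shown on this page.

```python
import shlex
import string

# Allowed set as given in the quoted message: alphanumerics plus !#$%()*+,-.:;=
ALLOWED = set(string.ascii_letters + string.digits + "!#$%()*+,-.:;=")

def rejected_chars(password):
    """Distinct characters outside the allowed set, in order of first appearance."""
    bad = []
    for ch in password:
        if ch not in ALLOWED and ch not in bad:
            bad.append(ch)
    return bad

def precheck_import(accounts):
    """Map username -> rejected characters for every password that would be refused."""
    return {user: rejected_chars(pw) for user, pw in accounts if rejected_chars(pw)}

def unquoted_auth_line(user, password):
    # Form described for cce.so: the password is sent bare.
    return "auth {} {}".format(user, password)

def quoted_auth_line(user, password):
    # Form described for CCE.php; the backslash escaping is an assumption.
    escaped = password.replace("\\", "\\\\").replace('"', '\\"')
    return 'auth {} "{}"'.format(user, escaped)

def password_received(line, honours_quotes):
    """Simplified stand-in for the server-side tokenizer (not CCEd's real parser)."""
    tokens = shlex.split(line) if honours_quotes else line.split()
    return tokens[2] if len(tokens) > 2 else ""

# Constructed sample accounts, not real data.
CONSTRUCTED_ACCOUNTS = [
    ("alice", "Spring#2017!"),
    ("bob", "b0b@netsol"),
    ("carol", "two words"),
]

if __name__ == "__main__":
    for user, bad in precheck_import(CONSTRUCTED_ACCOUNTS).items():
        print("{}: password uses unsupported characters {!r}".format(user, bad))
    print(password_received(unquoted_auth_line("admin", "two words"), False))
    print(password_received(quoted_auth_line("admin", "two words"), True))
```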


