cloudstack-users mailing list archives

From Ian Forde <>
Subject Re: cloudstack user password requirements
Date Wed, 10 Dec 2014 22:44:45 GMT
(Seems like I have character encoding issues of my own.)

The characters that AD allows but CS doesn’t are the greater than (>) and
less than (<) characters.  Hope the previous message wasn’t too garbled
for decipherment…


On 12/10/14, 2:37 PM, "Ian Forde" <> wrote:

>Following up on this…
>It’s via the UI.  We’re using LDAP authentication with Active Directory as
>the backend, where AD allows ‘<’ and ‘>’ but Cloudstack apparently
>doesn’t.  We’ve disabled connection security on LDAP and used tcpdump to
>verify that CS is mistakenly encoding those characters before sending them
>off to AD.  Could this be an unintended artifact of the XSS defensive code
>(maybe CLOUDSTACK-2936)?  Right now we’re looking at telling folks to
>change their passwords if they’ve got either of those characters in their
>password.  And if there are other characters that get encoded, we don’t
>know what they are yet…
>On 12/10/14, 2:31 PM, "Yiping Zhang" <> wrote:
>>On 11/3/14, 4:22 PM, "Demetrius Tsitrelis"
>><> wrote:
>>>Is that a password which is being used by the API directly or via the
>>> I think the UI has a text sanitization function which tries to HTML
>>>encode the "<" and ">" characters as a first-line cross-site scripting
>>>-----Original Message-----
>>>From: Yiping Zhang []
>>>Sent: Monday, November 03, 2014 2:14 PM
>>>Subject: cloudstack user password requirements
>>>By chance, we found out that CS user password can not contain "<" or ">"
>>>characters,  what other characters are illegal in user's password
>>>We are not able to find any documents on the subject.
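
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not CloudStack code: a filter that HTML-encodes every form value changes the password before the directory bind, while the same filter with credential fields exempted does not. `sanitize_all`, `sanitize_except_credentials`, `FakeDirectory`, the `password` field name and the sample credential are hypothetical; Python's `html.escape` stands in for the UI filter, whose actual character set the thread does not establish.

```python
import hmac
import html
import string

CREDENTIAL_FIELDS = {"password"}  # hypothetical field name

def sanitize_all(params):
    """Assumed stand-in for a UI filter that HTML-encodes every form value."""
    return {k: html.escape(v, quote=False) for k, v in params.items()}

def sanitize_except_credentials(params):
    """Same filter, but credential fields are sent byte-for-byte."""
    return {k: v if k in CREDENTIAL_FIELDS else html.escape(v, quote=False)
            for k, v in params.items()}

class FakeDirectory:
    """Constructed test double for the LDAP/AD backend: exact-match bind only."""
    def __init__(self):
        self._users = {}

    def set_password(self, user, password):
        self._users[user] = password.encode("utf-8")

    def bind(self, user, password):
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored, password.encode("utf-8"))

def login(directory, sanitizer, username, password):
    """Apply the client-side filter, then bind with whatever it produced."""
    sent = sanitizer({"username": username, "password": password})
    return directory.bind(sent["username"], sent["password"])

def altered_characters(sanitizer, alphabet=string.printable):
    """Characters a password cannot safely contain while this filter is active."""
    return sorted(c for c in alphabet if sanitizer({"password": c})["password"] != c)

if __name__ == "__main__":
    ad = FakeDirectory()
    ad.set_password("alice", "Tr<ub>4dor")  # constructed sample credential
    print("encode everything:", login(ad, sanitize_all, "alice", "Tr<ub>4dor"))
    print("skip credentials: ", login(ad, sanitize_except_credentials, "alice", "Tr<ub>4dor"))
    print("altered by filter:", altered_characters(sanitize_all))
```

Running `altered_characters` against the real filter is a way to answer the open question of which other characters get encoded; the list printed here reflects only the stand-in.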
