cloudstack-users mailing list archives

From Ian Forde <ifo...@marketo.com>
Subject Re: cloudstack user password requirements
Date Wed, 10 Dec 2014 22:44:45 GMT
(Seems like I have character encoding issues of my own.)

The characters that AD allows but CS doesn’t are the greater than (>) and
less than (<) characters.  Hope the previous message wasn’t too garbled
for decipherment…

  -I

On 12/10/14, 2:37 PM, "Ian Forde" <iforde@marketo.com> wrote:

>Following up on this…
>
>It’s via the UI.  We’re using LDAP authentication with Active Directory as
>the backend, where AD allows ‘<’ and ‘>’ but Cloudstack apparently
>doesn’t.  We’ve disabled connection security on LDAP and used tcpdump to
>verify that CS is mistakenly encoding those characters before sending them
>off to AD.  Could this be an unintended artifact of the XSS defensive code
>(maybe CLOUDSTACK-2936)?  Right now we’re looking at telling folks to
>change their passwords if they’ve got either of those characters in their
>password.  And if there are other characters that get encoded, we don’t
>know what they are yet…
>
>Help?
>
>
>On 12/10/14, 2:31 PM, "Yiping Zhang" <yzhang@marketo.com> wrote:
>
>>
>>
>>On 11/3/14, 4:22 PM, "Demetrius Tsitrelis"
>><Demetrius.Tsitrelis@citrix.com> wrote:
>>
>>>Is that a password which is being used by the API directly or via the
>>>UI?
>>> I think the UI has a text sanitization function which tries to HTML
>>>encode the "<" and ">" characters as a first-line cross-site scripting
>>>defense.
>>>
>>>-----Original Message-----
>>>From: Yiping Zhang [mailto:yzhang@marketo.com]
>>>Sent: Monday, November 03, 2014 2:14 PM
>>>To: users@cloudstack.apache.org
>>>Subject: cloudstack user password requirements
>>>
>>>Hi,
>>>
>>>By chance, we found out that CS user password can not contain "<" or ">"
>>>characters,  what other characters are illegal in user's password
>>>string?
>>>We are not able to find any documents on the subject.
>>>
>>>Thanks
>>>
>>>Yiping
>>
>
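
The failure discussed in this thread, as an added example that is not CloudStack's code and not written by any of the posters: a blanket sanitizer that HTML-encodes "<" and ">" changes the password before it reaches the directory bind, while a field-aware variant leaves credentials untouched, and a small audit helper lists which characters the sanitizer alters. All function names, field names and sample values are assumptions made for the illustration.

```javascript
// Hypothetical stand-in for a UI-wide input sanitizer (assumption, not CloudStack's code):
// it HTML-encodes angle brackets in every value it is given.
function sanitizeXss(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Fields holding secrets that a backend compares byte-for-byte (field names are assumptions).
const CREDENTIAL_FIELDS = new Set(["password", "newPassword"]);

// Before: every field goes through the sanitizer, credentials included.
function buildLoginParamsNaive(form) {
  const out = {};
  for (const [k, v] of Object.entries(form)) out[k] = sanitizeXss(v);
  return out;
}

// After: credentials pass through unchanged; they are never rendered into HTML,
// so there is nothing to encode. Other fields keep the existing defense.
function buildLoginParamsFieldAware(form) {
  const out = {};
  for (const [k, v] of Object.entries(form)) {
    out[k] = CREDENTIAL_FIELDS.has(k) ? String(v) : sanitizeXss(v);
  }
  return out;
}

// Stand-in for the directory: a simple bind succeeds only on an exact byte match.
function simulateBind(storedPassword, presentedPassword) {
  return Buffer.from(storedPassword, "utf8").equals(Buffer.from(presentedPassword, "utf8"));
}

// Printable ASCII (0x20..0x7e), used to enumerate what the sanitizer changes.
const PRINTABLE_ASCII = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join("");

// Audit helper: which characters of `chars` come back altered from the sanitizer?
function alteredCharacters(chars = PRINTABLE_ASCII) {
  return [...new Set(chars)].filter((ch) => sanitizeXss(ch) !== ch);
}

// Constructed sample input; `stored` plays the role of the password held by the directory.
const form = { username: "alice<script>", password: "Tr<ub>4dor!&\"'" };
const stored = form.password;

console.log(simulateBind(stored, buildLoginParamsNaive(form).password));      // false
console.log(simulateBind(stored, buildLoginParamsFieldAware(form).password)); // true
console.log(alteredCharacters());                                             // [ '<', '>' ]
```

Running the audit helper against the real sanitizer, instead of the stand-in here, is how one would answer the open question of which other characters get encoded.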
