Bug #67699
closed
Inconsistence in allowing spaces in passwords
100%
Description
For backend users, spaces are allowed in passwords. Login works fine with a password that has spaces in it.
For frontend users, the spaces are stripped by the TCA ('eval' => 'nospace') before salting. The frontend login, however, does not strip the spaces, so it is not possible for the user to log in with the password that was set through the backend. The backend provides no warning suggesting the password was not saved as it was put in.
I'd expect the same processing whether you are trying to log in or are setting a new password through the backend. This way the password will always work as it is typed in.
Updated by Daniel Goerz over 8 years ago
- Assignee set to Daniel Goerz
- Target version set to next-patchlevel
- TYPO3 Version changed from 6.2 to 8
- Complexity set to no-brainer
Updated by Gerrit Code Review over 8 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47542
Updated by Gerrit Code Review over 8 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47544
Updated by Daniel Goerz over 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 9fee5dab08dae1a4513814a4eb7ce92704a2b09c.
Updated by Arne Uplegger about 8 years ago
The getLoginFormData-Function from AbstractUserAuthentication Class in file typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php:1296 (TYPO7.6.10) will TRIM all spaces from the loginData, including the password at uident and uident_text.
So even if you modify the TCA you'll have no luck with your spaced-passwords.
One needs to skip the TRIM for "uident" / "uident_text".
We also have users with spaced-passwords (from TYPO3-external systems (LDAP)) so it would be nice to fix this.
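
The mismatch reported in the description and in the last comment, reproduced as an added example that is not TYPO3 code or part of the original thread. The three helper functions are hypothetical stand-ins: `stripSpaces` models `'eval' => 'nospace'`, `trimEnds` models the login-form trim as PHP's `trim()` (an assumption), and the sample passwords are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the processing steps named in this thread.
function stripSpaces(string $pw): string { return str_replace(' ', '', $pw); } // save-time 'nospace'
function trimEnds(string $pw): string { return trim($pw); }                     // login-time trim (assumed)
function asTyped(string $pw): string { return $pw; }                            // no processing

/**
 * Hash the password as the save path would see it, then verify it as the
 * login path would see it. True means the user can log in with what they typed.
 */
function roundTrip(string $typed, callable $onSave, callable $onLogin): bool
{
    $hash = password_hash($onSave($typed), PASSWORD_DEFAULT);
    return password_verify($onLogin($typed), $hash);
}

// Constructed sample passwords covering inner, leading and trailing spaces.
$samples = ['correct horse battery', ' leading-space', 'trailing-space ', 'nospaces'];

// Each entry pairs a save-time step with a login-time step.
$paths = [
    'save: nospace  / login: as typed' => ['stripSpaces', 'asTyped'],  // original report
    'save: as typed / login: trim'     => ['asTyped', 'trimEnds'],     // last comment
    'save: as typed / login: as typed' => ['asTyped', 'asTyped'],      // consistent
    'save: nospace  / login: nospace'  => ['stripSpaces', 'stripSpaces'], // consistent
];

foreach ($paths as $label => [$onSave, $onLogin]) {
    echo $label, PHP_EOL;
    foreach ($samples as $pw) {
        $ok = roundTrip($pw, $onSave, $onLogin);
        // Quote the password so leading and trailing spaces stay visible.
        printf("  %-26s %s%s", "'" . $pw . "'", $ok ? 'login ok' : 'LOGIN FAILS', PHP_EOL);
    }
}
```

Login succeeds for every sample only when the save path and the login path apply the same processing; the first pairing fails for any password containing a space, the second only for passwords with leading or trailing spaces.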