Bug #87664
closed
fe_login password reset link is double encoded
0%
Description
The link to reset the password in the mail sent to the user has double encoded keys:
The brackets are encoded as %255B and %255D instead of %5B and %5D.
The 2 places where the link is encoded are:
1. \TYPO3\CMS\Felogin\Controller\FrontendLoginController::generateAndSendHash Line 465
$link = $this->pi_getPageLink($this->frontendController->id, '', [
rawurlencode($this->prefixId . '[user]') => $user['uid'],
rawurlencode($this->prefixId . '[forgothash]') => $randHash
]);
2. \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getTypoLink Line 5573
if (is_array($urlParameters)) {
if (!empty($urlParameters)) {
$conf['additionalParams'] .= HttpUtility::buildQueryString($urlParameters, '&');
}
} else {
$conf['additionalParams'] .= $urlParameters;
}
This results in a link like:
https://www.domain.com/passwort-reset?tx_felogin_pi1%255Bforgothash%255D=1549484728%7Cd6227774d0afb681a4545755636cc779&tx_felogin_pi1%255Buser%255D=12345&cHash=dc1119c6ac03edaa552a1bb3b5100ed6
instead of
https://www.domain.com/passwort-reset?tx_felogin_pi1%5Bforgothash%5D=1549484755%7Cc4bae072f8d1befd832a75bcb2553905&tx_felogin_pi1%5Buser%5D=12345&cHash=605d05836ede389d767bc518a8c2cfea
I think the rawurlencode of the keys in the FrontendController is superfluous.
Updated by Nico de Haen about 5 years ago
- Related to Bug #87349: FELogin - password recovery / forgot link added
Updated by Georg Ringer about 5 years ago
- Status changed from New to Needs Feedback
this has been fixed with #87153, take a look at https://review.typo3.org/#/c/59155/
is this still relevant for you?
Updated by Georg Ringer about 5 years ago
- Related to Bug #87153: Reset password in the `felogin` not working added
Updated by Nico de Haen about 5 years ago
No I didn't see the fix, due to the generic subject in the resolved issue (I was looking for password reset link)
So please close this
Updated by Georg Ringer about 5 years ago
- Status changed from Needs Feedback to Closed