When using a password with special characters, the value is not URL-decoded, causing an inconsistency in the password strength reporting. The front end will tell you it's strong, while the back end tells you it is not strong.

Comments

funkym

Status: Active » Needs review
Attached file: new, 460 bytes
greggles

Status: Needs review » Reviewed & tested by the community

I tested this by doing:

1. Keep 7 as the minimum password length
2. Attempt to set my password to "12345 " with a single space on the end, which gets URL-encoded to %20
3. Observe that "Is shorter than 7 characters" goes away after I type the space, which is not valid
4. Hit submit and notice the inconsistent error message "Password must contain at least 7 alphanumeric (letter or number) characters."

Applied patch and in step 3 the "Is shorter than 7 characters" message sticks around until I actually hit 7 characters.

RTBC from my perspective.
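
The mismatch reproduced in the test steps above, as an added example that is not the module's code or the committed patch: a live strength check that scores the URL-encoded value disagrees with the check run on submit, and decoding once brings them back in line. The function names, the two constants and the sample passwords are assumptions constructed for illustration, and `rawurlencode()` stands in for the browser encoding the typed value.

```php
<?php
// Added illustration: function names are hypothetical, not the module's API.

const MIN_LENGTH = 7; // minimum length from the test steps above
const MIN_ALNUM  = 7; // alphanumeric minimum from the submit error message

/** Returns constraint failures for a password exactly as the user typed it. */
function constraint_errors(string $password): array {
  $errors = [];
  if (mb_strlen($password, 'UTF-8') < MIN_LENGTH) {
    $errors[] = 'Is shorter than ' . MIN_LENGTH . ' characters';
  }
  if (preg_match_all('/[A-Za-z0-9]/', $password) < MIN_ALNUM) {
    $errors[] = 'Has fewer than ' . MIN_ALNUM . ' alphanumeric characters';
  }
  return $errors;
}

/** Live strength check on the raw value: "%20" is scored as three characters. */
function strength_callback_raw(string $encoded): array {
  return constraint_errors($encoded);
}

/** Live strength check that decodes exactly once, matching what submit sees. */
function strength_callback_decoded(string $encoded): array {
  return constraint_errors(rawurldecode($encoded));
}

// Constructed samples: the password from the test steps, and one with a literal "%".
foreach (['12345 ', 'ab%41cd'] as $typed) {
  $sent = rawurlencode($typed); // stands in for the browser encoding the value
  printf("typed=%s sent=%s\n", var_export($typed, true), $sent);
  printf("  raw callback:     %s\n", json_encode(strength_callback_raw($sent)));
  printf("  decoded callback: %s\n", json_encode(strength_callback_decoded($sent)));
  printf("  submit handler:   %s\n", json_encode(constraint_errors($typed)));
  // Decoding a second time would change the password itself ("%41" becomes "A").
  printf("  decoded twice:    %s\n", var_export(rawurldecode(rawurldecode($sent)), true));
}
```

Decode exactly once: if the request layer has already decoded the parameter, a second decode in the callback scores a different password than the one submitted whenever the password contains a literal `%`.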

greggles

This one is fairly straightforward, but conflicts with #2393873: Use current account rather than global $user in user_profile_form. I guess I suggest applying that one first and I can reroll this one (or it's easy to manually apply).

  • coltrane committed cc29fb4 on 7.x-1.x authored by funkym
    Issue #2358005 by funkym: Ajax callback checking strength of url encoded...
coltrane

Status: Reviewed & tested by the community » Fixed

Passes tests and works well so committed. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.