Posted to users@cloudstack.apache.org by Ian Forde <if...@marketo.com> on 2014/12/10 23:37:22 UTC

Re: cloudstack user password requirements

Following up on this…

It’s via the UI.  We’re using LDAP authentication with Active Directory as
the backend, where AD allows ‘<’ and ‘>’ but Cloudstack apparently
doesn’t.  We’ve disabled connection security on LDAP and used tcpdump to
verify that CS is mistakenly encoding those characters before sending them
off to AD.  Could this be an unintended artifact of the XSS defensive code
(maybe CLOUDSTACK-2936)?  Right now we’re looking at telling folks to
change their passwords if they’ve got either of those characters in their
password.  And if there are other characters that get encoded, we don’t
know what they are yet…

Help?


On 12/10/14, 2:31 PM, "Yiping Zhang" <yz...@marketo.com> wrote:

>
>
>On 11/3/14, 4:22 PM, "Demetrius Tsitrelis"
><De...@citrix.com> wrote:
>
>>Is that a password which is being used by the API directly or via the UI?
>> I think the UI has a text sanitization function which tries to HTML
>>encode the "<" and ">" characters as a first-line cross-site scripting
>>defense.
>>
>>-----Original Message-----
>>From: Yiping Zhang [mailto:yzhang@marketo.com]
>>Sent: Monday, November 03, 2014 2:14 PM
>>To: users@cloudstack.apache.org
>>Subject: cloudstack user password requirements
>>
>>Hi,
>>
>>By chance, we found out that CS user password can not contain "<" or ">"
>>characters,  what other characters are illegal in user's password string?
>>We are not able to find any documents on the subject.
>>
>>Thanks
>>
>>Yiping
>
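Added example, not CloudStack's own code: a JavaScript sketch of the failure mode discussed above, an input-side HTML-escaping sanitizer applied to a credential before it reaches the directory, plus a probe that lists which printable ASCII characters such a sanitizer alters (the "other characters" the thread asks about). The escaping rules, the sample password and the bind stand-in are constructed; the real UI function's name and rule set are not known from the thread.

```javascript
// Added example, not CloudStack's own code: an input-side HTML sanitizer of
// the kind the thread suspects, applied to a password before authentication.
// The escaping rules and the sample password below are constructed.
function htmlEscape(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Every printable ASCII character (0x20..0x7E), used to probe the sanitizer.
const PRINTABLE_ASCII = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join("");

// Lists the characters a sanitizer changes, i.e. the characters a user could
// not have in a password without the backend seeing a different value.
function charsAlteredBy(sanitizer, alphabet) {
  const altered = [];
  for (const ch of alphabet) {
    if (sanitizer(ch) !== ch) altered.push(ch);
  }
  return altered;
}

// Stand-in for the LDAP bind: the directory compares the bytes it receives
// with the stored credential; it knows nothing about HTML entities.
function bindSucceeds(storedPassword, submittedPassword) {
  return storedPassword === submittedPassword;
}

// Wrong layer: escaping the credential on input breaks the bind.
function bindAfterInputSanitizing(password) {
  return bindSucceeds(password, htmlEscape(password));
}

// Right layer: the credential travels untouched; HTML-escaping belongs where
// untrusted text is rendered into a page, and a password is never rendered.
function bindWithoutSanitizing(password) {
  return bindSucceeds(password, password);
}

const CONSTRUCTED_PASSWORD = "Pa<ss>word1"; // constructed; AD accepts such values per the thread
console.log(charsAlteredBy(htmlEscape, PRINTABLE_ASCII));   // [ '"', '&', "'", '<', '>' ]
console.log(bindAfterInputSanitizing(CONSTRUCTED_PASSWORD)); // false
console.log(bindWithoutSanitizing(CONSTRUCTED_PASSWORD));    // true
```

Running the probe against a deployment's actual sanitizer (rather than this constructed one) is how an operator would enumerate the full set of affected characters instead of guessing from user reports.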


Re: cloudstack user password requirements

Posted by Ian Forde <if...@marketo.com>.
(Seems like I have character encoding issues of my own.)

The characters that AD allows but CS doesn’t are the greater than (>) and
less than (<) characters.  Hope the previous message wasn’t too garbled
for decipherment…

  -I

On 12/10/14, 2:37 PM, "Ian Forde" <if...@marketo.com> wrote:

>Following up on this…
>
>It’s via the UI.  We’re using LDAP authentication with Active Directory as
>the backend, where AD allows ‘<’ and ‘>’ but Cloudstack apparently
>doesn’t.  We’ve disabled connection security on LDAP and used tcpdump to
>verify that CS is mistakenly encoding those characters before sending them
>off to AD.  Could this be an unintended artifact of the XSS defensive code
>(maybe CLOUDSTACK-2936)?  Right now we’re looking at telling folks to
>change their passwords if they’ve got either of those characters in their
>password.  And if there are other characters that get encoded, we don’t
>know what they are yet…
>
>Help?
>
>
>On 12/10/14, 2:31 PM, "Yiping Zhang" <yz...@marketo.com> wrote:
>
>>
>>
>>On 11/3/14, 4:22 PM, "Demetrius Tsitrelis"
>><De...@citrix.com> wrote:
>>
>>>Is that a password which is being used by the API directly or via the
>>>UI?
>>> I think the UI has a text sanitization function which tries to HTML
>>>encode the "<" and ">" characters as a first-line cross-site scripting
>>>defense.
>>>
>>>-----Original Message-----
>>>From: Yiping Zhang [mailto:yzhang@marketo.com]
>>>Sent: Monday, November 03, 2014 2:14 PM
>>>To: users@cloudstack.apache.org
>>>Subject: cloudstack user password requirements
>>>
>>>Hi,
>>>
>>>By chance, we found out that CS user password can not contain "<" or ">"
>>>characters,  what other characters are illegal in user's password
>>>string?
>>>We are not able to find any documents on the subject.
>>>
>>>Thanks
>>>
>>>Yiping
>>
>