Uploaded image for project: 'Blesta Core'
  1. Blesta Core
  2. CORE-3856

DirectAdmin: Passwords truncated in welcome email

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.12.0-b1
    • Fix Version/s: 4.12.0
    • Component/s: Modules
    • Labels:
      None

      Description

      When a new DirectAdmin account is created, the password will be truncated in the welcome email at the point a < character is detected.

      For example, if the password is:

      N{,e<E|7OC?V

      The following will be included in the welcome email:

      N{,e

        Activity

        admin Paul Phillips created issue -
        admin Paul Phillips made changes -
        Field Original Value New Value
        Rank Ranked higher
        admin Paul Phillips made changes -
        Sprint 5.0.0 Sprint 1 [ 118 ]
        admin Paul Phillips made changes -
        Rank Ranked lower
        Hide
        admin Paul Phillips added a comment -

        Question.. will this impact other modules?

        Show
        admin Paul Phillips added a comment - Question.. will this impact other modules?
        jonathan Jonathan Reissmueller made changes -
        Rank Ranked higher
        Hide
        jonathan Jonathan Reissmueller added a comment - - edited

        The answer is yes. This has to do with email Html parsing, not DirectAdmin. This does only apply to passwords with a '<' however.

        https://www.blesta.com/forums/index.php?/topic/13357-directadmin-activation-email

        Show
        jonathan Jonathan Reissmueller added a comment - - edited The answer is yes. This has to do with email Html parsing, not DirectAdmin. This does only apply to passwords with a '<' however. https://www.blesta.com/forums/index.php?/topic/13357-directadmin-activation-email
        Hide
        admin Paul Phillips added a comment -

        Is that related to h2o parsing the templates, or we parse the final message prior to delivery? Is there a global fix?

        Show
        admin Paul Phillips added a comment - Is that related to h2o parsing the templates, or we parse the final message prior to delivery? Is there a global fix?
        Hide
        jonathan Jonathan Reissmueller added a comment -

        I don't think it is h2o taking care of this part, but it might be. It seems very likely there is a global fix, but we could also do a simple fix that doesn't allow the '<' character in the password.

        Show
        jonathan Jonathan Reissmueller added a comment - I don't think it is h2o taking care of this part, but it might be. It seems very likely there is a global fix, but we could also do a simple fix that doesn't allow the '<' character in the password.
        abdy Abdy Franco made changes -
        Assignee Abdy Franco [ abdy ]
        abdy Abdy Franco made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Automated transition triggered when Abdy Franco created pull request #23 in Stash -
        Status In Progress [ 3 ] In Review [ 5 ]
        Resolution Fixed [ 1 ]
        Hide
        abdy Abdy Franco added a comment -
        Show
        abdy Abdy Franco added a comment - We can use the built-in "safe" filter. https://github.com/speedmax/h2o-php/wiki/Built-in-filters#safe
        abdy Abdy Franco made changes -
        Remaining Estimate 0 minutes [ 0 ]
        Time Spent 22 minutes [ 1320 ]
        Worklog Id 14232 [ 14232 ]
        Hide
        jonathan Jonathan Reissmueller added a comment -

        Nice find!

        Show
        jonathan Jonathan Reissmueller added a comment - Nice find!
        Automated transition triggered when Jonathan Reissmueller merged pull request #23 in Stash -
        Status In Review [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            abdy Abdy Franco
            Reporter:
            admin Paul Phillips
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:
              Fix Release Date:
              28/Sep/20

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - 0 minutes
              0m
              Logged:
              Time Spent - 22 minutes
              22m

                Agile