Reported in the IRC room
When creating a user through the CLI, passwords including a " character can't properly validate when logging in through the web UI.
The bug arises because when willow.go hashes the password at the time of user creation, it does not sanitize. However, when users log in, their password is sanitized before being pulled out of the request, which escapes the quotation mark. A test case got this code out of ws.go:
LoginHandler (unsanitized): bob a"a
LoginHandler (sanitized): bob a"a
Amolith referenced this ticket in commit d2e7cf2.
Amolith referenced this ticket in commit a81a16d.
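The mismatch described in this ticket, reproduced as an added example (not code from willow.go or ws.go). It assumes the sanitizer behaves like HTML escaping and uses SHA-256 only as a standard-library stand-in for the project's real password hash; all function names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"html"
)

// hashPassword is a stand-in (assumption) for the project's real password
// hash. Any hash shows the same mismatch; SHA-256 is not a password hash.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// createUser mirrors the CLI path from the ticket: the raw password is hashed.
func createUser(pw string) [32]byte { return hashPassword(pw) }

// sanitize is an assumed sanitizer: HTML escaping turns " into &#34;.
func sanitize(s string) string { return html.EscapeString(s) }

// verify hashes the candidate and compares it to the stored hash in constant time.
func verify(stored [32]byte, pw string) bool {
	h := hashPassword(pw)
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}

// loginSanitized mirrors the web path from the ticket: the form value is
// sanitized before it is hashed, so it no longer matches what was stored.
func loginSanitized(stored [32]byte, formPw string) bool {
	return verify(stored, sanitize(formPw))
}

// loginRaw treats the password as opaque input on both paths. It is hashed,
// never rendered, so escaping it adds nothing and changes the hash input.
func loginRaw(stored [32]byte, formPw string) bool {
	return verify(stored, formPw)
}

func main() {
	// Constructed sample passwords: one unaffected by escaping, one from the ticket.
	for _, pw := range []string{"abc", `a"a`} {
		stored := createUser(pw)
		fmt.Printf("%-6q sanitized=%-10q sanitizedLogin=%-5v rawLogin=%v\n",
			pw, sanitize(pw), loginSanitized(stored, pw), loginRaw(stored, pw))
	}
}
```

A regression test for this class of bug creates a user and logs in through both code paths with passwords containing `"`, `'`, `<`, `>` and `&`.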