Description

If you try to log in with a non-ASCII password, you will get a traceback. Additionally, old passwords will need a workaround in the code to work properly after this is fixed.

Details

This Wiki (1.3).

Workaround

Discussion

I implemented a fix that works like this:

  1. Added encoding to utf-8 in user.encodePassword. I don't use config.charset because only Unicode can encode all passwords. This is the safest way; it will work even if someone switches to iso and then back to unicode, or does any other evil thing.
  2. When the user password is compared to the password on file, we first try the current encoding. If the password doesn't match, we try all the pre-1.3 encodings available on the machine (maximum 5).
  3. If we find a match with another encoding, the user is valid. Then we replace the user password with the standard utf-8 encoded hash. Next time, the password will match on the first try. The user password did not change, only the hash changed, and it's completely transparent to the user.

  4. If none of the encodings match, we deny the user; it must be a wrong password.
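The four steps above, sketched as an added example in Python 3; this is not MoinMoin's code. The `LEGACY_ENCODINGS` list, the dict-based user record and the use of unsalted SHA-1 as the stored hash are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed candidate list: the page only says "pre-1.3 encodings available
# on the machine (maximum 5)" and does not name them.
LEGACY_ENCODINGS = ["iso-8859-1", "cp1252", "iso-8859-15", "koi8-r", "cp1251"]


def encode_password(password, encoding="utf-8"):
    """Step 1: hash the password bytes, always UTF-8 for new hashes.

    SHA-1 is a stand-in for the stored hash format (assumption).
    """
    return hashlib.sha1(password.encode(encoding)).hexdigest()


def check_password(user, password):
    """Return True if the password is valid, upgrading legacy hashes."""
    stored = user["enc_password"]

    # Step 2: try the current (UTF-8) encoding first.
    if hmac.compare_digest(stored, encode_password(password)):
        return True

    # Step 2, continued: fall back to the legacy encodings.
    for encoding in LEGACY_ENCODINGS:
        try:
            candidate = encode_password(password, encoding)
        except UnicodeEncodeError:
            continue  # password cannot be represented in this charset
        if hmac.compare_digest(stored, candidate):
            # Step 3: same password, new hash; the next login matches at once.
            user["enc_password"] = encode_password(password)
            return True

    # Step 4: nothing matched, so the password is wrong.
    return False


if __name__ == "__main__":
    # Constructed sample record: hash created under a legacy charset.
    user = {"name": "ExampleUser",
            "enc_password": encode_password("pässwörd", "iso-8859-1")}
    print(check_password(user, "pässwörd"), user["enc_password"])
```

Different strings can encode to the same bytes under different legacy charsets, so the fallback loop accepts slightly more than the original password until the hash has been upgraded; a short candidate list limits this.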

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/NonAsciiPasswordsBroken (last edited 2007-10-29 19:12:15 by localhost)