https://bugzilla.redhat.com/show_bug.cgi?id=1267005
Bug ID: 1267005
Summary: New PW containing the special character "§" is rejected
Product: Fedora
Version: 23
Component: bugzilla
Assignee: itamar@ispbrasil.com.br
Reporter: joerg.lechner@aol.de
QA Contact: extras-qa@fedoraproject.org
CC: bazanluis20@gmail.com, emmanuel@seyman.fr, itamar@ispbrasil.com.br, perl-devel@lists.fedoraproject.org
Description of problem: Password change, new password with string inside "....e§3......" is rejected when trying to change the old PW to a new one containing this string. The "invalid" rejected character seems to be §.
Version-Release number of selected component (if applicable): Current new version, which requests also special characters
How reproducible: always
Steps to Reproduce:
1. old password does not contain special characters
2. Bugzilla requests a safer PW
3. Enter a PW with at least 8 characters containing the string e§3
Actual results: PW rejected
Expected results: PW accepted, because it contains all requested characters
Additional info:
--- Comment #1 from Emmanuel Seyman emmanuel@seyman.fr --- Joerg, are you complaining about the behaviour of Bugzilla as shipped by Fedora or the behaviour of bugzilla.redhat.com?
--- Comment #2 from joerg.lechner@aol.de --- My problems are with: https://bugzilla.redhat.com/ As I have heard, there was an update which requested safer PWs. This I tried, and there I got the problems described.
Emmanuel Seyman emmanuel@seyman.fr changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
CC         |                            |jmcdonal@redhat.com, mtahir@redhat.com, qgong@redhat.com
Component  |bugzilla                    |User Accounts
Version    |23                          |4.4
Assignee   |itamar@ispbrasil.com.br     |hss-ied-bugs@redhat.com
Product    |Fedora                      |Bugzilla
QA Contact |extras-qa@fedoraproject.org |tools-bugs@redhat.com
Jason McDonald jmcdonal@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Priority   |unspecified                 |medium
Severity   |unspecified                 |medium
Matt Tyson mtyson@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
CC         |                            |joerg.lechner@aol.de, mtyson@redhat.com
Flags      |                            |needinfo?(joerg.lechner@aol.de)
--- Comment #3 from Matt Tyson mtyson@redhat.com --- I'm not aware of any issues with bugzilla and unicode passwords, nor can I replicate the problem you describe.
Are you using python-bugzilla? There was a bug recently with unicode passwords (bug 1264848). If so update to the latest version (1.2.2) and try again.
Let me know if this addresses the problem.
joerg.lechner@aol.de changed:
What       |Removed                         |Added
----------------------------------------------------------------------------
Flags      |needinfo?(joerg.lechner@aol.de) |
--- Comment #4 from joerg.lechner@aol.de --- As far as I see, Python-Bugzilla is not installed.
[root@linux joerg]# dnf info python-bugzilla
Last metadata expiration check performed 7:46:56 ago on Tue Sep 29 18:16:40 2015.
Available Packages
Name        : python-bugzilla
Arch        : noarch
Epoch       : 0
Version     : 1.2.2
Release     : 1.fc23
Size        : 94 k
Repo        : updates-testing
Summary     : A python library and tool for interacting with Bugzilla
URL         : https://github.com/python-bugzilla/python-bugzilla
License     : GPLv2+
Description : python-bugzilla is a python 2 library for interacting with
            : bugzilla instances over XML-RPC. This package also includes the
            : 'bugzilla' command-line tool for interacting with bugzilla from
            : shell scripts.

[root@linux joerg]# dnf update python-bugzilla
Last metadata expiration check performed 0:00:00 ago on Wed Sep 30 02:04:21 2015.
Package python-bugzilla not installed, cannot update it.
No match for argument: python-bugzilla
Error: No packages marked for upgrade.
[root@linux joerg]#
--- Comment #5 from joerg.lechner@aol.de --- I should have said that I use Firefox to use Redhat Bugzilla. I just tried the following test PW joerg§joerg, which was again rejected, see screenshot in the attachment.
--- Comment #6 from joerg.lechner@aol.de --- Created attachment 1078500 --> https://bugzilla.redhat.com/attachment.cgi?id=1078500&action=edit Tried to change the bugzilla PW to joerg§joerg
--- Comment #7 from Matt Tyson mtyson@redhat.com --- Ah
As stated in the screen shot, the password needs special characters (punctuation, in this case) and numbers.
From what I can see from looking at the code, bugzilla doesn't regard § as any kind of character that contributes to password complexity. It's not a special character or a digit or a letter.
Having it in your password isn't a problem, but it's not something that will contribute to password complexity tests.
joerg§joerg won't work because it doesn't contain numbers or punctuation characters.
joerg§joerg.1 would work fine as the dot and number meet the complexity test.
We have a bug open (bug 1265066) to address password complexity tests and make them a bit more intelligent.
--- Comment #8 from joerg.lechner@aol.de --- You are right, the test password in comment 5 and 6 cannot have worked, because it contained no numbers. I made another one, Joerg§3joerg, which contains the non-ASCII character §, a capital character, characters and a number - naturally according to comment 7 it did not work, but in my understanding as a "no PW specialist" according to the picture in comment 6 it should work.
If in the PW check it has to be an ASCII character, the easiest way is to tell in that picture, which I have shown in the attachment comment 6 i.e. "special character except §" or "only ASCII characters". If I see my keyboard (a German keyboard) in the line !"§$%&/()=?`, I myself assume, I can use all characters in this line to meet the PW requirements.
--- Comment #9 from Matt Tyson mtyson@redhat.com --- (In reply to joerg.lechner from comment #8)
> keyboard (a German keyboard) in the line !"§$%&/()=?`, I myself assume, I can use all characters in this line to meet the PW requirements.
Ahh that makes more sense now. Bugzilla uses a perl [[:punct:]] regex to determine the characters ( http://perldoc.perl.org/perlrecharclass.html ). It doesn't consider that character to be punctuation.
I'll have to update the password check routine to broaden the definition of what is a special character.
Ralf Corsepius rc040203@freenet.de changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
CC         |                            |rc040203@freenet.de
--- Comment #10 from Ralf Corsepius rc040203@freenet.de --- (In reply to Matt Tyson from comment #9) Maybe it would be sufficient to let bugzilla explicitly mention in its forms what it considers to be a "special character"?
FWIW: Some time end of last week, I tripped over the same issue as Jörg. Bugzilla had started to reject my previous password and had urged me to choose a new one. Initially I also ran into the "§" issue and started trying "special characters" on my keyboard, until I found one BZ accepted - I now understand you mean "punct". This could be obvious to English speakers, but in the ages of utf8 and i18n'ed apps this isn't obvious to non-native English speakers, anymore.
E.g. to me - being German myself - it would be tempting to use umlauts, sharp "s" or the "EURO"-char as part of "special chars" in passwords.
Petr Pisar ppisar@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
CC         |                            |ppisar@redhat.com
--- Comment #11 from Petr Pisar ppisar@redhat.com --- (In reply to Matt Tyson from comment #9)
> (In reply to joerg.lechner from comment #8)
> > keyboard (a German keyboard) in the line !"§$%&/()=?`, I myself assume, I can use all characters in this line to meet the PW requirements.
> Ahh that makes more sense now. Bugzilla uses a perl [[:punct:]] regex to determine the characters ( http://perldoc.perl.org/perlrecharclass.html ). It doesn't consider that character to be punctuation.
[[:punct:]] is an alias for \p{PosixPunct} in the ASCII range. POSIX does not consider the `§' as punctuation.
Please read perlrecharclass POD, especially note #5:
[5] "\p{PosixPunct}" and "[[:punct:]]" in the ASCII range match all non-controls, non-alphanumeric, non-space characters: "[-!"#$%&'()*+,./:;<=>?@[\]^_`{|}~]" (although if a locale is in effect, it could alter the behavior of "[[:punct:]]").
The similarly named property, "\p{Punct}", matches a somewhat different set in the ASCII range, namely "[-!"#%&'()*,./:;?@[\]_{}]". That is, it is missing the nine characters "[$+<=>^`|~]". This is because Unicode splits what POSIX considers to be punctuation into two categories, Punctuation and Symbols.
"\p{XPosixPunct}" and (under Unicode rules) "[[:punct:]]", match what "\p{PosixPunct}" matches in the ASCII range, plus what "\p{Punct}" matches. This is different than strictly matching according to "\p{Punct}". Another way to say it is that if Unicode rules are in effect, "[[:punct:]]" matches all characters that Unicode considers punctuation, plus all ASCII-range characters that Unicode considers symbols.
Probably you want to match against \p{Punct} or switch to Unicode semantics:
$ perl -e 'q{§} =~ /[[:punct:]]/ and print qq{match\n}'
$ perl -e 'q{§} =~ /[[:punct:]]/a and print qq{match\n}'
$ perl -e 'q{§} =~ /[[:punct:]]/u and print qq{match\n}'
match
$ perl -e 'q{§} =~ /\p{PosixPunct}/ and print qq{match\n}'
$ perl -e 'q{§} =~ /\p{XPosixPunct}/ and print qq{match\n}'
match
$ perl -e 'q{§} =~ /\p{Punct}/ and print qq{match\n}'
match
--- Comment #12 from Jason McDonald jmcdonal@redhat.com --- (In reply to Petr Pisar from comment #11)
> Probably you want to match against \p{Punct} or switch to Unicode semantics:
It's probably better to change from [[:punct:]] to [^[:alnum:]].
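The character classes proposed in comments 9, 11 and 12, compared side by side on the characters and passwords mentioned in this thread. This is an added example, not code from the thread or from Bugzilla; `meets_policy` and its rules (length of at least 8, one digit, one "special" character) are a constructed stand-in for the real check.

```perl
#!/usr/bin/perl
# Needs perl 5.14+ for the /a and /u modifiers; save this file as UTF-8.
use strict;
use warnings;
use utf8;                              # literals below are character strings
binmode(STDOUT, ':encoding(UTF-8)');

# Candidate definitions of "special character" raised in the thread.
# /a forces ASCII rules and /u forces Unicode rules for POSIX classes.
my @rules = (
    [ '[[:punct:]]/a'  => qr/[[:punct:]]/a  ],   # ASCII-only punctuation
    [ '[[:punct:]]/u'  => qr/[[:punct:]]/u  ],   # same class, Unicode rules
    [ '\p{Punct}'      => qr/\p{Punct}/     ],   # Unicode punctuation only
    [ '[^[:alnum:]]/a' => qr/[^[:alnum:]]/a ],   # comment 12, ASCII rules
    [ '[^[:alnum:]]/u' => qr/[^[:alnum:]]/u ],   # comment 12, Unicode rules
);

# Returns 'yes'/'no' per rule for a single character.
sub classify {
    my ($char) = @_;
    return map { $char =~ $_->[1] ? 'yes' : 'no' } @rules;
}

# Constructed policy (hypothetical, not Bugzilla's routine):
# at least 8 characters, one ASCII digit, one "special" character.
sub meets_policy {
    my ($password, $special_re) = @_;
    return length($password) >= 8
        && $password =~ /[[:digit:]]/a
        && $password =~ $special_re ? 1 : 0;
}

my $row = "%-15s" . (" %-15s" x @rules) . "\n";
printf $row, 'input', map { $_->[0] } @rules;

# Characters named in comments 8 and 10, plus two ASCII controls.
printf $row, $_, classify($_) for ('.', '$', '§', '€', 'ä', 'ß');

# Passwords quoted in comments 5, 7 and 8.
for my $pw ('joerg§joerg', 'Joerg§3joerg', 'joerg§joerg.1') {
    printf $row, $pw,
        map { meets_policy($pw, $_->[1]) ? 'accept' : 'reject' } @rules;
}
```

With `[^[:alnum:]]`, letters such as ä and ß count as special under `/a` but not under `/u`, so the modifier has to be chosen together with the class. Results for § under the Unicode-aware rules depend on the Unicode tables shipped with the perl in use.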
--- Comment #13 from Jeff Fearn jfearn@redhat.com --- IMO we should use an existing password complexity module, e.g. [1,2,3], and insist on at least "Good" password rating, instead of reinventing the wheel.
Then we should commit upstream any changes we make for improving the chosen module.
1: http://search.cpan.org/~manwar/Data-Password-Filter-0.13/lib/Data/Password/F...
2: http://search.cpan.org/~razinf/Data-Password-1.12/Password.pm
3: http://search.cpan.org/~akron/Data-Password-Meter-0.07/lib/Data/Password/Met...
Jeff Fearn jfearn@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Status     |NEW                         |ASSIGNED
Assignee   |hss-ied-bugs@redhat.com     |jfearn@redhat.com
Jeff Fearn jfearn@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Status     |ASSIGNED                    |POST
Jeff Fearn jfearn@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
External Bug ID |                            |Moblin Bugzilla 1214492
Jeff Fearn jfearn@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
External Bug ID |Moblin Bugzilla 1214492     |Mozilla Foundation 1214492
Jeff Fearn jfearn@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Status     |POST                        |NEW
Assignee   |jfearn@redhat.com           |hss-ied-bugs@redhat.com
Jeff Fearn jfearn@redhat.com changed:
What        |Removed                     |Added
----------------------------------------------------------------------------
Status      |NEW                         |CLOSED
Resolution  |---                         |DEFERRED
Last Closed |                            |2015-10-15 20:24:02
--- Comment #15 from Jeff Fearn jfearn@redhat.com --- Fixing this requires updating perl, which is not currently on the Bugzilla road map.