Bug: Install Password Fails with Special Chars
The install password script doesn't install the new password. I tracked it down to the regular expression in TWiki::User::Htpassword::htpasswdUpdateUser.
The trouble is that the password also has $ signs (not to mention other regex chars).
I think it would be better to escape all regex chars...
Test case
This was my input causing the problem:
newEncryptedUserPassword: FloraRobin:Cct/thkgtjQ.A
oldEncryptedUserPassword: FloraRobin:$apr1$Fg/hG/..$pTT.SxlbA3hEdu79Z19aP/
As you can see the oldEncryptedUserPassword has $/. (but no +
Environment
--
KevinBaker - 17 Sep 2004
Follow up
Here's my diff to get my problem solved:
--- HtPasswdUser.pm 2004-09-17 11:53:46.000000000 +0200
+++ HtPasswdUser.pm.new 2004-09-17 12:41:22.000000000 +0200
@@ -207,6 +207,7 @@
my $text = &TWiki::Store::readFile( $TWiki::htpasswdFilename );
# escape + sign; SHA-passwords can have + signs
$oldUserEntry =~ s/\+/\\\+/g;
+ $oldUserEntry =~ s/\$/\\\$/g;
$text =~ s/$user:$oldUserEntry/$user:$newUserEntry/;
&TWiki::Store::saveFile( $TWiki::htpasswdFilename, $text );
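Review bot: $user and $oldUserEntry are still interpolated as regex source in s/$user:$oldUserEntry/$user:$newUserEntry/, so with only + and $ escaped by hand the . characters in an entry like the one in the test case act as wildcards, and any other metacharacter can still break or widen the match. Suggest dropping both hand-written escapes and quoting the whole interpolation, s/^\Q$user:$oldUserEntry\E$/$user:$newUserEntry/m, where the ^ and $ anchors also stop $user: from matching the tail of a longer user name.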
@@ -235,6 +236,7 @@
my $text = &TWiki::Store::readFile( $TWiki::htpasswdFilename );
# escape + sign; SHA-passwords can have + signs
$oldEncryptedUserPassword =~ s/\+/\\\+/g;
+ $oldEncryptedUserPassword =~ s/\$/\\\$/g;
$text =~ s/$oldEncryptedUserPassword/$newEncryptedUserPassword/;
&TWiki::Store::saveFile( $TWiki::htpasswdFilename, $text );
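Review bot: The result of s/$oldEncryptedUserPassword/$newEncryptedUserPassword/ is not checked before the saveFile call in the lines shown, so when the pattern fails to match, the file is written back unchanged and nothing reports that the new password was not installed. Suggest calling saveFile only when the substitution returns true and reporting a failure otherwise. The match has the same partial-escaping gap as the first hunk and would be better written with \Q$oldEncryptedUserPassword\E.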
--
KevinBaker - 17 Sep 2004
As you mention, the correct fix is to escape all special chars with
\Q...\E. Same potential issue for other password functions.
--
PeterThoeny - 18 Sep 2004
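What escaping the whole entry with \Q...\E changes compared with escaping single characters, as an added example that is not TWiki code. The two entries are the test-case values from the report; the other htpasswd lines, the look-alike entry and the helper names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Old and new entries are the test-case values from the report; the other
# htpasswd lines and the look-alike entry are constructed sample data.
my $old_entry = 'FloraRobin:$apr1$Fg/hG/..$pTT.SxlbA3hEdu79Z19aP/';
my $new_entry = 'FloraRobin:Cct/thkgtjQ.A';
my $lookalike = 'FloraRobin:$apr1$Fg/hG/xy$pTTzSxlbA3hEdu79Z19aP/';
my $htpasswd  = join "\n", 'AliceExample:abJnggxhB/yWI', $old_entry,
                           'BobExample:xyDUHqvXTE0aE', '';

# The escaping before the diff (+ only) and after it (+ and $).
sub escape_plus        { my $p = shift; $p =~ s/\+/\\\+/g; return $p }
sub escape_plus_dollar { my $p = escape_plus(shift); $p =~ s/\$/\\\$/g; return $p }

# Hypothetical helper: replace one whole line, treating the old entry as
# literal text. Returns the new text, or undef when nothing matched, so the
# caller never saves an unchanged file believing the update worked.
sub replace_entry {
    my ( $text, $old, $new ) = @_;
    my $n = ( $text =~ s/^\Q$old\E$/$new/m );
    return $n ? $text : undef;
}

# Compare the three ways of building the pattern against the stored entry
# and against an entry that differs only where the old one has '.'.
for my $case (
    [ 'escape + only (original code)', escape_plus($old_entry) ],
    [ 'escape + and $ (the diff)',     escape_plus_dollar($old_entry) ],
    [ '\Q...\E (quotemeta)',           quotemeta($old_entry) ],
) {
    my ( $label, $pat ) = @$case;
    printf "%-32s stored entry: %-3s  look-alike: %s\n", $label,
        ( $htpasswd  =~ /$pat/ ? 'yes' : 'no' ),
        ( $lookalike =~ /$pat/ ? 'yes' : 'no' );
}

my $updated = replace_entry( $htpasswd, $old_entry, $new_entry );
die "old entry not found, htpasswd left untouched\n" unless defined $updated;
print $updated;
```

With only + escaped, each $ in the entry is read as an end-of-line anchor and the stored entry never matches; with + and $ escaped it matches, but so does the look-alike, because the . characters are still wildcards.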
Fix record