Bug: Reset Passwd String in Oops Message is not URL Encoded

I've got a problem with the oopsresetpasswd template; sometimes, users call the ResetPassword and generate an encrypted password that contains a '+'. The oopsresetpasswd template fails to display this correctly, and I've got to go to the apache log to find out what the generated passwd entry was.

I transposed the link used at my site for TWiki.org : http://twiki.org/cgi-bin/oops/Main/TestAccount2?template=oopsresetpasswd&param1=TestAccount2:{SHA}qZk%2BNkcGgWq6PiVxeFDCbJzQ2J0=. It fails to display correctly here too.

However, the ResetPassword seems to encrypt passwords differently to my site, so I couldn't reproduce this with a real user account at TWiki.org.

my config:

• Apache 1.3.28
• Activate state perl 5.6.1
• TWiki 01Feb2003
• Windows 2000

-- JeanMarieClement - 10 Nov 2003

This sounds like a bug. The encoded strings needs to be URL encoded before passing it on to the oops dialog.

-- PeterThoeny - 10 Nov 2003

This is now fixed, in TWikiAlphaRelease and at TWiki.org.

Test: http://www.twiki.org/cgi-bin/view/Codev/UrlEncodeTesting?urlencode=aaaaa%2Bzzzzz

Fix in lib/TWiki.pm, indicated in red color:

# =========================
# Encode URLs
sub handleUrlEncode
{
    my( $theStr, $doExtract ) = @_;

    $theStr = extractNameValuePair( $theStr ) if( $doExtract );
    $theStr =~ s/[\n\r]/\%3Cbr\%20\%3E/g;
    $theStr =~ s/\s+/\%20/g;
    $theStr =~ s/\"/\%22/g;
    $theStr =~ s/\&/\%26/g; 
    $theStr =~ s/\+/\%2B/g; 
    $theStr =~ s/\</\%3C/g;
    $theStr =~ s/\>/\%3E/g;
    # Encode characters with 8th bit set (ASCII-derived charsets only)
    $theStr =~ s/([\x7f-\xff])/'%' . unpack( "H*", $1 ) /ge;

    return $theStr;
}

-- PeterThoeny - 11 Nov 2003