Using purify to secure a password

Re: Using purify to secure a password

igelineau — Sat, 05 Feb 2011 13:07:44 -0500

Thank you both for your answer. I'm relatively new to the php and Vtiger world, that's why I didn't doubt of the need to use the purifier function. I will remove it from my own Vtiger system source code, and indeed i will resolve the problem.

Ismaël

Re: Using purify to secure a password

Ambush Commander — Sat, 05 Feb 2011 06:49:10 -0500

Hello,

This problem belies a very fundamental misunderstanding about how encoding works. I will try to elucidate. What is a password? A password is an arbitrary string of characters, with no structure to them. As such, there is no "validation" that needs to be done on it, you just hash it and then perform the comparison on it with the database. HTML Purifier should NOT be called on passwords.

Edward

Re: Using purify to secure a password

vaughan — Sat, 05 Feb 2011 06:47:25 -0500

don't use htmlpurifier for NON-HTML. purifier is designed for HTML code only.

if you want to filter plain text, then use a different filter.

there are plenty of PHP functions available to do the job.

for passwords i would probably use filter_var($plaintext_pass, FILTER_SANITIZE_STRING); or if it's a $_POST, then filter_input(INPUT_POST, $plaintext_pass, FILTER_SANITIZE_STRING)

filter_var() & filter_input() are both native PHP functions. see http://www.php.net/manual/en/ref.filter.php

but never use htmlpurifier for filtering plaintext or non-html input.

Using purify to secure a password

Igelineau — Fri, 04 Feb 2011 21:39:52 -0500

Hello,

I currently uses and try to improve the Vtiger CRM system. It uses a lot the vtlib_purify function to secure user input. I understood that it uses htmlpurifier tool.

I found a bug in the Vtiger login page, when logging with a password containing an ampersand.

I was able to point out the problem : The password input is passed through the vtlib_purify function before it's hashed with php crypt function and compared to the one from the database.

When the password an ampersand (&), all these ampersand are replaced by their html encoded code :

Of course, when encoding the purified password and comparing with the hash in the database, there is no match.

I was able to solve the problem by adding a htmlspecialchars_decode($password) call after the purify call, but I suspect that leaves a security breach and makes the purify call useles...

Is it standard to deny passwords containing an ampersand or others special characters ? Is it useful to use the purify tool with the password, if it's passed to crypt function later ? I used myself a lot of passwords with an ampersand, and it's the first time I have a problem with it.

Please, if someone have a solution to my problem,i'm very interested.

P.S. Please excuse my not always perfect English, I'm speaking French.

Ismaël