Page MenuHomePhabricator
Create Task
Maniphest T9004

PHP iconv() notice on bad password input to Special:Userlogin, with E_ALL enabled.
Closed, ResolvedPublic
Actions

Description

Author: nickpj

Description:
Test:

curl --silent --include \
 --cookie 'wikidb_session=1'\
 -F 'wpName'='nickj'\
 -F 'wpPassword'='^G'\
 'localhost/wiki/index.php?title=Special:Userlogin&action=submitlogin'

Note: "^G" is the ASCII Bell control character (
http://en.wikipedia.org/wiki/Bell_character ), not the string "^" + "G". Also
"nickj" is a valid user name on the test wiki.

Output contains this, on a wiki with error_reporting(E_ALL) :

<b>Notice</b>:  iconv() [<a href='function.iconv'>function.iconv</a>]: Detected
an illegal character in input string in
<b>/var/www/hosts/mediawiki/phase3/includes/User.php</b> on line <b>1798</b><br />

One-line patch will be attached shortly.

Version: 1.8.x
Severity: minor

Details

Reference
bz7004

Related Objects

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 9:22 PM
bzimport added a project: MediaWiki-Special-pages.
bzimport set Reference to bz7004.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Aug 14 2006, 1:33 AM
bzimport added a comment.Aug 14 2006, 1:36 AM

nickpj wrote:

Patch to iconv call to convert illegal password chars to nearest legal ones

Note for some reason the iconv() "IGNORE" parameter listed on
http://php.net/manual/en/function.iconv.php doesn't stop the error, but
"TRANSLIT" does.

Attached:

iconv-notice-bug-7004-diff.txt738 BDownload

bzimport added a comment.Oct 4 2006, 12:06 PM

nickpj wrote:

A better test for reproducing this:

echo -e -n '\a' > file.txt
curl --silent --include --globoff \
--cookie 'wikidb_session=1' \
-F 'wpName'='nickj' \
-F 'wpPassword'='<file.txt' \
-F 'wpRemember'='1' \
'localhost/wiki/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=&#124;'

| grep iconv

Note requires error_reporting(E_ALL);

bzimport added a comment.Oct 4 2006, 12:15 PM

nickpj wrote:

Fixed in r16794.

Anomie mentioned this in T170971: iconv(): Detected an illegal character in CentralAuthUser.Sep 14 2017, 7:58 PM
Legoktm updated the task description. (Show Details)Sep 14 2017, 8:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL