Following up on this… It's via the UI. We're using LDAP authentication with Active Directory as the backend, where AD allows '<' and '>' but CloudStack apparently doesn't. We've disabled connection security on LDAP and used tcpdump to verify that CS is mistakenly encoding those characters before sending them off to AD. Could this be an unintended artifact of the XSS defensive code (maybe CLOUDSTACK-2936)? Right now we're looking at telling folks to change their passwords if they've got either of those characters in their password. And if there are other characters that get encoded, we don't know what they are yet…
Help?

On 12/10/14, 2:31 PM, "Yiping Zhang" <yzh...@marketo.com> wrote:

>
> On 11/3/14, 4:22 PM, "Demetrius Tsitrelis" <demetrius.tsitre...@citrix.com> wrote:
>
>> Is that a password which is being used by the API directly or via the UI?
>> I think the UI has a text sanitization function which tries to HTML
>> encode the "<" and ">" characters as a first-line cross-site scripting
>> defense.
>>
>> -----Original Message-----
>> From: Yiping Zhang [mailto:yzh...@marketo.com]
>> Sent: Monday, November 03, 2014 2:14 PM
>> To: users@cloudstack.apache.org
>> Subject: cloudstack user password requirements
>>
>> Hi,
>>
>> By chance, we found out that a CS user password cannot contain "<" or ">"
>> characters. What other characters are illegal in a user's password string?
>> We are not able to find any documents on the subject.
>>
>> Thanks
>>
>> Yiping
>
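The failure mode the thread describes, as an added illustration that is not CloudStack's own code: a first-line XSS sanitizer that HTML-escapes text is applied to the password on input, so the escaped string, not what the user typed, is what reaches the LDAP/AD bind. The `htmlEscape` routine, the character set it escapes (`& < > " '`), the `constructedDirectory` stand-in for AD, and the DNs and passwords are all assumptions for the example; the real CloudStack sanitizer is not reproduced here. `charsAlteredBy` answers the "what other characters get encoded?" question for any sanitizer you hand it, which goes beyond the `<` / `>` case in the thread.

```javascript
// Added example, not CloudStack code. Models escaping a credential before it
// is sent to the authentication backend (the bug) next to escaping only at
// render time (the correct place for an XSS defense).
//
// Assumptions (hypothetical, not taken from the CloudStack source):
//  - the sanitizer escapes the five HTML-significant characters & < > " '
//  - the directory accepts a bind only if the password matches exactly

// A typical output-escaping routine used as a first-line XSS defense.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Distinct characters of `password` that `sanitize` would change. Run this
// against whatever sanitizer is actually in use to get the full list of
// characters users must avoid (or that you must stop escaping).
function charsAlteredBy(sanitize, password) {
  const altered = new Set();
  for (const ch of password) {
    if (sanitize(ch) !== ch) altered.add(ch);
  }
  return [...altered].sort();
}

// Constructed stand-in for AD: DN -> password as the directory knows it.
// A real bind is opaque; this only models the observable success/failure.
const constructedDirectory = new Map([
  ['CN=alice,OU=Users,DC=example,DC=com', 'p<ss>w0rd!'],
  ['CN=bob,OU=Users,DC=example,DC=com', 'plain-password'],
]);

function simulateBind(dn, password) {
  const stored = constructedDirectory.get(dn);
  return stored !== undefined && stored === password;
}

// Buggy flow: escape on input, then bind with the escaped value.
// `sent` is what tcpdump would show on the wire in the thread's setup.
function loginEscapingOnInput(dn, typedPassword) {
  const sent = htmlEscape(typedPassword); // wrong place to escape
  return { sent, ok: simulateBind(dn, sent) };
}

// Correct flow: pass the credential through untouched; HTML-escape only
// when a value is embedded in a page that will be rendered.
function loginEscapingOnOutput(dn, typedPassword) {
  const ok = simulateBind(dn, typedPassword);
  const statusHtml = `<p>Login for ${htmlEscape(dn)}: ${ok ? 'ok' : 'failed'}</p>`;
  return { sent: typedPassword, ok, statusHtml };
}

const aliceDn = 'CN=alice,OU=Users,DC=example,DC=com';
const bobDn = 'CN=bob,OU=Users,DC=example,DC=com';

console.log(charsAlteredBy(htmlEscape, 'p<ss>w0rd!'));      // [ '<', '>' ]
console.log(loginEscapingOnInput(aliceDn, 'p<ss>w0rd!'));    // sent: 'p&lt;ss&gt;w0rd!', ok: false
console.log(loginEscapingOnInput(bobDn, 'plain-password'));  // ok: true, nothing to escape
console.log(loginEscapingOnOutput(aliceDn, 'p<ss>w0rd!'));   // ok: true
```

Note that with this sanitizer `&`, `"` and `'` are mangled as well as `<` and `>`, so a password-change advisory limited to the two characters seen so far would miss users whose passwords contain the others; `charsAlteredBy` makes that list explicit for whichever escaping function is really in the path.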