
Erroneous reading of credentials containing a backslash
Open, Needs Triage · Public · BUG REPORT

Description

Steps to replicate the issue (include links if applicable)

  1. Populate the file credentials.txt with a username and a password, both containing a backslash (\).
  2. Start WPCleaner, passing it the path to the credentials.txt file (for instance java -jar getdown.jar . client -credentials credentials.txt).

What happens?

  • Login fails.
  • The strings in the text boxes are missing the backslashes (the password is obscured but is one letter shorter).

What should have happened instead?

  • If the credentials are correct, login should not fail.
  • Backslashes should be read like other characters, as assumptions should not be made over the content of usernames or passwords.

Software version (skip for WMF-hosted wikis like Wikipedia)

WPCleaner 2.05 (August 2022)

Other information (browser name/version, screenshots, etc.)

The likely cause of this bug is java.util.Properties and its method load(), which treats backslashes as an escape character.

Using Debian 11.

Java 11.0.16 (openjdk).

Event Timeline

Hi @Etthen, as you guessed, loading the account name and password from the credentials.txt file is done using java.util.Properties.

You can bypass this problem by doubling the backslashes in the file.

Thank you for your answer, this indeed fixes the problem.

However, this bypass is not really discoverable, and users encountering this problem could think the software is broken (which, in a way, it is).
I understand that you may not want to completely redesign the retrieval of credentials from a file in order to remove java.util.Properties.

Could it however be possible to sanitise the input before java.util.Properties reads it, so this problem cannot happen any more?

Alternatively, warnings should be added to the documentation to indicate that backslashes in the input file should be doubled.
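The following is an added example, not code from WPCleaner or from anyone in this thread. It reproduces the backslash loss with a plain Properties.load() and shows the pre-load sanitising suggested above: doubling every backslash before the text reaches Properties, so that each one survives as a literal character. The class name, the helper methods and the sample credentials are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class CredentialsBackslashDemo {

    // Constructed sample file content: both values contain a single backslash.
    // In Java source, "\\" is one backslash character in the resulting string.
    static final String SAMPLE_FILE =
            "user=domain\\alice\n" +
            "password=pa\\ss\n";

    /** What WPCleaner-style code does today: Properties.load() consumes the backslash
     *  as an escape introducer. "\a" and "\s" are not valid escapes, so the backslash
     *  is silently dropped and each value comes back one character shorter. */
    static Properties loadRaw(String fileText) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(fileText));
        return p;
    }

    /** Sanitised variant: double every backslash before Properties sees the text.
     *  Properties then decodes "\\" back to a single literal backslash.
     *  Caveat: this also disables the format's own escapes (\uXXXX, \n, and a
     *  trailing backslash used as a line continuation), which is acceptable for a
     *  credentials file where values must be taken verbatim. */
    static Properties loadWithLiteralBackslashes(String fileText) throws IOException {
        return loadRaw(fileText.replace("\\", "\\\\"));
    }

    public static void main(String[] args) throws IOException {
        Properties raw = loadRaw(SAMPLE_FILE);
        Properties fixed = loadWithLiteralBackslashes(SAMPLE_FILE);

        // Expected: raw gives "domainalice" / "pass" (backslashes lost),
        // fixed gives "domain\alice" / "pa\ss" (backslashes preserved).
        System.out.println("raw   user=" + raw.getProperty("user")
                + " password=" + raw.getProperty("password"));
        System.out.println("fixed user=" + fixed.getProperty("user")
                + " password=" + fixed.getProperty("password"));
    }
}
```

Note that the doubling must be applied to the file text as a whole before load(); un-escaping the values afterwards cannot work, because the information is already gone once load() has dropped the backslash.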