=================== BUG #1631: FULL BUG SNAPSHOT =================== http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11
Submitted by: adl
Project: Savannah
Submitted on: 2002-Nov-06 20:18
Category: Site Admin
Severity: 5 - Average
Priority: None
Bug Group: None
Resolution: None
Assigned to: None
Status: Open
Effort: 0.00
Summary: login failure + password sent in clear text

Original Submission:

Hi People,

It seems there is something rotten in the login process.

1. I went to https://savannah.gnu.org/account/login.php
2. Filled my login (adl), and my password
3. Left the checkboxes in their default state:
   [X] Stay in SSL mode after login
   [ ] Remember me
   [ ] Login also in savannah.nongnu.org
4. Clicked [Login]
5. And got

   | Bad Request
   |
   | Your browser sent a request that this server could not understand.
   |
   | The request line contained invalid characters following the protocol string.

At this point the URL displayed is

http://savannah.nongnu.org//account/login.php?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1

Where `XX YYYYY' stands for my password in clear text, which contains a space.

I have a few concerns here:

1) Apparently I've been redirected from an HTTPS page to a plain HTTP page, and my password is being sent as clear text over the Internet.
2) Spaces in the redirected URL aren't escaped (I suspect that other "unsafe" characters listed in RFC 1738 aren't escaped either). If I replace this space by %20 and reload the page I finally end up at my "my/" page.
3) I didn't ask to login in s.nongnu.o!

FWIW, I'm using Netscape 4.77 which, AFAIK, uses given URLs as-is (I know some other browsers fix broken URLs themselves, by quoting unsafe characters).

No Followups Have Been Posted
CC list is empty
No files currently attached

For detailed info, follow this link: http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11
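The three defects the report describes (drop from HTTPS to HTTP, unescaped RFC 1738 characters, a cross-site redirect the user never asked for, all while carrying the password) can be checked mechanically. The following is an added example, not Savannah's own code: an audit function that flags each problem in a redirect URL, plus a builder that produces the redirect the way it should be done. The function names, the CREDENTIAL_PARAMS set and the sample URL (the reported one, password placeholder kept) are assumptions constructed here.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit, quote

# Characters RFC 1738 calls "unsafe" in a URL, plus a '%' that does not start
# a valid %XX escape. Any match means the URL was not properly encoded.
UNSAFE_RE = re.compile(r'[ <>"{}|\\^~\[\]`]|%(?![0-9A-Fa-f]{2})')

# Parameters that carry a credential; they must never ride in a redirect URL.
# (Assumed name set; form_pw is the parameter visible in the report.)
CREDENTIAL_PARAMS = {"form_pw"}

def audit_login_redirect(url: str) -> List[str]:
    """Return the problems found in a post-login redirect URL (empty = clean)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("leaves SSL: scheme is %r" % parts.scheme)
    if UNSAFE_RE.search(url):
        findings.append("contains unescaped RFC 1738 unsafe characters")
    # parse_qs undoes percent-encoding, so this sees exactly what the target receives.
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name in CREDENTIAL_PARAMS:
            findings.append("credential %r exposed in the query string" % name)
    return findings

def build_brother_redirect(host: str, params: Dict[str, str], requested: bool) -> Optional[str]:
    """Build the cross-site login redirect only when the user ticked the box,
    always over https, with every value percent-encoded (space -> %20)."""
    if not requested:
        return None
    query = urlencode(params, quote_via=quote)
    return urlunsplit(("https", host, "/account/login.php", query, ""))

# Constructed sample: the redirect from the report, password placeholder kept.
REPORTED_URL = ("http://savannah.nongnu.org//account/login.php"
                "?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1")

if __name__ == "__main__":
    for finding in audit_login_redirect(REPORTED_URL):
        print("-", finding)
    print(build_brother_redirect("savannah.nongnu.org",
                                 {"form_loginname": "adl", "from_brother": "1"}, True))
```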
