[Pidgin] #11347: irc.freenode.net nickserv passwords containing the colon (:) character, specified in the account settings, are improperly escaped

Pidgin trac at pidgin.im
Thu Feb 11 12:20:30 EST 2010


#11347: irc.freenode.net nickserv passwords containing the colon (:) character,
specified in the account settings, are improperly escaped
-----------------------------------------+----------------------------------
 Reporter:  graphiclunarkid              |        Owner:  elb    
     Type:  defect                       |       Status:  pending
Milestone:                               |    Component:  IRC    
  Version:  2.6.5                        |   Resolution:         
 Keywords:  irc password nickserv colon  |  
-----------------------------------------+----------------------------------
Changes (by graphiclunarkid):

  * status:  pending => new


Comment:

 In my case the password was not the first character in the password.

 The original password (since changed!) was "SKLI2uHhG:$<" (without the
 quotes). This is what I received from nickserv on login:

 {{{
 (5:01:39 PM) NickServ: (notice) This nickname is registered. Please choose
 a different nickname, or identify via /msg NickServ identify <password>.
 (5:01:40 PM) NickServ: (notice) SKLI2uHhG is not a registered nickname.
 }}}

 The first line indicates that it's recognising my username and asking for
 the corresponding password. In the second line it then seems to act as if
 I'd issued the following command:

 {{{
 /msg nickserv identify SKLI2uHhG <password>
 }}}

 The username "SKLI2uHhG" is apparently not registered so the check fails.
 What's interesting is that it seems the first part of the password is
 being substituted for the username, presumably either by virtue of the
 command syntax being used by pidgin, or by the way nickserv is
 interpreting the special characters in the password.

 I edited the password to remove the colon, thus "SKLI2uHhG$<" (without
 quotes) and was able to log in normally.

 I have also reproduced the bug with a password of "test:1" (without
 quotes). In this case, the user "test" apparently is registered, as I get
 the following messages:

 {{{
 (5:11:13 PM) NickServ: (notice) This nickname is registered. Please choose
 a different nickname, or identify via /msg NickServ identify <password>.
 (5:11:13 PM) NickServ: (notice) Invalid password for Morasique.
 }}}

 I assume "test" is an alias for user "Morasique".

 I can log on as normal by removing the colon to make the password "test1".

-- 
Ticket URL: <http://developer.pidgin.im/ticket/11347#comment:2>
Pidgin <http://pidgin.im>
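
A small model of the behaviour the comment above describes, added here as an illustration and not code from Pidgin or NickServ. It assumes the receiving side splits the supplied string at the first colon into an account name and a password, which is consistent with both NickServ notices quoted in the ticket; the function names and `example_nick` are hypothetical.

```python
# Added illustration; not Pidgin or NickServ source code.
# ASSUMPTION: the receiving side treats the first ':' in the supplied
# credential string as an "account:password" separator.

SEPARATOR = ":"


def server_side_split(login_nick, credential):
    """Return (account, password) as the service would see them under the assumption."""
    if SEPARATOR in credential:
        account, password = credential.split(SEPARATOR, 1)
        # Assumption: an empty account part falls back to the nick in use.
        return (account or login_nick, password)
    return (login_nick, credential)


def check_password(login_nick, credential):
    """Client-side pre-flight check: would this credential be reinterpreted?"""
    account, password = server_side_split(login_nick, credential)
    safe = (account == login_nick and password == credential)
    return {
        "safe": safe,
        "account_checked": account,    # nick the service would look up
        "password_checked": password,  # string it would compare against
    }


if __name__ == "__main__":
    # "example_nick" is a constructed value; the passwords are the ones
    # quoted in the ticket comment.
    for pw in ("SKLI2uHhG:$<", "SKLI2uHhG$<", "test:1", "test1"):
        result = check_password("example_nick", pw)
        print(f"{pw!r:16} -> {result}")
```

A client could run a check like `check_password` before sending the stored password and refuse, or warn, when `safe` is false.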