"Wide character in crypt" error message when passwords with certain "wide" characters are submitted in current/new password #1141

Open
@taniwallach

If certain Unicode characters (for example "א" but apparently most multi-byte UTF-8 characters) are entered in the password field of the login page and several other places, a "WeBWorK error" page is generated rather than a "nice response". Several sample error messages are below.

See: https://perldoc.perl.org/5.32.0/functions/crypt.html (end of page).

This issue is somewhat complicated by the fact that some 8-bit characters do not trigger the error. For example, when the 3-character string £¥± is pasted into the password box no error occurs. These are characters which in ISO-8859-1 used the high-bit and were copy+pasted from there to the string £¥± and into the password box. See: https://cs.stanford.edu/people/miles/iso8859.html . That is probably due to Perl's attempt to "downgrade (a copy of) the string back to an eight-bit byte string before calling crypt (on that copy)" when Unicode data is included. However, when that downgrade fails, the "Wide character in crypt" error is issued.

It would be nice to avoid these error pages, if necessary by just rejecting passwords entered in such places which contain wide characters which crypt cannot handle.

However, it would be nicer to handle wide characters inside the password in a manner which is invisible to the end user and which allows such characters as part of the passwords.

Since crypt does not support wide characters, we would need to "encode" the raw password string into a form which does not have any "wide characters" (for example to UTF-8) to avoid these types of problems. That sort of approach was suggested in the first patch proposed at https://bugzilla.mozilla.org/show_bug.cgi?id=453767 as a fix for similar issues with Bugzilla.

Most of WW seems to use cryptPassword() from lib/WeBWorK/Utils.pm so the main change would be there. However, at least 2 places under lib call crypt directly to verify a user submitted password.

  • checkPassword in lib/WeBWorK/Authen.pm (see also the sample site_checkPassword)
  • body in lib/WeBWorK/ContentGenerator/Options.pm (section about updating the user's password)

Those locations also need to be modified.

I suspect that if the change is made carefully and using UTF-8 encoding of the new/provided password string, then any "plain" ASCII passwords (at least those only using characters without the high-bit set) would continue to work as they did before.

However, any change which enabled using more Unicode characters in the password might break the current behavior for passwords which have 8-bit characters which crypt currently managed to handle (as in the examples above), as such characters would be modified by the encoding into UTF-8 into a multi-byte character and thus the hashed password would be different.

Thus, the manner in which this issue is addressed needs to be carefully considered, and any change will need to be well tested, due to the potential to cause authentication problems for existing accounts.

Modifying the definition of cryptPassword would hopefully fix most uses in the bin/ scripts. There are some scripts which use crypt directly, but do not have any non-Latin1 characters being used. (bin/addprofa, bin/addadmin, bin/putadmin).


Sample of the error message from the login page:

WeBWorK error
An error occured while processing your request. For help, please send mail to this site's webmaster (hidden@domain-hidden), including all of the following information as well as what what you were doing when the error occured.

Wed Sep 23 15:36:06 2020

Warning messages
Error messages
Wide character in crypt at /opt/webwork/webwork2/lib/WeBWorK/Authen.pm line 681.
Call stack
The information below can help locate the source of the problem.

in WeBWorK::Authen::checkPassword called at line 609 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm
in WeBWorK::Authen::authenticate called at line 578 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm
in WeBWorK::Authen::verify_normal_user called at line 335 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm
in WeBWorK::Authen::do_verify called at line 216 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm
in WeBWorK::Authen::verify called at line 160 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm
in WeBWorK::Authen::call_next_authen_method called at line 213 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm
in WeBWorK::Authen::verify called at line 388 of /opt/webwork/webwork2/lib/WeBWorK.pm

The same sort of error occurs if the "current password" has a wide character entered on the Options page where a user can change their password.

WeBWorK error
An error occured while processing your request. For help, please send mail to this site's webmaster ([email protected]), including all of the following information as well as what what you were doing when the error occured.

Wed Sep 23 16:18:55 2020

Warning messages
Error messages
Wide character in crypt at /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator/Options.pm line 79.
Call stack
The information below can help locate the source of the problem.

in WeBWorK::ContentGenerator::Options::body called at line 155 of /opt/webwork/webwork2/lib/WeBWorK/Template.pm
in WeBWorK::Template::template called at line 611 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
in WeBWorK::ContentGenerator::content called at line 233 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
in WeBWorK::ContentGenerator::go called at line 478 of /opt/webwork/webwork2/lib/WeBWorK.pm

The same sort of error occurs if the "new password" has a wide character (but the old one was correct) on the Options page where a user can change their password.

WeBWorK error

An error occured while processing your request. For help, please send mail to this site's webmaster ([email protected]), including all of the following information as well as what what you were doing when the error occured.

Wed Sep 23 16:21:34 2020
Warning messages

Error messages

    Wide character in crypt at /opt/webwork/webwork2/lib/WeBWorK/Utils.pm line 1024. 

Call stack

The information below can help locate the source of the problem.

    in WeBWorK::Utils::cryptPassword called at line 99 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator/Options.pm
    in WeBWorK::ContentGenerator::Options::body called at line 155 of /opt/webwork/webwork2/lib/WeBWorK/Template.pm
    in WeBWorK::Template::template called at line 611 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
    in WeBWorK::ContentGenerator::content called at line 233 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
    in WeBWorK::ContentGenerator::go called at line 478 of /opt/webwork/webwork2/lib/WeBWorK.pm


A similar issue occurs when changing a password from the class list editor:

WeBWorK error
An error occured while processing your request. For help, please send mail to this site's webmaster ([email protected]), including all of the following information as well as what what you were doing when the error occured.

Wed Sep 23 16:25:26 2020

Warning messages
Error messages
Wide character in crypt at /opt/webwork/webwork2/lib/WeBWorK/Utils.pm line 1024.
Call stack
The information below can help locate the source of the problem.

in WeBWorK::Utils::cryptPassword called at line 1310 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator/Instructor/UserList2.pm
in WeBWorK::ContentGenerator::Instructor::UserList2::savePassword_handler called at line 370 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator/Instructor/UserList2.pm
in WeBWorK::ContentGenerator::Instructor::UserList2::body called at line 155 of /opt/webwork/webwork2/lib/WeBWorK/Template.pm
in WeBWorK::Template::template called at line 611 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
in WeBWorK::ContentGenerator::content called at line 233 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
in WeBWorK::ContentGenerator::go called at line 478 of /opt/webwork/webwork2/lib/WeBWorK.pm

The Apache error.log file gets error messages like the following in the case of wide characters in the supplied password:


[Wed Sep 23 15:36:06.554861 2020] [perl:error] [pid 171] [client 132.68.115.60:47464] [/webwork2/104195_2021a/] Wide character in crypt at /opt/webwork/webwork2/lib/WeBWorK/Authen.pm line 681.\n * in WeBWorK::Authen::checkPassword called at line 609 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::authenticate called at line 578 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::verify_normal_user called at line 335 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::do_verify called at line 216 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::verify called at line 160 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::call_next_authen_method called at line 213 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::verify called at line 388 of /opt/webwork/webwork2/lib/WeBWorK.pm, referer: https://webwork.technion.ac.il/webwork2/104195_2021a/?user=HIDDEN&effectiveUser=HIDDEN&key=HIDDEN
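
Added example (not part of the original issue and not WeBWorK code): a Perl sketch of the three cases described above, showing that encoding to UTF-8 before `crypt` avoids the fatal error, leaves ASCII hashes unchanged, and changes the hash for Latin-1 passwords such as £¥±. The helper names `hash_utf8`, `hash_legacy` and `check_password`, the salt, and the fallback-to-legacy verification are assumptions for illustration; the salt assumes the system `crypt(3)` supports SHA-512 (`$6$`) hashes.

```perl
use strict;
use warnings;
use Encode qw(encode);

# Constructed salt; assumes the system crypt(3) supports SHA-512 ("$6$") hashes.
my $SALT = '$6$ConstructedSalt$';

# Hypothetical helper: encode the decoded password to UTF-8 bytes so that
# crypt never receives a character above 0xFF.
sub hash_utf8 {
    my ($password, $salt) = @_;
    return crypt(encode('UTF-8', $password), $salt);
}

# Current behaviour: the character string goes straight to crypt, which
# downgrades a copy to bytes or dies with "Wide character in crypt".
# Returns undef instead of dying.
sub hash_legacy {
    my ($password, $salt) = @_;
    return scalar eval { crypt($password, $salt) };
}

# Hypothetical verifier: accept the UTF-8 form, then fall back to the legacy
# form so hashes stored before the change keep working.
sub check_password {
    my ($password, $stored) = @_;
    my $new = hash_utf8($password, $stored);
    return 'utf8' if defined $new && $new eq $stored;
    my $old = hash_legacy($password, $stored);
    return 'legacy' if defined $old && $old eq $stored;
    return '';
}

# Constructed sample passwords, written with escapes so the file stays ASCII.
my %samples = (
    ascii  => 'hunter2',
    latin1 => "\x{a3}\x{a5}\x{b1}",   # the three-character string from the report
    wide   => "\x{5d0}",              # HEBREW LETTER ALEF
);

for my $name (sort keys %samples) {
    my $pw     = $samples{$name};
    my $legacy = hash_legacy($pw, $SALT);
    my $utf8   = hash_utf8($pw, $SALT);
    printf "%-6s legacy=%-4s same_hash=%-3s stored_legacy_verifies_as=%s\n",
        $name,
        defined $legacy ? 'ok' : 'dies',
        (defined $legacy && $legacy eq $utf8) ? 'yes' : 'no',
        defined $legacy ? check_password($pw, $legacy) : 'n/a';
}
```

The `latin1` row is the compatibility risk raised in the report: its stored hash only verifies through the legacy path, so a switch to UTF-8 encoding without such a fallback (or a rehash on next successful login) would lock out those accounts.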
