User service plugin returns http code 405 with passwords containing & char

paulo4 · December 23, 2014, 12:33pm

Hello and merry crhistmas,

just building a bridge between my authentication database and openfire using PUT method with user service plugin

everything works as documented , however users whose password contain the & char are not created/updated . the REST service return http code 405

is it a bug ?

already tried do urlencode and utf8_encode the password string, same behaviour

thanks and regards

Redeyes · December 23, 2014, 4:43pm

Hey,

Could you show me your http request with the payload?

Best

Roman

paulo4 · December 23, 2014, 5:05pm

Sure, here it is my code:

<?php //============================================================================== ===== // CHANGED: // ID ....: 201412222247 // DOC....: [https://community.igniterealtime.org/docs/DOC-1706](https://community.igniterealtime.org/docs/DOC-1706) // DOC....: [http://www.igniterealtime.org/projects/openfire/plugins/userservice/readme.html](http://www.igniterealtime.org/projects/openfire/plugins/userservice/readme.html) // DOC....: https://community.igniterealtime.org/thread/54117 // NEEDS..: curl extension //============================================================================== ===== define('XMPPSERVERURL','[http://192.168.1.75:9090');](http://192.168.1.75:9090');) //does not finish with / define('ADMINUSER','admin'); define('ADMINPASSWORD','123456'); define('EMAILDOMAIN','some.pt'); //without the @ define('PASSWORDFILE','password.txt'); // --- Do not change from here ----------------------------- $users_all=users_get_all(); $rv=password_file_import(); //------------------------------------------------------------------------------ ------- // function id ..: 201412222253 // modified dates: // doc ..........: password file format: user:password on every line // doc ..........: example: john:12345 // doc ..........: example: maria:abc123 //------------------------------------------------------------------------------ ------- function password_file_import(){ global $users_all; $ret=""; $afields=array(); $handle = fopen(PASSWORDFILE, "r"); if ($handle) { while(true) { $buffer = fgets($handle, 4096); if( $buffer===false) break; $buffer=trim($buffer); $af1=explode(':',$buffer); $afields['login']=$af1[0]; $afields['password']=$af1[1]; if (strpos($users_all,''. $afields['login'] . '') ===false ){ //create user echo 'New user:' . $afields['login'] . ' http_code:' . user_add($afields['login'],$afields['password']) . PHP_EOL ; } else { //update password echo 'Update Password:' . $afields['login'] . ' http code:' . user_password_update($afields['login'],$afields['password']) . PHP_EOL ; } } fclose($handle); } return $ret; } //------------------------------------------------------------------------------ ------- // function id: 201412222312 // modified dates: //------------------------------------------------------------------------------ ------- function users_get_all(){ $xmlstr= curl0(XMPPSERVERURL . '/plugins/userService/users',""); return $xmlstr; } //------------------------------------------------------------------------------ ------- // function id: 201412231049 // modified dates: //------------------------------------------------------------------------------ ------- function user_password_update($user,$passwd){ $xml_data='<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

USER00

PASSWORD00

NAME00

EMAIL00

';

$xml_data=str_ireplace(‘USER00’,$user,$xml_data);

$xml_data=str_ireplace(‘PASSWORD00’,$passwd,$xml_data);

$xml_data=str_ireplace(‘NAME00’,$user,$xml_data);

$xml_data=str_ireplace(‘EMAIL00’,$user.’@’ . EMAILDOMAIN ,$xml_data);

$rv=curl0(XMPPSERVERURL . ‘/plugins/userService/users/’ . $user,$xml_data);

return $rv;

}

//------------------------------------------------------------------------------ -------

// function id: 201412222323

// modified dates:

//------------------------------------------------------------------------------ -------

function user_add($user,$passwd){

$xml_data=’<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

USER00

PASSWORD00

NAME00

EMAIL00

';

$xml_data=str_ireplace(‘USER00’,$user,$xml_data);

$xml_data=str_ireplace(‘PASSWORD00’,$passwd,$xml_data);

$xml_data=str_ireplace(‘NAME00’,$user,$xml_data);

$xml_data=str_ireplace(‘EMAIL00’,$user.’@’ . EMAILDOMAIN ,$xml_data);

$rv=curl0(XMPPSERVERURL . ‘/plugins/userService/users’,$xml_data);

return $rv;

}

//------------------------------------------------------------------------------ -------

// function id: 201412222311

// modified dates:

//------------------------------------------------------------------------------ -------

function curl0($url,$xml_data){

//$xml_data=urlencode($xml_data);

$headers = array(

‘Content-Type:application/xml’,

'Authorization: Basic '. base64_encode(ADMINUSER . “:” . ADMINPASSWORD)

);

$ch = curl_init(); // create curl resource

curl_setopt($ch, CURLOPT_URL, $url); // set url

curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

if ($xml_data <> “”){

curl_setopt($ch, CURLOPT_CUSTOMREQUEST, “PUT”);

curl_setopt($ch, CURLOPT_POSTFIELDS,$xml_data);

}

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$output = curl_exec($ch); // $output contains the output string

$curl_get_info=curl_getinfo($ch);

curl_close($ch); // close curl resource to free up system resources

//return $url . PHP_EOL . $xml_data . PHP_EOL . $output . PHP_EOL . print_r($curl_get_info,true) . PHP_EOL;

//return $url . PHP_EOL . $xml_data . PHP_EOL . $output . PHP_EOL . ‘Return HTTP Code:’ . $curl_get_info[‘http_code’] . PHP_EOL;

if ( strpos($output,“xml”) ===false){

return $curl_get_info[‘http_code’];

}

return $output;

}

/*

@echo off

mode 120,40

%~d0

cd “%~d0%~p0”

echo ----------------------------------------------------

…\php_bin\php.exe -l user_create.php

echo ----------------------------------------------------

…\php_bin\php.exe user_create.php %1

if %COMPUTERNAME%==PAULOTRAVEL7 pause

*/

//$u1=‘http://192.168.1.75:9090/plugins/userService/userservice?type=add&secret=fIt3688 0&username=kafka&password=drowssap&name=franz&email=franz@kafka.com’;=fIt36880&username=kafka&password=drowssap&name=franz&email=franz@kafka.com’;

?>

Redeyes · January 2, 2015, 3:45pm

Sorry for the late response.

I looked at this issue and saw that & char need to be escaped in XML by &

See here: How to escape “&” in XML? - Stack Overflow

Valid request would be:

<user>
  <username>redeyes</username>
    <name>red</name>
    <email>franz@kafka.com</email>
  <password>test&amp;test</password>
</user>