
github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authorStefan Giehl <stefan@matomo.org>2021-11-18 22:13:06 +0300
committerGitHub <noreply@github.com>2021-11-18 22:13:06 +0300
commit6ada5368c1a0a626a2e8406bf0f7baa06122fa7d (patch)
tree7ffad7b4991c400a06fb4b7f89b62ea07567a2af /plugins/UsersManager
parentab33924be3286c4cd35c83cbe90e3b5b20e49ec7 (diff)
Ensure password with special characters are working correctly when creating a token auth (#18348)DEV-2306
Diffstat (limited to 'plugins/UsersManager')
-rw-r--r--plugins/UsersManager/API.php2
-rw-r--r--plugins/UsersManager/tests/System/ApiTest.php14
2 files changed, 15 insertions, 1 deletions
diff --git a/plugins/UsersManager/API.php b/plugins/UsersManager/API.php
index 96702a36f7..8aa5a37ca5 100644
--- a/plugins/UsersManager/API.php
+++ b/plugins/UsersManager/API.php
@@ -27,7 +27,6 @@ use Piwik\Piwik;
use Piwik\Plugin;
use Piwik\Plugins\CoreAdminHome\Emails\UserCreatedEmail;
use Piwik\Plugins\Login\PasswordVerifier;
-use Piwik\SettingsPiwik;
use Piwik\Site;
use Piwik\Tracker\Cache;
use Piwik\View;
@@ -1409,6 +1408,7 @@ class API extends \Piwik\Plugin\API
}
}
+ $passwordConfirmation = Common::unsanitizeInputValue($passwordConfirmation);
if (empty($user) || !$this->passwordVerifier->isPasswordCorrect($userLogin, $passwordConfirmation)) {
if (empty($user)) {
/**
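Review bot: The added `Common::unsanitizeInputValue($passwordConfirmation)` call has no comment saying why the confirmation password is decoded, so a later reader cannot tell that it presumably undoes the request layer's entity encoding before `isPasswordCorrect()` runs. I would put `// API request parameters arrive HTML-entity-encoded; restore the raw password before verifying it` above the line. The decode also runs for in-process callers that pass an unencoded value, so a password containing literal entity text such as `&amp;` would presumably be altered before verification and rejected. It is worth confirming that this matches how the password is decoded when it is set, and whether other password-confirmation entry points need the same treatment. The enclosing method starts and ends outside the hunk.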
diff --git a/plugins/UsersManager/tests/System/ApiTest.php b/plugins/UsersManager/tests/System/ApiTest.php
index 786f71e01b..2c93dc2eb5 100644
--- a/plugins/UsersManager/tests/System/ApiTest.php
+++ b/plugins/UsersManager/tests/System/ApiTest.php
@@ -114,6 +114,20 @@ class ApiTest extends SystemTestCase
return $apiToTest;
}
+ public function test_createAppSpecificTokenAuthWithCrypticPassword()
+ {
+ $password = 'p§$%"@&<~#\'\\/+ >*^!°p';
+ API::$UPDATE_USER_REQUIRE_PASSWORD_CONFIRMATION = false;
+ $this->api->updateUser('login6', $password);
+ API::$UPDATE_USER_REQUIRE_PASSWORD_CONFIRMATION = true;
+ $this->model->deleteAllTokensForUser('login6');
+ $token = $this->api->createAppSpecificTokenAuth('login6', $password, 'test');
+ $this->assertMd5($token);
+
+ $user = $this->model->getUserByTokenAuth($token);
+ $this->assertSame('login6', $user['login']);
+ }
+
public function test_createAppSpecificTokenAuth()
{
$this->model->deleteAllTokensForUser('login1');
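Review bot: The new test passes `$password` to `createAppSpecificTokenAuth()` raw and in-process, so as far as this hunk shows it never feeds the method the entity-encoded form an HTTP API request would deliver, and it may pass even without the API.php change. Passing the encoded value, e.g. `$this->api->createAppSpecificTokenAuth('login6', Common::sanitizeInputValue($password), 'test');`, would pin the regression (assuming `Common` is imported in this file). Separately, `API::$UPDATE_USER_REQUIRE_PASSWORD_CONFIRMATION` is a static that stays `false` for later tests if `updateUser()` throws. Resetting it in a `finally` block keeps the password-confirmation requirement from being silently disabled for the rest of the suite.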