Reproduction scenario:
- Go to
GET /account/lostlogin.php?confirm_hash[]=a
Trace:
Fatal error: Uncaught TypeError: Tuleap\Cryptography\ConcealedString::__construct(): Argument #1 ($value) must be of type string, array given, called in /usr/share/tuleap/src/common/User/Account/LostPassword/DisplayResetPasswordController.php on line 58 and defined in /usr/share/tuleap/src/common/Cryptography/ConcealedString.php:32
Stack trace:
#0 /usr/share/tuleap/src/common/User/Account/LostPassword/DisplayResetPasswordController.php(58): Tuleap\Cryptography\ConcealedString->__construct()
#1 /usr/share/tuleap/src/common/Request/FrontRouter.php(241): Tuleap\User\Account\LostPassword\DisplayResetPasswordController->process()
#2 /usr/share/tuleap/src/common/Request/FrontRouter.php(98): Tuleap\Request\FrontRouter->routeHandler()
#3 /usr/share/tuleap/src/www/index.php(50): Tuleap\Request\FrontRouter->route()
#4 {main}
  thrown in /usr/share/tuleap/src/common/Cryptography/ConcealedString.php on line 32
This issue is likely present in multiple places in Tuleap, but this endpoint is always tested during audits; I mostly want to avoid false positives.
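An added illustration, not Tuleap's code, of why the request above ends in an uncaught TypeError and of the input guard that turns it into a client error instead. The ConcealedString class here is a minimal stand-in that reproduces only the string-typed constructor seen in the trace, and scalarParam and the query strings are constructed for this example (PHP 8 assumed, matching the error message format).

```php
<?php
declare(strict_types=1);

// Stand-in for Tuleap\Cryptography\ConcealedString: only the string-typed
// constructor signature shown in the trace is reproduced (an assumption).
final class ConcealedString
{
    public function __construct(private string $value)
    {
    }
}

// Returns the parameter only when it is a plain string; arrays (from a
// "name[]=..." query) and missing keys yield null instead of a TypeError.
function scalarParam(array $params, string $name): ?string
{
    return isset($params[$name]) && is_string($params[$name]) ? $params[$name] : null;
}

// Constructed inputs: the query from the report and a well-formed one.
$queries = ['confirm_hash[]=a', 'confirm_hash=a'];

foreach ($queries as $query) {
    parse_str($query, $params); // the same parsing PHP applies to $_GET

    // Unguarded path, as in the trace: the raw value reaches the constructor.
    try {
        new ConcealedString($params['confirm_hash']);
        echo "unguarded: ok for $query\n";
    } catch (TypeError $e) {
        echo "unguarded: TypeError for $query\n";
    }

    // Guarded path: a malformed parameter is rejected as a client error
    // (HTTP 400) before it can reach a string-typed constructor.
    $hash = scalarParam($params, 'confirm_hash');
    if ($hash === null) {
        echo "guarded: 400 Bad Request for $query\n";
        continue;
    }
    new ConcealedString($hash);
    echo "guarded: ok for $query\n";
}
```

The same guard applies to any request parameter that is handed to a string-typed parameter, since PHP turns `name[]=` into an array regardless of the endpoint.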