Double quotes in --gui-password value breaks the password generation

lcfd · December 9, 2022, 10:28am

Hi! I’m trying to use syncthing generate --config=... --gui-user="..." --gui-password="..." to set a new password for the user.

If I use a password that contains a double quote it seems that everything is fine until I try to do login into the GUI.

What I’ve tried:

Escape double quote with \ to make the generation of the bcrypt hash work but then the password is unusable
Surround the value with single quotes makes everything work, both the generation and the usage (Example: --gui-password='fe8efh^Ud;*$Vz3Bg?ecG@soh|3KH,_H"uuVkwfe8bnm12'). That’s not usable for me because I need to support single quotes.
Replace " with \x22 same result as the first try

What can I do to support double quotes?

calmh · December 9, 2022, 10:36am

I suspect this is a shell thing, your password contains $Vz3Bg which will be interpreted as a variable interpolation when inside double quotes, but not in single quotes. Compare the result of the command with single and double quotes just adding an echo at the front to see what actually gets executed.

Using --gui-password="foo\"bar" works fine for me to set a password foo"bar that works in my browser.

lcfd · December 9, 2022, 10:55am

Wow, thanks for the super fast response! I didn’t know about this detail, in fact, I’ve been testing test after test for quite a while using bcrypt.

So I have to use double quotes around the password and escape all chars which can do something crafty.

calmh · December 9, 2022, 12:02pm

That, or try to avoid having it in a context open to shell interpretation, I guess.

system · January 8, 2023, 12:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.