Bug Reports

Post by dandymcgee »

As a developer, there's nothing I hate more than bug reports consisting of "I opened it, clicked stuff, and an error popped up. Please fix ASAP." So when I stumbled across a bug on the League of Legends website, I wrote them the message that follows. How long do you think it will take them to fix it?
I wrote: Attn: LeagueOfLegends.com Web Development Team

I have discovered a bug in the JavaScript-based password validator on the sign-up page.

Page: https://signup.leagueoflegends.com/en/signup/index

See: var validationRules

Notice the following rule:
{"rule":["custom","\/(\\d[a-z]|[a-z]\\d)\/i"],"message":"Must contain at least one letter and one number"},

The regular expression, unescaped for readability, "(\d[a-z]|[a-z]\d)" does not properly match all passwords containing at least one letter and one number. Rather, it matches passwords containing at least one adjacent letter/number pair.

Consider the following (theoretically valid) passwords:
Password123 [Passes]
123Password [Passes]
Password123- [Passes]
-123Password [Passes]
Password-123 [Fails]
123-Password [Fails]

The latter two are not matched by this regular expression, even though they are both perfectly valid based solely on the rules displayed to the user.

I propose the check be split into two rules to most simply resolve this issue:
\d
[a-z]

Those would be implemented as such:
{"rule":["custom","\/\\d\/i"],"message":"Must contain at least one number"},
{"rule":["custom","\/[a-z]\/i"],"message":"Must contain at least one letter"},

Note to developer: You may find http://regexpal.com/ incredibly useful for helping you test and debug regular expressions. Disclaimer: I do not own nor am I associated with the aforementioned site or its owner.

I believe this issue may exist on other login pages, but I leave the responsibility of finding all instances of this bug to you.

I respectfully request that you contact me at the email provided when this issue has been resolved.

An avid League player,
Dan Washere
Moral of the story: Every programmer should be at least moderately proficient with Regular Expressions.
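The mismatch described in the report above, as an added example that is not part of the original post or the site's own code: it runs the quoted rule and the proposed split rules over the report's six passwords plus a few constructed ones, and compares each result with a regex-free check of the stated policy. The rule-object shape (`pattern`, `message`) and the helper names are assumptions made for illustration.

```javascript
// Rule as quoted in the report: it requires a digit directly next to a letter.
const originalRules = [
  { pattern: /(\d[a-z]|[a-z]\d)/i, message: "Must contain at least one letter and one number" },
];
// Split rules proposed in the report.
const proposedRules = [
  { pattern: /\d/i, message: "Must contain at least one number" },
  { pattern: /[a-z]/i, message: "Must contain at least one letter" },
];

// Independent reference for what the message promises (no regex involved).
function hasLetterAndDigit(password) {
  let letter = false, digit = false;
  for (const ch of password) {
    if (ch >= "0" && ch <= "9") digit = true;
    else if ((ch >= "a" && ch <= "z") || (ch >= "A" && ch <= "Z")) letter = true;
  }
  return letter && digit;
}

// Returns the message of every rule the password fails (empty array = accepted).
function validate(password, rules) {
  return rules.filter(r => !r.pattern.test(password)).map(r => r.message);
}

// Lists the passwords on which a rule set disagrees with the stated policy.
function findMismatches(rules, passwords) {
  return passwords.filter(p => (validate(p, rules).length === 0) !== hasLetterAndDigit(p));
}

// The six passwords from the report, followed by constructed edge cases.
const samples = ["Password123", "123Password", "Password123-", "-123Password",
  "Password-123", "123-Password", "a_1", "1 a", "password", "12345", "---", ""];

console.log("original rule mismatches:", findMismatches(originalRules, samples));
console.log("proposed rule mismatches:", findMismatches(proposedRules, samples));
```

Comparing the rule against an independent statement of the policy, rather than against hand-picked passing inputs, is what surfaces the separator case.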

Re: Bug Reports

Post by bbguimaraes »

dandymcgee wrote: Moral of the story: Every programmer should be at least moderately proficient with Regular Expressions.
Especially when it involves any kind of security-related matter... But yeah, every time I see something like
some_string.split('name="')[1].split('"')[0]
a part of me dies inside.

Re: Bug Reports

Post by dandymcgee »

So it's now been 5 days since the initial report. As of this morning (after being forwarded through about 3 different support reps) my ticket has been marked "resolved" with the following message:
Riot Technical Support wrote: Thanks for the heads up on this bug. I have brought this issue to the attention of the web development team. Unfortunately, I can't provide a timeline for when we might see a fix on this issue, but thank you again for the report. Please let me know if you have any other questions!
The bug still exists on the live page, which is pretty embarrassing on their part.