Moral of the story: Every programmer should be at least moderately proficient with Regular Expressions.
I wrote:
Attn: LeagueOfLegends.com Web Development Team
I have discovered a bug in the JavaScript-based password validator on the sign-up page.
Page: https://signup.leagueoflegends.com/en/signup/index
See: var validationRules
Notice the following rule:
{"rule":["custom","\/(\\d[a-z]|[a-z]\\d)\/i"],"message":"Must contain at least one letter and one number"},
The regular expression, unescaped for readability, "(\d[a-z]|[a-z]\d)" does not properly match all passwords containing at least one letter and one number. Rather, it matches passwords containing at least one adjacent letter/number pair.
Consider the following (theoretically valid) passwords:
Password123 [Passes]
123Password [Passes]
Password123- [Passes]
-123Password [Passes]
Password-123 [Fails]
123-Password [Fails]
The latter two are not matched by this regular expression, even though they are both perfectly valid based solely on the rules displayed to the user.
I propose the check be split into two rules to most simply resolve this issue:
\d
[a-z]
Those would be implemented as such:
{"rule":["custom","\/\\d\/i"],"message":"Must contain at least one number"},
{"rule":["custom","\/[a-z]\/i"],"message":"Must contain at least one letter"},
Note to developer: You may find http://regexpal.com/ incredibly useful for helping you test and debug regular expressions. Disclaimer: I do not own nor am I associated with the aforementioned site or its owner.
I believe this issue may exist on other login pages, but I leave the responsibility of finding all instances of this bug to you.
I respectfully request that you contact me at the email provided when this issue has been resolved.
An avid League player,
Dan Washere
- dandymcgee
- ES Beta Backer
- Posts: 4709
- Joined: Tue Apr 29, 2008 3:24 pm
- Current Project: https://github.com/dbechrd/RicoTech
- Favorite Gaming Platforms: NES, Sega Genesis, PS2, PC
- Programming Language of Choice: C
- Location: San Francisco
Bug Reports
As a developer, there's nothing I hate more than bug reports consisting of "I opened it, clicked stuff, and an error popped up. Please fix ASAP." So when I stumbled across a bug on the League of Legends website, I wrote them the message that follows. How long do you think it will take them to fix it?
Falco Girgis wrote: It is imperative that I can broadcast my narcissistic commit strings to the Twitter! Tweet Tweet, bitches!
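The difference between the shipped rule and the proposed pair, as an added example that is not part of the original post or the site's own code: it parses the rule entries quoted in the report and runs both sets over the report's six passwords. The `toRegExp` and `failures` helpers, and the way a "custom" rule is evaluated, are assumptions made for illustration.

```javascript
// Added example: the rule strings are copied from the report; the runner is hypothetical.
// String.raw keeps the JSON escapes (\/ and \\d) exactly as they appear in the page source.
const ORIGINAL_RULES = JSON.parse(String.raw`[
  {"rule":["custom","\/(\\d[a-z]|[a-z]\\d)\/i"],"message":"Must contain at least one letter and one number"}
]`);
const PROPOSED_RULES = JSON.parse(String.raw`[
  {"rule":["custom","\/\\d\/i"],"message":"Must contain at least one number"},
  {"rule":["custom","\/[a-z]\/i"],"message":"Must contain at least one letter"}
]`);

// Turn a "/pattern/flags" string into a RegExp (assumed handling of "custom" rules).
function toRegExp(literal) {
  const m = /^\/(.*)\/([a-z]*)$/s.exec(literal);
  if (!m) throw new SyntaxError("not a /pattern/flags literal: " + literal);
  return new RegExp(m[1], m[2]);
}

// Return the message of every "custom" rule the password fails.
// An empty array means the password is accepted; other rule types are ignored here.
function failures(rules, password) {
  return rules
    .filter(({ rule: [type, literal] }) => type === "custom" && !toRegExp(literal).test(password))
    .map(({ message }) => message);
}

// The six passwords from the report, plus three constructed ones that must stay rejected.
const SAMPLES = ["Password123", "123Password", "Password123-", "-123Password",
                 "Password-123", "123-Password", "Password", "123456", "-----"];

// Accept/reject verdict of each rule set for every sample password.
function compare() {
  return SAMPLES.map((pw) => ({
    password: pw,
    original: failures(ORIGINAL_RULES, pw).length === 0,
    proposed: failures(PROPOSED_RULES, pw).length === 0,
  }));
}

console.table(compare());
```

Splitting the check also lets the form tell the user which requirement is missing, instead of one combined message.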
- bbguimaraes
- Chaos Rift Junior
- Posts: 294
- Joined: Wed Apr 11, 2012 4:34 pm
- Programming Language of Choice: c++
- Location: Brazil
Re: Bug Reports
dandymcgee wrote: Moral of the story: Every programmer should be at least moderately proficient with Regular Expressions.
Especially when it involves any kind of security-related matter... But yeah, every time I see something like
some_string.split('name="')[1].split('"')[0]
a part of me dies inside.
- dandymcgee
Re: Bug Reports
So it's now been 5 days since the initial report. As of this morning (after being forwarded through about 3 different support reps) my ticket has been marked "resolved" with the following message:
Riot Technical Support wrote: Thanks for the heads up on this bug. I have brought this issue to the attention of the web development team. Unfortunately, I can't provide a timeline for when we might see a fix on this issue, but thank you again for the report. Please let me know if you have any other questions!
The bug still exists on the live page, which is pretty embarrassing on their part.