[Savannah-hackers] bug in change password system

[Arc]

I've tried twice now to recover a lost password, I got the automated
email then went to the URL enclosed.  Entered a new password in both
fields (the same in both, i checked), and when I clicked "Update" it
gave me this:

Error
   Invalid confirmation hash.

I'm using Lynx Version 2.8.3 w/ ssl support, the "confirm_hash" CGI
field had the following value: "confirm_hash=%24confirm_hash".  I assume
this is the cause for this bug, some HTML form style that is not handled
by lynx properly.

I manually went to the same page again, using the CGI values sent which
resulted in the above error (such as my new password, etc) but with the
confirm_hash the same as the URL sent to me via email.  This time it
worked fine.

So there's some problem with the way the confirmation hash is included
in a hidden form field on the first page.  I haven't looked into it any
further, but can if nessesary to get this bug fixed.

------------------------------------------------------------------------

Use GNU Privacy Guard to protect your email, see [http://www.gnupg.org/]

The attachement to this and every email I send is my GPG signature which
is used to verify that I am the sender and it is unmodified by any third
party.  You need GNU Privacy Guard installed to verify my GPG signature.

This was important even before our government's war on civil liberties,
but with the USA PAT RIOT Act signed into law it's especially important
to secure our right to communicate freely without federal surveillance.

If you have GNU Privacy Guard, please use it to encrypt and sign any and
all mail you send me.  I can help you in setting up and using encryption
to protect your email as well as host workshops for teaching your group.

------------------------------------------------------------------------

pgpAkYbPMWARb.pgp
Description: PGP signature