From f95f74caaa864f850616f137422a74dc226ebdbc Mon Sep 17 00:00:00 2001
From: Lukas Tribus
Date: Tue, 12 Aug 2025 16:28:55 +0000
Subject: [PATCH] DOC: config: recommend single quoting passwords

Suggests single quoting passwords and update examples to avoid unexpected behaviors due to special characters. Should be backported to stable versions.
Link: https://discourse.haproxy.org/t/enhance-documentation-for-insecure-passwords-and-invald-characters/11959
(cherry picked from commit 9432e7d6887ade0db69947f343c5b5535a33e303)
Signed-off-by: Amaury Denoyelle
(cherry picked from commit 456d7dc170fd4a3e6541cc5816810f398efe2d07)
[cf: context adjustment]
Signed-off-by: Christopher Faulet
(cherry picked from commit 99dc78982db90181de548a9051e21069628ec6c5)
Signed-off-by: Christopher Faulet
---
doc/configuration.txt | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index e84f292..d09e003 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -4350,22 +4350,26 @@ user [password|insecure-password ] slower than their glibc counterparts when calculating hashes, so you might want to consider this aspect too. + All passwords are considered normal arguments and are therefor subject to + regular section 2.2 Quoting and escaping. Single quoting passwords is + therefor recommended. + Example: userlist L1 group G1 users tiger,scott group G2 users xdb,scott user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91 - user scott insecure-password elgato - user xdb insecure-password hello + user scott insecure-password 'elgato' + user xdb insecure-password 'hello' userlist L2 group G1 group G2 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1 - user scott insecure-password elgato groups G1,G2 - user xdb insecure-password hello groups G2 + user scott insecure-password 'elgato' groups G1,G2 + user xdb insecure-password 'hello' groups G2 Please note that both lists are functionally identical. @@ -11740,9 +11744,9 @@ stats admin { if | unless } # statistics admin level depends on the authenticated user userlist stats-auth group admin users admin - user admin insecure-password AdMiN123 + user admin insecure-password 'AdMiN123' group readonly users haproxy - user haproxy insecure-password haproxy + user haproxy insecure-password 'haproxy' backend stats_auth stats enable -- 1.7.10.4