Exporting Unicode passwords and custom fields results in corrupted exported file filled with "?" characters #4715

Closed
opened 2026-03-07 19:58:43 -06:00 by GiteaMirror · 6 comments
Owner

Originally created by @ghost on GitHub (Jul 6, 2021).

Subject of the issue

When exporting passwords (in CSV or JSON), all fields (cleartext, custom and hidden) containing Unicode characters are corrupted. All Unicode characters are replaced with a '?' character resulting in a corruption of exported data.

This problem is also present on the Android app (version 2.10.0) and the Desktop app (version 1.27.0) (not checked on Navigators extensions).

I opened an issue on Bitwarden Web Vault but they couldn't reproduce the issue so it seems to be a problem on the Vaultwarden side.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.22.1
  • Web-vault version: v2.20.4
  • Running within Docker: false
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used: Web vault, Desktop and Android.
  • Reverse proxy and version: nginx 1.20.1
  • Install method: OS package (Arch Linux).

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, SIGNUPS_VERIFY, INVITATIONS_ALLOWED, PASSWORD_ITERATIONS, SHOW_PASSWORD_HINT, ADMIN_TOKEN, IP_HEADER, ICON_CACHE_TTL, ICON_CACHE_NEGTTL, ICON_BLACKLIST_NON_GLOBAL_IPS, AUTHENTICATOR_DISABLE_TIME_DRIFT, DISABLE_ADMIN_TOKEN, SMTP_HOST, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_AUTH_MECHANISM, SMTP_TIMEOUT, EMAIL_EXPIRATION_TIME, EMAIL_ATTEMPTS_LIMIT

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/var/lib/vaultwarden/data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "/var/lib/vaultwarden",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**.******.**",
  "domain_origin": "*****://**.******.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/var/lib/vaultwarden/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/var/lib/vaultwarden/data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "/var/lib/vaultwarden/data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Plain",
  "smtp_debug": false,
  "smtp_explicit_tls": true,
  "smtp_from": "*****@******.**",
  "smtp_from_name": "Bitwarden Server",
  "smtp_host": "****.******.**",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*****@******.**",
  "templates_folder": "/var/lib/vaultwarden/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": true,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/usr/share/webapps/vaultwarden-web/",
  "websocket_address": "127.0.0.1",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

  1. Login to your Vault.
  2. Go to "Tools" section.
  3. Click on "Export Vault" section.
  4. Choose export format, enter main password and click on "Export Vault" button.
  5. Open the exported file with a text editor and check fields containing Unicode symbols.

Expected behaviour

The following password string : ×þd6%I6ÛOÇ0ìôYd]9|ÔK?îML7û_¿1%
will result in the following exported string : ×þd6%I6ÛOÇ0ìôYd]9|ÔK?îML7û_¿1%

The following custom field : Clé de Sécurité
will result in the following exported string : Clé de Sécurité

Actual behaviour

The following password string : ×þd6%I6ÛOÇ0ìôYd]9|ÔK?îML7û_¿1%
will result (approximately) in the following exported string : ??d6%I6?O?0??Yd]9??K??ML7?_?1%

The following custom field : Clé de Sécurité
will result in the following exported string : Cl? de S?curit?
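Added example, not part of the original report and not Vaultwarden or Bitwarden code: the `?` substitution described above matches what an ASCII-only writer with a replacement policy produces, so a backup job can keep known Unicode canary values in the vault and confirm that each JSON export still carries them intact. The export layout and the names `lossy_ascii`, `iter_strings` and `check_export` are assumptions made for illustration.

```python
import json

def lossy_ascii(text):
    """Mimic an ASCII-only writer: every non-ASCII character becomes '?'."""
    return text.encode("ascii", errors="replace").decode("ascii")

def iter_strings(node, path="$"):
    """Yield (path, value) for every string value in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def check_export(raw, canaries):
    """Map each canary to (status, path); status is intact, corrupted or missing."""
    found = list(iter_strings(json.loads(raw.decode("utf-8"))))
    report = {}
    for canary in canaries:
        status, where = "missing", None
        for path, value in found:
            if value == canary:
                status, where = "intact", path
                break
            # Same text with every non-ASCII character turned into '?'
            if value == lossy_ascii(canary) and status == "missing":
                status, where = "corrupted", path
        report[canary] = (status, where)
    return report

# Constructed sample export; the field layout is an assumption, not a real vault.
SAMPLE = {"items": [{"name": "canary",
                     "login": {"password": "×þd6%I6ÛOÇ0ìôYd]9|ÔK?îML7û_¿1%"},
                     "fields": [{"name": "note", "value": "Clé de Sécurité"}]}]}
CANARIES = ["×þd6%I6ÛOÇ0ìôYd]9|ÔK?îML7û_¿1%", "Clé de Sécurité"]
GOOD = json.dumps(SAMPLE, ensure_ascii=False).encode("utf-8")
BAD = lossy_ascii(json.dumps(SAMPLE, ensure_ascii=False)).encode("ascii")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, check_export(raw, CANARIES))
```

A `corrupted` result means the exported value can no longer be used to recover the original secret, so the export should not be treated as a valid backup.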


@BlackDex commented on GitHub (Jul 6, 2021):

Have you tried this on the bitwarden site also? vault.bitwarden.com?
Since the export and import is a web-vault item, something we do not modify at all.

I think you need to report this at bitwarden, but I would suggest to first try it out on a free vault.bitwarden.com account.


@ghost commented on GitHub (Jul 6, 2021):

I tried this on vault.bitwarden.com and the Unicode characters of passwords and text fields are correctly exported in JSON and CSV format.


@BlackDex commented on GitHub (Jul 6, 2021):

I just did a quick check, and it seems to work fine for me.
Could you check your Content-Type header in the response via F12 of any page request to your vault?
It should contain something like this: text/plain; charset=utf-8 or application/json.

It kinda looks like your vaultwarden server or the reverse proxy doesn't handle UTF8 correctly.
The thing is, vaultwarden doesn't do anything during the import/export, it is all client based.

So the only thing I can think of, is that the web-vault is sent using something else than UTF8 charset, which causes the javascript code to not use UTF8 or something.


@ghost commented on GitHub (Jul 6, 2021):

I've verified the Content-Type of API requests and they are correct. I tried to export again from the web vault and it works with no data corrupted. But when I tried to export from the official Android app, the file was corrupted again. Finally, I think it's a bug in the Android app and not in the Web vault or backend server.


@jjlin commented on GitHub (Jul 6, 2021):

This is presumably https://github.com/bitwarden/mobile/issues/1401, which is fixed but hasn't made it into a release yet. So it sounds like you just assumed the problem existed in the web vault and desktop client, but didn't actually verify?


@ghost commented on GitHub (Jul 7, 2021):

Not exactly. I tried to export from the web vault an already corrupted database (previously imported after an upgrade of Vaultwarden which has removed some passwords) so I thought that the web vault was also impacted.


Reference: github-starred/vaultwarden#4715