Posted to commits@ofbiz.apache.org by nm...@apache.org on 2021/07/28 13:01:57 UTC

[ofbiz-framework] branch trunk updated (36c489f -> 2aa68dc)

This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from 36c489f  Improved: Adds missing ASL2 headers in Helveticus less files
     new de4213f  Improved: Add description for all color orientation on Helveticus theme (OFBIZ-12288)
     new 2aa68dc  Fixed: UserLoginHistory failed the store operation with large password (OFBIZ-12287)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 framework/common/config/CommonEntityLabels.xml     | 18 ++++++++++---
 .../apache/ofbiz/common/login/LoginServices.java   | 31 ++++++++++++++++++++--
 2 files changed, 44 insertions(+), 5 deletions(-)

[ofbiz-framework] 01/02: Improved: Add description for all color orientation on Helveticus theme (OFBIZ-12288)

Posted by nm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit de4213f017f6a8442ae0ced86ee096f3ea5ddb81
Author: Nicolas Malin <ni...@nereide.fr>
AuthorDate: Fri Jul 23 14:50:58 2021 +0200

    Improved: Add description for all color orientation on Helveticus theme (OFBIZ-12288)
---
 framework/common/config/CommonEntityLabels.xml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/framework/common/config/CommonEntityLabels.xml b/framework/common/config/CommonEntityLabels.xml
index 7efa7ee..03c6f9c 100644
--- a/framework/common/config/CommonEntityLabels.xml
+++ b/framework/common/config/CommonEntityLabels.xml
@@ -21927,9 +21927,21 @@
         <value xml:lang="zh">电子商务的替代视觉风格</value>
         <value xml:lang="zh-TW">電子商務的替代視覺風格</value>
     </property>
-    <property key="VisualTheme.description.HELVETICUS">
-        <value xml:lang="en">: a Rainbowstone evolution</value>
-        <value xml:lang="fr"> : une évolution de Rainbowstone</value>
+    <property key="VisualTheme.description.HELVETICUS_AMBER">
+        <value xml:lang="en">: a Rainbowstone evolution in orange</value>
+        <value xml:lang="fr"> : une évolution de Rainbowstone en orange</value>
+    </property>
+    <property key="VisualTheme.description.HELVETICUS_RUBY">
+        <value xml:lang="en">: a Rainbowstone evolution in red</value>
+        <value xml:lang="fr"> : une évolution de Rainbowstone en rouge</value>
+    </property>
+    <property key="VisualTheme.description.HELVETICUS_EMERALD">
+        <value xml:lang="en">: a Rainbowstone evolution in green</value>
+        <value xml:lang="fr"> : une évolution de Rainbowstone en vert</value>
+    </property>
+    <property key="VisualTheme.description.HELVETICUS_SAPHIR">
+        <value xml:lang="en">: a Rainbowstone evolution in blue</value>
+        <value xml:lang="fr"> : une évolution de Rainbowstone en bleu</value>
     </property>
     <property key="VisualTheme.description.RAINBOWSTONE_AMBER">
         <value xml:lang="en">: Rainbowstone theme in orange</value>

[ofbiz-framework] 02/02: Fixed: UserLoginHistory failed the store operation with large password (OFBIZ-12287)

Posted by nm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 2aa68dc4de8892e8a7cbb38c10a3a3dd65d233e5
Author: Nicolas Malin <ni...@nereide.fr>
AuthorDate: Wed Jul 28 11:59:03 2021 +0200

    Fixed: UserLoginHistory failed the store operation with large password (OFBIZ-12287)
    
    When you have a user with long password (greater than 256 characters) present in OFBiz and you try to log with, OFBiz return a long error message with sensitive information due to exceeding value size to store on the field UserLoginHistory.passwordUsed.
    
    To solve this we no longer return any information about the GenericValue that failed, and we analyze the passwordUsed field to avoid the case where the password used to log in is larger than the database field capacity.
    
    Thanks to Daniel Elkabes <da...@whitesourcesoftware.com> and Hagai Wechsler <ha...@whitesourcesoftware.com> from white source software to raise the problem.
---
 .../apache/ofbiz/common/login/LoginServices.java   | 31 ++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java b/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
index 877afaf..edb820a 100644
--- a/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
+++ b/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
@@ -49,6 +49,7 @@ import org.apache.ofbiz.entity.condition.EntityCondition;
 import org.apache.ofbiz.entity.condition.EntityFunction;
 import org.apache.ofbiz.entity.condition.EntityOperator;
 import org.apache.ofbiz.entity.model.ModelEntity;
+import org.apache.ofbiz.entity.model.ModelField;
 import org.apache.ofbiz.entity.transaction.GenericTransactionException;
 import org.apache.ofbiz.entity.transaction.TransactionUtil;
 import org.apache.ofbiz.entity.util.EntityListIterator;
@@ -345,9 +346,12 @@ public class LoginServices {
                                         }
 
                                         // ONLY save the password if it was incorrect
+                                        // we will check in the hash size isn't too huge for the store other wise store a fix string
                                         if ("N".equals(successfulLogin) && !"false".equals(EntityUtilProperties.getPropertyValue("security",
                                                 "store.login.history.incorrect.password", delegator))) {
-                                            ulhCreateMap.put("passwordUsed", password);
+                                            ulhCreateMap.put("passwordUsed", isGivenPasswordCanBeStored(delegator, password)
+                                                    ? " TOO LONG FOR STORAGE "
+                                                    : password);
                                         }
 
                                         delegator.create("UserLoginHistory", ulhCreateMap);
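Review bot: The new ternary reads inverted: `isGivenPasswordCanBeStored(delegator, password)` is true when the placeholder is stored, while the helper added in the last hunk of this file returns `passwordUsedCurrentSize > maxPasswordSize`, i.e. true when the password does NOT fit. The behaviour is consistent, but the name says the opposite of what the value means, which is exactly what a later edit will "fix" by flipping the condition. Renaming it in both places to match the return value avoids that: `ulhCreateMap.put("passwordUsed", isPasswordTooLongForStorage(delegator, password)` here and `private static boolean isPasswordTooLongForStorage(Delegator delegator, String password)` in the declaration. The added comment could also be tidied to `// only store the (encrypted) value if it fits the passwordUsed column; otherwise store a fixed marker`. The enclosing service method starts and ends outside this hunk.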
@@ -358,7 +362,6 @@ public class LoginServices {
                                 if (doStore) {
                                     geeErrMsg += " and updating login status to reset hasLoggedOut, unsuccessful login count, etc.";
                                 }
-                                geeErrMsg += ": " + e.toString();
                                 try {
                                     TransactionUtil.rollback(beganTransaction, geeErrMsg, e);
                                 } catch (GenericTransactionException e2) {
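Review bot: With `e.toString()` gone, `geeErrMsg` no longer says what failed at all, which makes the next occurrence of this kind of failure hard to diagnose from the message alone. Appending only the exception type keeps that context without embedding the field value: `geeErrMsg += ": " + e.getClass().getSimpleName();`. Note that `e` itself is still handed to `TransactionUtil.rollback(beganTransaction, geeErrMsg, e)`, so whether its original message (and the value it may embed) still reaches a log depends on what rollback does with it, which is outside this hunk. The enclosing catch block starts and ends outside this hunk.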
@@ -448,6 +451,30 @@ public class LoginServices {
     }
 
     /**
+     * To escape an exception when the password store due to limitation size for passwordUsed field, we analyse if it's possible.
+     * @param delegator
+     * @param password
+     * @return
+     * @throws GenericEntityException
+     */
+    private static boolean isGivenPasswordCanBeStored(Delegator delegator, String password)
+            throws GenericEntityException {
+        ModelEntity modelEntityUserLoginHistory = delegator.getModelEntity("UserLoginHistory");
+        ModelField passwordUsedField = modelEntityUserLoginHistory.getField("passwordUsed");
+        int maxPasswordSize = delegator.getEntityFieldType(
+                modelEntityUserLoginHistory,
+                passwordUsedField.getType()).stringLength();
+        int passwordUsedCurrentSize = password.length();
+
+        // if the field is encrypted, we check the size of the hashed result
+        ModelField.EncryptMethod encryptMethod = passwordUsedField.getEncryptMethod();
+        if (encryptMethod.isEncrypted()) {
+            passwordUsedCurrentSize = delegator.encryptFieldValue("UserLoginHistory", encryptMethod, password).toString().length();
+        }
+        return passwordUsedCurrentSize > maxPasswordSize;
+    }
+
+    /**
      * Login service to authenticate a username without password, storing history
      * @return Map of results including (userLogin) GenericValue object
      */