Posted to notifications@ofbiz.apache.org by "Nicolas Malin (Jira)" <ji...@apache.org> on 2021/07/22 08:13:00 UTC

[jira] [Created] (OFBIZ-12287) UserLoginHistory failed the store operation with large password

Nicolas Malin created OFBIZ-12287:
-------------------------------------

             Summary: UserLoginHistory failed the store operation with large password
                 Key: OFBIZ-12287
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12287
             Project: OFBiz
          Issue Type: Bug
          Components: framework/security
    Affects Versions: 17.12.07, Trunk, 18.12.01
            Reporter: Nicolas Malin
            Assignee: Nicolas Malin


When a user with a long password (greater than 256 characters) exists in OFBiz and you try to log in with it, OFBiz returns a long error message containing sensitive information.
{code:java}
Error saving UserLoginHistory and updating login status to reset hasLoggedOut, unsuccessful login count, etc.: org.apache.ofbiz.entity.GenericEntityException: org.apache.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)) (Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)))
{code}
The error comes from LoginService.java:353, which tries to store the value without checking the password size.

This issue was raised by Daniel Elkabes <da...@whitesourcesoftware.com> and Hagai Wechsler <ha...@whitesourcesoftware.com> from WhiteSource Software; many thanks to them!

To solve this, I suggest not returning any information about the GenericValue that failed, and checking the passwordUsed field before storing it, to avoid a useless error.
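The two parts of the suggested fix, as an added illustration that is not OFBiz code and does not touch the OFBiz delegator or GenericValue API: the length check happens before the insert, and the exception raised on failure names the entity and the field keys only, never the field values that the stack trace above echoes. The sink interface, the StoreException class and the 255 limit are assumptions standing in for the real persistence layer and the VARCHAR column in the report. One caveat the report itself shows: the string the database rejects ('k+f3Qyf7...') is not the $SHA$ digest printed in the entity dump, so in the real code the check must be applied to the value in the form that is actually written to the column, not to an earlier representation.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not OFBiz code): store a login-history record without
 * echoing field values when the insert fails, and reject an over-long
 * passwordUsed value before the database does.
 */
public class SafeLoginHistoryStore {

    /** Assumed column limit, mirroring the VARCHAR length 255 in the report. */
    static final int PASSWORD_USED_MAX_LENGTH = 255;

    /** Hypothetical exception type; its message must never contain field values. */
    static class StoreException extends Exception {
        StoreException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** Hypothetical stand-in for the persistence layer (the OFBiz delegator). */
    interface Sink {
        void insert(String entityName, Map<String, String> fields) throws Exception;
    }

    /**
     * Builds the record to store. The passwordUsed field is omitted (not
     * truncated) when its stored form would exceed the column length: a
     * truncated credential is useless for later analysis and strict databases
     * would reject it anyway, producing exactly the error in the report.
     */
    static Map<String, String> prepareHistoryRecord(String userLoginId,
                                                    String passwordUsedStoredForm,
                                                    boolean successful) {
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("userLoginId", userLoginId);
        fields.put("successfulLogin", successful ? "Y" : "N");
        if (passwordUsedStoredForm != null
                && passwordUsedStoredForm.length() <= PASSWORD_USED_MAX_LENGTH) {
            fields.put("passwordUsed", passwordUsedStoredForm);
        }
        return fields;
    }

    /**
     * Stores the record. On failure the exception carries the entity name and
     * the field keys only; the original cause is chained for debugging but the
     * message that reaches logs and screens holds no values.
     */
    static void storeHistory(Sink sink, Map<String, String> fields) throws StoreException {
        try {
            sink.insert("UserLoginHistory", fields);
        } catch (Exception e) {
            throw new StoreException(
                "Error saving UserLoginHistory (fields: " + fields.keySet() + ")", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a 300-character value exceeds the assumed column length.
        String tooLong = "A".repeat(300);
        Map<String, String> record = prepareHistoryRecord("lolo", tooLong, false);
        System.out.println("passwordUsed kept: " + record.containsKey("passwordUsed")); // false

        // Constructed failing sink, simulating the database truncation error.
        Sink failing = (entity, f) -> {
            throw new java.sql.SQLException("A truncation error was encountered");
        };
        try {
            storeHistory(failing, record);
        } catch (StoreException e) {
            // Prints the entity name and field keys, never the values.
            System.out.println(e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeLoginHistoryStore.java && java SafeLoginHistoryStore`. The point of chaining the cause rather than concatenating it is that the database driver's own message (which in the report contains the rejected VARCHAR content) stays in the cause for a developer with access to the full trace, while the message that a service error response displays is built from keys alone.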



--
This message was sent by Atlassian Jira
(v8.3.4#803005)