Posted to notifications@ofbiz.apache.org by "Nicolas Malin (Jira)" <ji...@apache.org> on 2021/07/22 08:15:00 UTC
[jira] [Updated] (OFBIZ-12287) UserLoginHistory failed the store operation with large password
[ https://issues.apache.org/jira/browse/OFBIZ-12287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nicolas Malin updated OFBIZ-12287:
----------------------------------
Attachment: OFBIZ-12287.patch
> UserLoginHistory failed the store operation with large password
> ---------------------------------------------------------------
>
> Key: OFBIZ-12287
> URL: https://issues.apache.org/jira/browse/OFBIZ-12287
> Project: OFBiz
> Issue Type: Bug
> Components: framework/security
> Affects Versions: 18.12.01, Trunk, 17.12.07
> Reporter: Nicolas Malin
> Assignee: Nicolas Malin
> Priority: Major
> Attachments: OFBIZ-12287.patch
>
>
> When you have a user with a long password (greater than 256 characters) present in OFBiz and you try to log in with it, OFBiz returns a long error message containing sensitive information.
> {code:java}
> Error saving UserLoginHistory and updating login status to reset hasLoggedOut, unsuccessful login count, etc.: org.apache.ofbiz.entity.GenericEntityException: org.apache.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)) (Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)))
> {code}
> The error comes from LoginService.java:353, which tries to store the value without checking the password size.
> This issue has been raised by Daniel Elkabes <da...@whitesourcesoftware.com> and Hagai Wechsler <ha...@whitesourcesoftware.com> from White Source Software, many thanks to them!
> To solve this I suggest not returning any information on the genericValue that failed, and analysing the passwordUsed field before storing it, to avoid a useless error.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
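The two defects described in the issue above, shown side by side in a stand-alone Java illustration that is not OFBiz code and not the attached OFBIZ-12287.patch: the error message that carries every field value (including passwordUsed) out of the persistence layer, beside a pre-insert length check and a message that names only the entity and the offending field names. The field names mirror the UserLoginHistory entity from the log; the column widths, the redaction marker and the class/method names are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added illustration, not OFBiz code: validate string lengths before the
 * insert and never echo field values (such as passwordUsed) in the error.
 */
public final class UserLoginHistoryStore {

    /** Assumed column widths; the real OFBiz entity model is the authority. */
    static final Map<String, Integer> MAX_LENGTHS = Map.of(
            "userLoginId", 255,
            "partyId", 20,
            "passwordUsed", 255,
            "successfulLogin", 1,
            "visitId", 20);

    /** Assumed placeholder stored instead of an oversized attempted password. */
    static final String REDACTED = "[redacted: exceeded column length]";

    /** Raised instead of an exception built from the whole entity's toString(). */
    public static final class SafeStoreException extends Exception {
        SafeStoreException(String message) { super(message); }
    }

    /** Names of the fields whose value is longer than the declared width. */
    static List<String> oversizedFields(Map<String, String> row) {
        List<String> bad = new ArrayList<>();
        for (Map.Entry<String, String> e : row.entrySet()) {
            Integer max = MAX_LENGTHS.get(e.getKey());
            String value = e.getValue();
            if (max != null && value != null && value.length() > max) {
                bad.add(e.getKey());
            }
        }
        return bad;
    }

    /** The pattern from the report: the message carries every field value. */
    static String leakyMessage(Map<String, String> row, String dbError) {
        return "Error while inserting: " + row + " (" + dbError + ")";
    }

    /** Hardened message: entity name and field names only, no values. */
    static String safeMessage(String entity, List<String> fields, String dbError) {
        return "Error while inserting " + entity + ": fields " + fields
                + " exceed their declared length (" + dbError + ")";
    }

    /**
     * Checks the row before it reaches the database. An oversized
     * passwordUsed is replaced by a marker so the raw value is neither
     * persisted nor echoed; any other oversized field fails with a
     * value-free message.
     */
    static Map<String, String> prepareForStore(Map<String, String> row)
            throws SafeStoreException {
        Map<String, String> copy = new LinkedHashMap<>(row);
        String pw = copy.get("passwordUsed");
        if (pw != null && pw.length() > MAX_LENGTHS.get("passwordUsed")) {
            copy.put("passwordUsed", REDACTED);
        }
        List<String> bad = oversizedFields(copy);
        if (!bad.isEmpty()) {
            throw new SafeStoreException(
                    safeMessage("UserLoginHistory", bad, "pre-insert validation"));
        }
        return copy;
    }

    public static void main(String[] args) {
        // Constructed sample: a 300-character password attempt, as in the issue.
        Map<String, String> row = new LinkedHashMap<>();
        row.put("userLoginId", "lolo");
        row.put("partyId", "10010");
        row.put("passwordUsed", "k".repeat(300));
        row.put("successfulLogin", "N");
        row.put("visitId", "10103");

        System.out.println("Oversized fields: " + oversizedFields(row));
        // The old message contains the attempted password verbatim.
        System.out.println("Leaky message contains password: "
                + leakyMessage(row, "truncation error").contains("k".repeat(300)));
        try {
            Map<String, String> safe = prepareForStore(row);
            System.out.println("Value that would be stored: " + safe.get("passwordUsed"));
        } catch (SafeStoreException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Compile and run with `javac UserLoginHistoryStore.java && java UserLoginHistoryStore` (Java 11 or later for `String.repeat`). The design point is that the check happens before the database sees the row, so the truncation error never occurs, and that any exception that does escape is built from field names rather than from the entity's own toString(), which is what put the password material in the reported message.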