Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- Trunk, 17.12.07, 18.12.01
- None
Description
When a user with a long password (greater than 256 characters) exists in OFBiz and you try to log in with it, OFBiz returns a long error message containing sensitive information:
Error saving UserLoginHistory and updating login status to reset hasLoggedOut, unsuccessful login count, etc.: org.apache.ofbiz.entity.GenericEntityException: org.apache.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)) (Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)))
The error comes from LoginService.java:353, which tries to store the value without checking the password size.
This issue was raised by Daniel Elkabes <daniel.elkabes@whitesourcesoftware.com> and Hagai Wechsler <hagai.wechsler@whitesourcesoftware.com> from WhiteSource Software, many thanks to them!
To solve this I suggest not returning any information about the GenericValue that failed, and checking the passwordUsed field before storing it, to avoid an unhelpful error.
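The two fixes suggested above, as an added illustration written for this page rather than OFBiz's own code: the column limits, the datastore stand-in and the sample login attempt are constructed, with passwordUsed set to VARCHAR(255) as the Derby error on this page shows.

```python
# Added illustration (not OFBiz code): check UserLoginHistory.passwordUsed against
# its column length before the insert, and never copy entity field values or the
# driver's message into the error returned to the client.

SERVER_LOG = []  # stands in for the server-side error log; detail belongs here only

# Assumption: passwordUsed is VARCHAR(255) as in the Derby error on this page;
# the other limits are constructed for the example.
COLUMN_LIMITS = {"passwordUsed": 255, "userLoginId": 255, "visitId": 20}
SENSITIVE = ("passwordUsed",)


class TruncationError(Exception):
    """Stand-in for the driver error, which (like Derby's) quotes the value."""


def db_insert(entity, fields):
    """Constructed datastore stand-in that rejects over-long VARCHAR values."""
    for name, value in fields.items():
        limit = COLUMN_LIMITS.get(name)
        if value is not None and limit is not None and len(value) > limit:
            raise TruncationError(
                f"A truncation error was encountered trying to shrink VARCHAR "
                f"'{value}' to length {limit}.")
    return f"inserted {entity}"


def record_login_history(fields, insert=db_insert):
    """Return (ok, client_message); the client message never carries field values."""
    fields = dict(fields)
    # Fix 1: an attempted password longer than the column cannot be stored as-is.
    # This example drops it instead of letting the database raise (the project's
    # own fix may choose differently, e.g. trimming).
    pw = fields.get("passwordUsed")
    if pw is not None and len(pw) > COLUMN_LIMITS["passwordUsed"]:
        fields["passwordUsed"] = None
    try:
        insert("UserLoginHistory", fields)
    except Exception as exc:
        # Fix 2: the GenericValue dump and driver text stay in the server log;
        # the caller gets a fixed message with nothing to leak.
        SERVER_LOG.append(f"UserLoginHistory insert failed: {exc}")
        return False, "Error saving UserLoginHistory"
    return True, "ok"


def leaks_sensitive(message, fields):
    """Regression check: does the message echo any sensitive field value?"""
    return any(fields.get(f) and fields[f] in message for f in SENSITIVE)
```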