OFBiz / OFBIZ-12287

UserLoginHistory failed the store operation with large password


Details

    Description

      When a user with a long password (greater than 256 characters) is present in OFBiz and you try to log in with it, OFBiz returns a long error message that contains sensitive information.

      Error saving UserLoginHistory and updating login status to reset hasLoggedOut, unsuccessful login count, etc.: org.apache.ofbiz.entity.GenericEntityException: org.apache.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)) (Error while inserting: [GenericEntity:UserLoginHistory][createdStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][createdTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][fromDate,2021-07-21 16:42:18.809(java.sql.Timestamp)][lastUpdatedStamp,2021-07-21 16:42:18.81(java.sql.Timestamp)][lastUpdatedTxStamp,2021-07-21 16:42:18.804(java.sql.Timestamp)][partyId,10010(java.lang.String)][passwordUsed,$SHA$l1rQ$i9Js3M3Mx3uQr4N1r8F6Jtj8dzQ(java.lang.String)][successfulLogin,N(java.lang.String)][userLoginId,lolo(java.lang.String)][visitId,10103(java.lang.String)] (SQL Exception while executing the following:null (A truncation error was encountered trying to shrink VARCHAR 'k+f3Qyf7vGwy/7lAh7xB3zerfnUUAZnx3Bkc9hMbQJxSt+wzeyj+plWWsHRa&' to length 255.)))
      

       The error comes from LoginService.java:353, which tries to store the record without checking the password size.

      This issue has been raised by Daniel Elkabes <daniel.elkabes@whitesourcesoftware.com> and Hagai Wechsler <hagai.wechsler@whitesourcesoftware.com> from White Source Software, many thanks to them!

      To solve this I suggest not returning any information on the GenericValue that failed, and checking the passwordUsed field before storing it, to avoid an unhelpful error.
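As an added illustration of the two mitigations suggested above (this is not OFBiz's own code; the class name, the 255-character column width and the field names are assumptions for the example), the following Java helper bounds the passwordUsed value before the insert and redacts sensitive fields from the message raised when the store fails:

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Illustrative helper, not OFBiz code: guards the UserLoginHistory insert. */
public final class LoginHistoryGuard {
    // Assumed width of the UserLoginHistory.passwordUsed column (VARCHAR(255) in the report).
    static final int PASSWORD_USED_MAX_LENGTH = 255;
    // Field values that must never be echoed back in an error message or log line.
    static final Set<String> SENSITIVE_FIELDS = Set.of("passwordUsed", "currentPassword");

    /** Returns a value that fits the column; an oversized value is replaced by a marker, not truncated. */
    static String boundPasswordUsed(String attempted) {
        if (attempted == null) {
            return null;
        }
        if (attempted.length() <= PASSWORD_USED_MAX_LENGTH) {
            return attempted;
        }
        return "[value exceeded " + PASSWORD_USED_MAX_LENGTH + " characters, not stored]";
    }

    /** Builds a failure message that names the entity and field keys but hides sensitive values. */
    static String redactedFailureMessage(String entityName, Map<String, Object> fields, Exception cause) {
        StringBuilder sb = new StringBuilder("Error saving ").append(entityName).append(" [");
        fields.forEach((key, value) -> sb.append(key).append('=')
                .append(SENSITIVE_FIELDS.contains(key) ? "<redacted>" : String.valueOf(value))
                .append(' '));
        // Only the exception type is reported; the failed row is not serialised into the message.
        return sb.append("]: ").append(cause.getClass().getSimpleName()).toString();
    }

    public static void main(String[] args) {
        Map<String, Object> history = new LinkedHashMap<>();
        history.put("userLoginId", "lolo");
        history.put("successfulLogin", "N");
        // Constructed 300-character input, standing in for the oversized password from the report.
        history.put("passwordUsed", boundPasswordUsed("x".repeat(300)));
        System.out.println(redactedFailureMessage("UserLoginHistory", history,
                new IllegalStateException("truncation")));
    }
}
```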

      Attachments

        1. OFBIZ-12287.patch
          4 kB
          Nicolas Malin
        2. 2023-12-18-remove-passwordUsed.diff
          4 kB
          Sixty One

          People

            nmalin Nicolas Malin
            nmalin Nicolas Malin