Hello,

There seems to be a bug in the Spacewalk Java code that allows a user
to set whatever password regardless of any errors (e.g. length <
minlength), as long as the desired and confirm password are equal. It
is even possible to set a user's password to the empty string, which
results in not being able to log in anymore after sign out! Attached is
a patch that fixes the problem.

Greetings,
Johannes Renner

-- 
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)


From 57bac09f19795e5fc4c21514da4ac20bef9cc79d Mon Sep 17 00:00:00 2001
From: Johannes Renner <jren...@suse.de>
Date: Tue, 18 Jan 2011 15:58:23 +0100
Subject: [PATCH] Password with less than minlength characters accepted

---
 .../frontend/action/user/UserEditActionHelper.java |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java b/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java
index 79529b4..68f6ce0 100644
--- a/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java
+++ b/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java
@@ -45,12 +45,13 @@ public abstract class UserEditActionHelper extends RhnAction {
                 form.get(UserActionHelper.DESIRED_PASS))) {
             String pw = (String)form.get(UserActionHelper.DESIRED_PASS);
             String conf = (String)form.get(UserActionHelper.DESIRED_PASS_CONFIRM);
-            if (pw.equals(conf)) {
-                targetUser.setPassword(pw);
-            }
-            else {
+            if (!pw.equals(conf)) {
                 errors.add(ActionMessages.GLOBAL_MESSAGE,
-                           new ActionMessage("error.password_mismatch"));
+                        new ActionMessage("error.password_mismatch"));
+            }
+            else if (errors.isEmpty()) {
+                //Set the password only if there are no errors at all
+                targetUser.setPassword(pw);
             }
         }
 
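Review bot: the new `else if (errors.isEmpty())` guard around `targetUser.setPassword(pw)` relies entirely on an earlier validation step having already added a length or empty-string error to `errors` before this block runs; nothing in the hunk itself rejects an empty or too-short `pw`, so if that earlier check is skipped or reordered, the empty-password case described in the cover letter would be accepted again. Consider an explicit check at this point, e.g. `if (pw.isEmpty()) { errors.add(ActionMessages.GLOBAL_MESSAGE, ...); }` before the `setPassword` call, or at least a comment naming which validator is expected to populate `errors`. Minor: the added comment `//Set the password only if there are no errors at all` should have a space after `//` per usual Java style.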
-- 
1.7.1



_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
