Hello,

There seems to be a bug in the Spacewalk Java code that allows a user to set whatever password regardless of any errors (e.g. length < minlength), as long as the desired and confirm password are equal. It is even possible to set a user's password to the empty string, which results in not being able to login anymore after sign out! Attached is a patch that fixes the problem.
Greetings,
Johannes Renner

--
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
>From 57bac09f19795e5fc4c21514da4ac20bef9cc79d Mon Sep 17 00:00:00 2001 From: Johannes Renner <jren...@suse.de> Date: Tue, 18 Jan 2011 15:58:23 +0100 Subject: [PATCH] Password with less than minlength characters accepted --- .../frontend/action/user/UserEditActionHelper.java | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java b/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java index 79529b4..68f6ce0 100644 --- a/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java +++ b/java/code/src/com/redhat/rhn/frontend/action/user/UserEditActionHelper.java @@ -45,12 +45,13 @@ public abstract class UserEditActionHelper extends RhnAction { form.get(UserActionHelper.DESIRED_PASS))) { String pw = (String)form.get(UserActionHelper.DESIRED_PASS); String conf = (String)form.get(UserActionHelper.DESIRED_PASS_CONFIRM); - if (pw.equals(conf)) { - targetUser.setPassword(pw); - } - else { + if (!pw.equals(conf)) { errors.add(ActionMessages.GLOBAL_MESSAGE, - new ActionMessage("error.password_mismatch")); + new ActionMessage("error.password_mismatch")); + } + else if (errors.isEmpty()) { + //Set the password only if there are no errors at all + targetUser.setPassword(pw); } } -- 1.7.1
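Review bot: the new `else if (errors.isEmpty())` guard only keeps a bad password out of `targetUser.setPassword(pw)` if some validation that runs before this block has already added a message to `errors`; nothing in the hunk itself performs the minimum-length or empty-string check, so the fix depends on an ordering invariant that is not visible here. Suggest making that explicit in the comment, e.g. `// Set the password only after all validation above has run without adding errors`, and, since the cover note calls out the empty-string case, confirming that the earlier validation path actually emits an error for an empty desired password and not only for one shorter than minlength; otherwise `"".equals("")` still passes the mismatch test and the empty password is stored. Minor style point: `//Set the password` should have a space after the slashes to match the surrounding code.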
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel