This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit c850744b4b663603c1f43a9b859f1cfd27e95f7e
Author: Juan Pablo Santos RodrÃguez <[email protected]>
AuthorDate: Wed Apr 6 22:32:38 2022 +0200

validateProfile method requires always a non-null password in order to avoid CSRF attacks
---
.../src/main/java/org/apache/wiki/auth/DefaultUserManager.java | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
index 56ddd19b3..64ae54ed7 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
@@ -341,12 +341,10 @@ public class DefaultUserManager implements UserManager {
 validator.validate( profile.getEmail(), rb.getString("security.user.email"), InputValidator.EMAIL );
 if( !m_engine.getManager( AuthenticationManager.class ).isContainerAuthenticated() ) {
+ // passwords must match and can't be null
 final String password = profile.getPassword();
 if( password == null ) {
- if( profile.isNew() ) {
- // If new profile, passwords must match and can't be null
- session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.blankpassword" ) );
- }
+ session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.blankpassword" ) );
 } else {
 final HttpServletRequest request = context.getHttpRequest();
 final String password0 = ( request == null ) ? null : request.getParameter( "password0" );
