Just checked the code. There are a bunch of things going on here:

- XMLUserDatabase contains a bug that causes the UID not to be saved. I don't know how or why this happened, but it's just not saving. There is no place where the XML node's uid attribute is actually set.
- Unit tests don't do a find-by-uid test, so we didn't detect this error condition.
- Our InputValidator does not screen out characters #, [, or ]

So, my conclusion is that the gmail addresses have nothing to do with the NPEs. And the inclusion of slightly weird characters in the user ID or name has nothing to do with the issue either.

Proposed fixes, which I will commit tonight:

- Fix XMLUserDatabase to set the UID properly (I will check the JDBC code also)
- Better test coverage to detect UIDs are actually set
- Add the #, [ and ] characters to the list of sketchy characters detected by InputValidator

In the meantime, the auto-registration flood of Gmail users is just that -- a flood of automatically registered users from Gmail. There's no obvious fix for this, other than turning on registration workflows.

Andrew

On Thu, Mar 19, 2009 at 4:01 AM, Janne Jalkanen <[email protected]> wrote:
> Yeah, I have no idea what is going. I tried to muck about in the
> server to do some checks, but at the moment I think we may have to
> assume that some spammer has found a way to break JSPWiki.
>
> I am in no position to do anything except read emails for the next
> some time, so could someone please check the case where illegal
> characters (#[]) end up in username?
>
> /Janne
>
> On Thu, Mar 19, 2009 at 07:02:51AM +0100, Harry Metske wrote:
>> Thanks, but now I have a couple of different errors, first the Main page is
>> empty, but looking at the version history this shows no recent changes, and
>> also the View Page Source shows the content.
>> Then, trying to login, I get :
>>
>> An unknown exception java.lang.NullPointerException was caught by Error.jsp.
>> *Exception* java.lang.NullPointerException
>> *Place where detected* java.lang.String.compareTo(), line 1168
>>
>> So it's almost fixed I guess :-)
>>
>> regards,
>> Harry
>>
>> 2009/3/18 Janne Jalkanen <[email protected]>
>>
>> >
>> > Yes, I just kicked the server.
>> >
>> > It would appear that there is a spambot registering a lot of userids which
>> > broke our xmluserdatabase. In which situation we would have an user
>> > account
>> > with no user id? I've got a ton of these now in the database:
>> >
>> > <user uid="" loginName="Kayarveattews" wikiName="Kayarveattews"
>> > fullName="Kayarveattews" email="serabarclay0...@gma
>> > il.com" password="{SSHA}NMJhGEkqxH+gAfskH1IgRqfJP5nqdxNhV0SUYA=="
>> > created="2009.03.17 at 08:40:44:598 EET" lastModified
>> > ="2009.03.17 at 08:40:44:598 EET" lockExpiry="" > </user>
>> >
>> > The user ids were generated properly until this user:
>> >
>> > <user uid="" loginName="#dennick[IRIFIFZFZIII]"
>> > wikiName="#dennick[IRIFIFZFZIII]" fullName="#dennick[IRIFIFZFZIII]" email="
>> > [email protected]"
>> > password="{SSHA}csdOtEsTz4l2l0gtBjDESF5bJkFgSlx+hTMA8Q=="
>> > created="2009.03.01 at 18:54:22:468 EET" lastModified="2009.03.01 at
>> > 18:54:22:468 EET" lockExpiry="" >
>> > </user>
>> >
>> > I think it's got something to do with the # and [] characters. Andrew?
>> >
>> > /Janne
>> >
>> >
>> > On 18 Mar 2009, at 19:56, Harry Metske wrote:
>> >
>> > I don't know how long this is going on, but on every URL within
>> >> http://www.jspwiki.org I get the following exception:
>> >>
>> >> java.lang.NullPointerException
>> >>
>> >> org.apache.xerces.dom.DeepNodeListImpl.nextMatchingElementAfter(Unknown
>> >> Source)
>> >> org.apache.xerces.dom.DeepNodeListImpl.item(Unknown Source)
>> >> org.apache.xerces.dom.DeepNodeListImpl.getLength(Unknown Source)
>> >>
>> >> com.ecyrd.jspwiki.auth.user.XMLUserDatabase.findByAttribute(XMLUserDatabase.java:617)
>> >>
>> >> com.ecyrd.jspwiki.auth.user.XMLUserDatabase.findByFullName(XMLUserDatabase.java:163)
>> >>
>> >> com.ecyrd.jspwiki.auth.user.AbstractUserDatabase.find(AbstractUserDatabase.java:81)
>> >>
>> >> com.ecyrd.jspwiki.WikiSession.injectUserProfilePrincipals(WikiSession.java:672)
>> >> com.ecyrd.jspwiki.WikiSession.actionPerformed(WikiSession.java:548)
>> >>
>> >> com.ecyrd.jspwiki.event.WikiEventManager$WikiEventDelegate.fireEvent(WikiEventManager.java:566)
>> >>
>> >> com.ecyrd.jspwiki.event.WikiEventManager.fireEvent(WikiEventManager.java:347)
>> >>
>> >> com.ecyrd.jspwiki.auth.AuthenticationManager.fireEvent(AuthenticationManager.java:677)
>> >>
>> >> com.ecyrd.jspwiki.auth.AuthenticationManager.login(AuthenticationManager.java:301)
>> >>
>> >> com.ecyrd.jspwiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:156)
>> >> com.ecyrd.jspwiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:111)
>> >>
>> >> Can someone poke around a bit ?
>> >>
>> >> thanks,
>> >> Harry
>> >>
>> >
>> >
>
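
An added example, not part of the thread and not JSPWiki code: a stand-alone Java audit that scans a user database of the shape quoted above for records with an empty `uid` and for names containing `#`, `[` or `]`. The class name `UserDbAudit`, the `<users>` root element and the sample records are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UserDbAudit {   // hypothetical name, not a JSPWiki class
    // The characters the thread proposes adding to the validator's reject list.
    private static final Pattern SKETCHY = Pattern.compile("[#\\[\\]]");

    /** Returns one finding per problem found on a <user> element. */
    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The user database is plain data: refuse DOCTYPE declarations outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList users = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagName("user");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            String login = u.getAttribute("loginName");
            // getAttribute returns "" for a missing attribute, so this covers
            // both uid="" and no uid attribute at all.
            if (u.getAttribute("uid").trim().isEmpty()) {
                findings.add(login + ": empty uid");
            }
            for (String attr : new String[] {"loginName", "wikiName", "fullName"}) {
                if (SKETCHY.matcher(u.getAttribute(attr)).find()) {
                    findings.add(login + ": " + attr + " contains #, [ or ]");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample records modelled on the ones quoted in the thread.
        String xml = "<users>"
            + "<user uid=\"1001\" loginName=\"alice\" wikiName=\"Alice\" fullName=\"Alice Example\"/>"
            + "<user uid=\"\" loginName=\"Kayarveattews\" wikiName=\"Kayarveattews\" fullName=\"Kayarveattews\"/>"
            + "<user uid=\"\" loginName=\"#dennick[IRIFIFZFZIII]\" wikiName=\"#dennick[IRIFIFZFZIII]\" fullName=\"#dennick[IRIFIFZFZIII]\"/>"
            + "</users>";
        audit(xml).forEach(System.out::println);
    }
}
```

On the sample input this reports an empty uid for the second and third records and the three name attributes of the third record, which separates the two conditions the thread initially suspected were linked.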
