[ https://issues.apache.org/jira/browse/JAMES-1724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050310#comment-18050310 ]

Matthieu Baechler commented on JAMES-1724:
------------------------------------------

Hi [~nadiyar], you are welcome to work on the issue as far as I'm concerned.

However, the description seems incomplete as there's no agreement on the 
expected behavior.

What would be the expected behavior in your opinion? Does any RFC define what 
is valid input during SMTP authentication?

> JPAUsersRepository fails with exception when login via SMTP contains \0 symbol
> ------------------------------------------------------------------------------
>
>                 Key: JAMES-1724
>                 URL: https://issues.apache.org/jira/browse/JAMES-1724
>             Project: James Server
>          Issue Type: Bug
>          Components: SMTPServer
>            Reporter: Alexei Osipov
>            Priority: Major
>              Labels: easyfix, security
>
> JPAUsersRepository throws exception if login provided in AUTH request 
> contains zero symbol (\0).
> Precondition:
> James must use JPA store.
> Steps to reproduce:
> Connect to server via SMTP and execute commands:
> HELO servername
> AUTH LOGIN
> AA==
> AA==
> Actual behavior:
> Server refuses login (good) and throws exception (not good).
> Exception log:
> {code}INFO   | jvm 1    | 2016/04/21 00:34:01 | 
> org.apache.james.user.api.UsersRepositoryException: Unable to search user
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.user.jpa.JPAUsersRepository.getUserByName(JPAUsersRepository.java:84)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.user.jpa.JPAUsersRepository.test(JPAUsersRepository.java:202)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.smtpserver.UsersRepositoryAuthHook.doAuth(UsersRepositoryAuthHook.java:64)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doAuthTest(AuthCmdHandler.java:350)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doLoginAuthPassCheck(AuthCmdHandler.java:319)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.access$400(AuthCmdHandler.java:60)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$3.onCommand(AuthCmdHandler.java:297)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$AbstractSMTPLineHandler.handleCommand(AuthCmdHandler.java:106)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$AbstractSMTPLineHandler.onLine(AuthCmdHandler.java:88)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$AbstractSMTPLineHandler.onLine(AuthCmdHandler.java:76)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.netty.LineHandlerUpstreamHandler.messageReceived(LineHandlerUpstreamHandler.java:50)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.SimpleChannelUpstreamHandler.messageReceived(SimpleChannelUpstreamHandler.java:129)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.handler.execution.ChannelUpstreamEventRunnable.run(ChannelUpstreamEventRunnable.java:44)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.handler.execution.OrderedMemoryAwareThreadPoolExecutor$ChildExecutor.run(OrderedMemoryAwareThreadPoolExecutor.java:312)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> java.lang.Thread.run(Thread.java:745)
> INFO   | jvm 1    | 2016/04/21 00:34:01 | Caused by: 
> <openjpa-2.2.1-r422266:1396819 fatal general error> 
> org.apache.openjpa.persistence.PersistenceException: ERROR: invalid byte 
> sequence for encoding "UTF8": 0x00 {prepstmnt 20859541 SELECT t0.user_name, 
> t0.version, t0.password_hash_algorithm, t0.password FROM public.JAMES_USER t0 
> WHERE (t0.user_name = ?)} [code=0, state=22021]
> INFO   | jvm 1    | 2016/04/21 00:34:01 | FailedObject: SELECT user FROM 
> JamesUser user WHERE user.name=:name [java.lang.String]
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:4958)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4918)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:136)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:118)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:70)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.kernel.SelectResultObjectProvider.handleCheckedException(SelectResultObjectProvider.java:155)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.rop.EagerResultList.<init>(EagerResultList.java:40)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.toResult(QueryImpl.java:1251)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:1007)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:863)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:794)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.DelegatingQuery.execute(DelegatingQuery.java:542)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.persistence.QueryImpl.execute(QueryImpl.java:286)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.persistence.QueryImpl.getResultList(QueryImpl.java:302)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.persistence.QueryImpl.getSingleResult(QueryImpl.java:330)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.user.jpa.JPAUsersRepository.getUserByName(JPAUsersRepository.java:79)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     ... 22 more
> INFO   | jvm 1    | 2016/04/21 00:34:01 | Caused by: 
> org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: invalid byte 
> sequence for encoding "UTF8": 0x00 {prepstmnt 20859541 SELECT t0.user_name, 
> t0.version, t0.password_hash_algorithm, t0.password FROM public.JAMES_USER t0 
> WHERE (t0.user_name = ?)} [code=0, state=22021]
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:219)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:203)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:59)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1118)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1019)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1774)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:255)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SelectImpl.executeQuery(SelectImpl.java:499)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SelectImpl.execute(SelectImpl.java:424)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SelectImpl.execute(SelectImpl.java:391)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.LogicalUnion$UnionSelect.execute(LogicalUnion.java:427)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.LogicalUnion.execute(LogicalUnion.java:230)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.LogicalUnion.execute(LogicalUnion.java:220)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.kernel.SelectResultObjectProvider.open(SelectResultObjectProvider.java:94)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.rop.EagerResultList.<init>(EagerResultList.java:34)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     ... 31 more
> INFO   | jvm 1    | 2016/04/21 00:34:01 | ERROR 01:34:01,751 | 
> james.smtpserver | Id='8528085' User='' AUTH method LOGIN failed from {code}
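The reported failure is that a NUL byte decoded from the AUTH LOGIN base64 token ("AA==") reaches the JPA query parameter, where PostgreSQL rejects it with SQLSTATE 22021 and the exception propagates instead of a plain authentication failure. The following is an added example, not James code: a Python stand-in that decodes the SASL tokens, validates them before any repository access (rejecting NUL and other control characters, malformed base64 and invalid UTF-8), and maps any backend error to a clean reject. `repo_lookup`, `RepositoryError` and the `users` dict are constructed stand-ins for the repository and its exception.

```python
import base64
import binascii
import hmac


class RepositoryError(Exception):
    """Stand-in for the repository's exception type (constructed for this example)."""


def repo_lookup(users, name):
    """Simulated JPA/PostgreSQL backend: as in the reported trace, a NUL byte in a
    text parameter fails with SQLSTATE 22021 rather than returning 'no such user'."""
    if "\x00" in name:
        raise RepositoryError('invalid byte sequence for encoding "UTF8": 0x00 [state=22021]')
    return users.get(name)


def decode_sasl_token(line):
    """Decode one base64 line of AUTH LOGIN. Returns (ok, value_or_reason)."""
    try:
        raw = base64.b64decode(line.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False, "malformed base64"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    if not text:
        return False, "empty credential"
    # NUL (0x00) is what the report triggers; other C0/DEL controls are rejected too.
    if any(ord(c) < 0x20 or c == "\x7f" for c in text):
        return False, "control character in credential"
    return True, text


def naive_auth_login(users, b64_user, b64_pass):
    """The reported path: decode and go straight to the repository, so a NUL byte
    surfaces as a backend exception rather than a refused login."""
    user = base64.b64decode(b64_user).decode("utf-8")
    password = base64.b64decode(b64_pass).decode("utf-8")
    stored = repo_lookup(users, user)
    return "accepted" if stored is not None and hmac.compare_digest(stored, password) else "rejected"


def auth_login(users, b64_user, b64_pass):
    """Hardened path: validate both tokens first; the repository is never queried
    with a bad credential, and a backend error still yields a plain reject."""
    ok_u, user = decode_sasl_token(b64_user)
    ok_p, password = decode_sasl_token(b64_pass)
    if not (ok_u and ok_p):
        return "rejected"
    try:
        stored = repo_lookup(users, user)
    except RepositoryError:
        return "rejected"  # log at debug level; no stack trace per failed attempt
    return "accepted" if stored is not None and hmac.compare_digest(stored, password) else "rejected"
```

The `users` dict holds plaintext passwords only to keep the stand-in short; a real repository compares against a stored hash.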



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
