[jira] [Commented] (JAMES-1724) JPAUsersRepository fails with exception when login via SMTP contains \0 symbol

Nadiyar (Jira) Wed, 07 Jan 2026 09:22:18 -0800


    [ 
https://issues.apache.org/jira/browse/JAMES-1724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050440#comment-18050440
 ]


Nadiyar commented on JAMES-1724:
--------------------------------

Nice <3

So as [~btellier] mentioned NUL ({{{}0x00{}}}) has a specific role, according 
to RFC4616:
{code:java}
message   = [authzid] UTF8NUL authcid UTF8NUL passwd{code}
So each message should have exactly two NUL.

In my humble opinion, James should first parse, then check if the message 
includes exactly two \0.

Any other combination should be considered invalid.

p.s. since it was first time me reading an RFC I was lost among dozens of them 
with no result, I might not be as agile as you are.

> JPAUsersRepository fails with exception when login via SMTP contains \0 symbol
> ------------------------------------------------------------------------------
>
>                 Key: JAMES-1724
>                 URL: https://issues.apache.org/jira/browse/JAMES-1724
>             Project: James Server
>          Issue Type: Bug
>          Components: SMTPServer
>            Reporter: Alexei Osipov
>            Priority: Major
>              Labels: easyfix, security
>
> JPAUsersRepository throws exception if login provided in AUTH request 
> contains zero symbol (\0).
> Precondition:
> James must use JPA store.
> Steps to reproduce:
> Connect to server via SMTP and execute commands:
> HELO servername
> AUTH LOGIN
> AA==
> AA==
> Actual behavior:
> Server refuses login (good) and throws exception (not good).
> Exception log:
> {code}INFO   | jvm 1    | 2016/04/21 00:34:01 | 
> org.apache.james.user.api.UsersRepositoryException: Unable to search user
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.user.jpa.JPAUsersRepository.getUserByName(JPAUsersRepository.java:84)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.user.jpa.JPAUsersRepository.test(JPAUsersRepository.java:202)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.smtpserver.UsersRepositoryAuthHook.doAuth(UsersRepositoryAuthHook.java:64)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doAuthTest(AuthCmdHandler.java:350)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doLoginAuthPassCheck(AuthCmdHandler.java:319)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.access$400(AuthCmdHandler.java:60)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$3.onCommand(AuthCmdHandler.java:297)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$AbstractSMTPLineHandler.handleCommand(AuthCmdHandler.java:106)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$AbstractSMTPLineHandler.onLine(AuthCmdHandler.java:88)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler$AbstractSMTPLineHandler.onLine(AuthCmdHandler.java:76)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.protocols.netty.LineHandlerUpstreamHandler.messageReceived(LineHandlerUpstreamHandler.java:50)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.SimpleChannelUpstreamHandler.messageReceived(SimpleChannelUpstreamHandler.java:129)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.handler.execution.ChannelUpstreamEventRunnable.run(ChannelUpstreamEventRunnable.java:44)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.jboss.netty.handler.execution.OrderedMemoryAwareThreadPoolExecutor$ChildExecutor.run(OrderedMemoryAwareThreadPoolExecutor.java:312)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> java.lang.Thread.run(Thread.java:745)
> INFO   | jvm 1    | 2016/04/21 00:34:01 | Caused by: 
> <openjpa-2.2.1-r422266:1396819 fatal general error> 
> org.apache.openjpa.persistence.PersistenceException: ERROR: invalid byte 
> sequence for encoding "UTF8": 0x00 {prepstmnt 20859541 SELECT t0.user_name, 
> t0.version, t0.password_hash_algorithm, t0.password FROM public.JAMES_USER t0 
> WHERE (t0.user_name = ?)} [code=0, state=22021]
> INFO   | jvm 1    | 2016/04/21 00:34:01 | FailedObject: SELECT user FROM 
> JamesUser user WHERE user.name=:name [java.lang.String]
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:4958)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4918)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:136)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:118)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:70)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.kernel.SelectResultObjectProvider.handleCheckedException(SelectResultObjectProvider.java:155)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.rop.EagerResultList.<init>(EagerResultList.java:40)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.toResult(QueryImpl.java:1251)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:1007)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:863)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:794)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.kernel.DelegatingQuery.execute(DelegatingQuery.java:542)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.persistence.QueryImpl.execute(QueryImpl.java:286)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.persistence.QueryImpl.getResultList(QueryImpl.java:302)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.persistence.QueryImpl.getSingleResult(QueryImpl.java:330)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.james.user.jpa.JPAUsersRepository.getUserByName(JPAUsersRepository.java:79)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     ... 22 more
> INFO   | jvm 1    | 2016/04/21 00:34:01 | Caused by: 
> org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: invalid byte 
> sequence for encoding "UTF8": 0x00 {prepstmnt 20859541 SELECT t0.user_name, 
> t0.version, t0.password_hash_algorithm, t0.password FROM public.JAMES_USER t0 
> WHERE (t0.user_name = ?)} [code=0, state=22021]
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:219)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:203)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:59)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1118)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1019)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1774)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:255)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SelectImpl.executeQuery(SelectImpl.java:499)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SelectImpl.execute(SelectImpl.java:424)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.SelectImpl.execute(SelectImpl.java:391)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.LogicalUnion$UnionSelect.execute(LogicalUnion.java:427)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.LogicalUnion.execute(LogicalUnion.java:230)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.sql.LogicalUnion.execute(LogicalUnion.java:220)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.jdbc.kernel.SelectResultObjectProvider.open(SelectResultObjectProvider.java:94)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     at 
> org.apache.openjpa.lib.rop.EagerResultList.<init>(EagerResultList.java:34)
> INFO   | jvm 1    | 2016/04/21 00:34:01 |     ... 31 more
> INFO   | jvm 1    | 2016/04/21 00:34:01 | ERROR 01:34:01,751 | 
> james.smtpserver | Id='8528085' User='' AUTH method LOGIN failed from {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (JAMES-1724) JPAUsersRepository fails with exception when login via SMTP contains \0 symbol

Reply via email to