Bug 1060745

Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Upstream bug component is WebUI

Upstream bug component is Security

Upstream bug component is Provisioning

Upstream bug component is Security

Upstream bug assigned to tbrisker

Upstream bug assigned to tbrisker

Normal backlog item, WIP. QA please ACK.

Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in product in the forseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.

Fix for this has been merged upstream, reopening and moving to post.

VERIFIED on SAT6.4#11

Reproducer for Hammer:
bz1602367

Reproducer for WebUI:
1. Setup variables
> export SAT=mysatellite.example.com
> export USER=admin
> export PW=xxx

2.  Check correct login
> TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null  | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$'); curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep "fa-user avatar"

...  Admin User ...

3. Test bad password
> export PW=badpassword

> for i in {1..30}; do TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null  | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$'); curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep -A 1 "pficon-error-circle-o" | tail -n 1; done

            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Too many tries, please try again in a few minutes.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927