This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 233784 - Conflicting acceptable password rules between SSO Create Account form and RHN Register
Conflicting acceptable password rules between SSO Create Account form and RHN...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Backend (Show other bugs)
rhn500
All Linux
medium Severity medium
: ---
: ---
Assigned To: Grant Gainey
Stephen Herr
US=21906
:
Depends On:
Blocks: 431812 443075
  Show dependency treegraph
 
Reported: 2007-03-24 20:01 EDT by Máirín Duffy
Modified: 2013-01-10 05:18 EST (History)
2 users (show)

See Also:
Fixed In Version: 5.0.6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-26 16:23:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Máirín Duffy 2007-03-24 20:01:18 EDT
Note: keeping bug public so customer can follow.

+++ This bug was initially created as a clone of Bug #233461 +++

Description of problem:

URL: https://www.redhat.com/wapps/ugc/register.html

- password rejection message does not state the allowed/disallowed characters
nor the character max length limit. password rules seem strange as some non
numeric non letter characters are accepted but others are not. recommend that we
are more lenient in allowing these types of characters in passwords as it
increases potential security.

From customer:

"If I enterred a password that was too short I got a nice little message
telling me it had to be at least 6 characters long. If I entered one that long
or longer that was rejected as invalid I was given no clue as to why or what
characters were allowed or not. I'm guessing '<' was not a valid character but
it would have been easier to figure out if there were a little popup or
something that just explained the rules for passwords. I still find it weird
that '<' seems bad but ':' seems good.

Update from customer:

"I created an account which has a
password that includes the '[' character. This works fine on
RHN but when trying to register a guest VM during firstboot now
I discover that the character '[' is not accepted in the password
field preventing registration."

Things to look at:

- acceptable password rules for SSO account creation
- acceptable password rules for SSO account login
- acceptable password rules for RHN Register account creation
- acceptable password rules for RHN Register account login
Comment 2 Máirín Duffy 2007-03-24 21:03:09 EDT
update: only seems to be an issue with RHEL 5 system registrations. RHEL 4
registration client seems to accept the '[' character.
Comment 3 Alex Wood 2007-03-28 15:52:31 EDT
Just FYI, the reason the angle brackets are prohibited is to prevent cross-site
scripting attacks.
Comment 4 John T. Rose 2007-03-28 16:28:22 EDT
I'm not lobbying for including angle brackets or anything else in particular. I
would like to know what the "official" password rules are governing RHN and
other related Red Hat logins. If they are public I haven't run across them yet.

They appear to be inconsistently enforced in various places from my experience.
Perhaps I should stick to the alphabet for now. It is scary to have a password
change allowed by RHN and then not be able to login with it.
Comment 5 Mark Sechrest 2007-04-05 16:35:40 EDT
It isn't too surprising that the old clients aren't enforcing new rules.
However, relaxing the rules would mean we'll never be able to move forward.
Setting this to  NEEDINFO to get the business to tell us whether they want to
continue with the new rules, or revert to the old practice.
Comment 6 Mark Sechrest 2007-05-18 13:40:40 EDT
Moving everything to ON_DEV to get revisited for the "true up" release.
Comment 8 daryl herzmann 2008-01-18 15:12:12 EST
We ran into an example of this today.

A old RHN user has an account with a password of 5 character length.

- He can log into the rhn hosted website just fine
- rhn_register on RHEL5 will fail tho and not allow login.

He updated his password to 6 characters and rhn_register now works.

Perhaps the rhn hosted website should detect < 6 char logins and "force" the
user to change their password when they log in?
Comment 15 Grant Gainey 2008-05-05 17:17:43 EDT
UserService and the wapps UI have rules, but only the UI enforces them :( .  We
must therefore enforce the rules in our UI as well, in order to keep bad data
out of UserService, until such time as UserService does its own policing.

The rules are that the password cannot contain the characters (space) < > " ,
and must be between 6 and 38 characters long

TEST PLAN:
=========

On both the user-details and the create-new-user pages in RHN: 

.../rhn/account/UserDetails.do
.../rhn/users/CreateUser.do?account_type=into_org

you should now see a note next to the "Desired Password" field describing the rules.

The characters (space), <, >, and " should be rejected in the desired/confirm
password fields, in order to match the rules in user-service.  Please test the
following combinations in those fields:

1) empty field
EXPECTED:
Error messages for desired/confirm, with "must be at least 6 characters"

2) less than 6 chars per field
EXPECTED:
Error messages for desired/confirm, with "must be at least 6 characters"

3) desired != confirm
EXPECTED:
Error message, desired must equal confirm

4) password starts with one of (space) < > "
5) repeat 4, ends with
6) repeat 4, contains
7) repeat 4, consists solely of
8) repeat 4-7, except with multiple instances of the forbidden characters

EXPECTED:
In all cases, error message for desired/confirm "are invalid"

9) password is > 38 characters 
EXPECTED:
The form will stop accepting input at 38 characters
Comment 16 Grant Gainey 2008-05-05 17:27:55 EDT
Sending       
rhn-common/src/main/java/com/redhat/rhn/common/validator/SchemaParser.java
Sending       
rhn-common/src/main/java/com/redhat/rhn/frontend/struts/RhnValidationHelper.java
Sending       
rhn-common/src/main/resources/com/redhat/rhn/frontend/action/user/validation/userCreateForm.xsd
Sending       
rhn-common/src/main/resources/com/redhat/rhn/frontend/action/user/validation/userDetailsForm.xsd
Sending       
rhn-common/src/main/resources/com/redhat/rhn/frontend/strings/jsp/StringResource_en_US.xml
Adding        
rhn-web/src/main/java/com/redhat/rhn/frontend/action/user/UserForm.java
Sending       
rhn-web/src/main/webapp/WEB-INF/pages/common/fragments/user/edit_user_table_rows.jspf
Sending        rhn-web/src/main/webapp/WEB-INF/pages/user/create/usercreate.jsp
Sending        rhn-web/src/main/webapp/WEB-INF/struts-config.xml
Transmitting file data .........
Committed revision 118734.
Comment 17 Grant Gainey 2008-06-13 11:04:55 EDT
I can't be Q Contact, I'm the one that did the code!
Comment 18 Stephen Herr 2008-06-13 11:52:23 EDT
Massively Fails QA, tests 4-8 all fail. The pages in question will let you enter
whatever special characters you wish, you just can't log in with your new
password. Clearly we didn't get the update from dev. 
Comment 19 Stephen Herr 2008-06-13 13:20:05 EDT
Verified

ggainey had to remove tomcat's working directory to get it to reload the new
.xsd files. Extra step has been added to content doc.

Note You need to log in before you can comment on or make changes to this bug.