Bug 309571 - UserDetails.do allows user to set a password less than 6 characters.
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Web Site
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Mike Orazi
Grant Gainey
Blocks: 253920
Reported: 2007-09-27 14:21 EDT by Alex Wood
Modified: 2010-10-22 15:02 EDT
Fixed In Version: 5.0.4
Doc Type: Bug Fix
Last Closed: 2007-12-10 09:37:34 EST
Description Alex Wood 2007-09-27 14:21:27 EDT
The password validation on redhat.com requires users to enter a password greater
than or equal to 6 characters.  However, on RHN at
https://rhn.redhat.com/rhn/account/UserDetails.do users can create passwords
less than 6 characters.  The validation on the aforementioned page should have
the same requirements as the ones in place throughout the rest of redhat.com.
Comment 2 Mike Orazi 2007-10-16 11:52:53 EDT
Validation is now set to a minimum of 6 characters for passwords. rev:  117994

Test plan:

1.  Try to update an existing user through RHN with a 5 char or shorter password
and get an error message.

2.  As an org admin, try to create a sub-user with 5 char or shorter password.

Comment 3 Grant Gainey 2007-10-22 08:11:19 EDT
Comment 4 Grant Gainey 2007-10-31 12:09:21 EDT
Oops, not passed.

- Run the following SQL against a given login:

select * from web.web_contact where login = '<login-here>'

You'll see the current password

- Now, go to https://rhn.webqa.redhat.com/rhn/account/UserDetails.do
- Change the password to 'foo'
- Submit
See the error messages

    * Desired Password cannot be less than 6 characters.
    * Confirm Password cannot be less than 6 characters.

- Now, re-run

select * from web.web_contact where login = '<login-here>'

- No change

- web.web_contact.password has been changed to 'foo'

Sigh heavily.
Comment 5 Mike Orazi 2007-11-07 09:04:15 EST
Password change validation was occurring as 2 separate steps, so simply adding
the validation was allowing matching passwords to be committed to the DB before
the length validation was complete.  The logic has been updated to act atomically.
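
The ordering defect described in Comment 5, next to a validate-then-write version, as an added example that is not RHN's code. The table layout, function names, the mismatch message and the PBKDF2 storage are assumptions; an in-memory SQLite table stands in for web.web_contact.

```python
import hashlib, hmac, os, sqlite3

MIN_LEN = 6  # minimum length stated in the bug report
TOO_SHORT = "Desired Password cannot be less than 6 characters."  # quoted in Comment 4
MISMATCH = "Passwords do not match."  # constructed message, not from the page

def _digest(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)

def store(db, login, pw):
    salt = os.urandom(16)
    db.execute("UPDATE web_contact SET salt = ?, pw_hash = ? WHERE login = ?",
               (salt, _digest(pw, salt), login))
    db.commit()

def check(db, login, pw):
    salt, pw_hash = db.execute(
        "SELECT salt, pw_hash FROM web_contact WHERE login = ?", (login,)).fetchone()
    return hmac.compare_digest(pw_hash, _digest(pw, salt))

def make_db():
    # Constructed stand-in table; the real web.web_contact schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE web_contact (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO web_contact VALUES ('alice', x'', x'')")
    store(db, "alice", "original-pass")
    return db

def update_two_step(db, login, pw, confirm):
    """Flow described in Comment 5: the match step writes before the length step runs."""
    errors = []
    if pw == confirm:
        store(db, login, pw)          # step 1 commits as soon as the fields match
    else:
        errors.append(MISMATCH)
    if len(pw) < MIN_LEN:
        errors.append(TOO_SHORT)      # step 2 reports the error after the write
    return errors

def update_atomic(db, login, pw, confirm):
    """Run every check first; write only when the error list is empty."""
    errors = []
    if pw != confirm:
        errors.append(MISMATCH)
    if len(pw) < MIN_LEN:
        errors.append(TOO_SHORT)
    if not errors:
        store(db, login, pw)
    return errors
```

A regression test for this class of bug has to assert on the stored credential after a rejected request, not only on the error messages returned to the form.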
Comment 6 Grant Gainey 2007-11-07 09:10:51 EST
