Bug 456464 - xmlrpc api allows users to change password to include disallowed characters
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Backend
All Linux
low Severity low
Assigned To: Sebastian Skracic
Stephen Herr
Blocks: 457802
Reported: 2008-07-23 17:03 EDT by Stephen Herr
Modified: 2008-09-25 09:04 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-25 09:04:10 EDT
Description Stephen Herr 2008-07-23 17:03:49 EDT
Description of problem:
Using the user.setDetails xmlrpc api method, users can change their password to
include the characters '<', '>', '\s', and '\"', which according to the user
page should be disallowed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Ask sherr to run the automated java api test for user.setDetails

Actual results:
details (including password) successfully update

Expected results:
Error stating password was invalid

Additional info:
Comment 1 Sebastian Skracic 2008-08-26 05:56:43 EDT
Fixed in r118986 - user.setDetails now validates the password against the .xsd file, just like the Web frontend does.
Comment 4 Stephen Herr 2008-08-26 16:23:31 EDT
fails qa, I can still change the password. It will throw an error over the password being too short but not the bad characters.
Comment 5 Stephen Herr 2008-08-28 16:23:58 EDT
verified in dev
Comment 6 Stephen Herr 2008-09-05 16:37:04 EDT
verified in qa
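
The fix described in Comment 1 and the failure in Comment 4, sketched as an added example (not RHN code): one validator is shared by the web form path and the XML-RPC path, and it checks disallowed characters as well as length. The handler names, length limits and fault code are assumptions; only the disallowed characters ('<', '>', '"' and whitespace, the report's '\s') come from this bug.

```python
import re
from xmlrpc.client import Fault

# Assumed limits and fault code; the report names only the disallowed characters.
MIN_LEN, MAX_LEN = 5, 32
INVALID_PASSWORD_FAULT = 1
DISALLOWED = re.compile(r'[<>"\s]')  # '<', '>', '"' and any whitespace


def password_errors(password):
    """Return every policy violation; an empty list means acceptable."""
    errors = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errors.append("length")
    if DISALLOWED.search(password):
        errors.append("disallowed character")
    return errors


def web_change_password(accounts, login, password):
    """Hypothetical web-form handler: reports errors back to the page."""
    errors = password_errors(password)
    if not errors:
        accounts.setdefault(login, {})["password_changed"] = True
    return errors


def api_set_details(accounts, login, details):
    """Hypothetical XML-RPC handler in the role of user.setDetails."""
    details = dict(details)
    password = details.pop("password", None)
    if password is not None:
        errors = password_errors(password)
        if errors:
            # Reject the whole call so no partial update is stored.
            raise Fault(INVALID_PASSWORD_FAULT, "invalid password: " + ", ".join(errors))
        details["password_changed"] = True
    accounts.setdefault(login, {}).update(details)
    return 1


def paths_agree(password):
    """True when the web path and the API path reach the same verdict."""
    web_ok = not web_change_password({}, "u", password)
    try:
        api_ok = api_set_details({}, "u", {"password": password}) == 1
    except Fault:
        api_ok = False
    return web_ok == api_ok
```

A regression test for this bug should cover a password that is long enough but contains a disallowed character, since a length-only check passes the too-short case and still misses that one.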
