Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 456464 - xmlrpc api allows users to change password to include disallowed characters
Summary: xmlrpc api allows users to change password to include disallowed characters
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Network
Classification: Retired
Component: RHN/Backend
Version: rhn505
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Sebastian Skracic
QA Contact: Stephen Herr
URL:
Whiteboard: us=38139
Depends On:
Blocks: 457802
TreeView+ depends on / blocked
 
Reported: 2008-07-23 21:03 UTC by Stephen Herr
Modified: 2008-09-25 13:04 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-25 13:04:10 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Stephen Herr 2008-07-23 21:03:49 UTC 
Description of problem:
Using the user.setDetails xmlrpc api method users can change their password to
include the characters '<', '>', '\s', and '\"', which according the the user
page should be disallowed. 

Version-Release number of selected component (if applicable):
5.0.6

How reproducible:
Always

Steps to Reproduce:
1. Ask sherr to run the automated java api test for user.setDetails
2.
3.
  
Actual results:
details (including password) successfully update

Expected results:
Error stating password was invalid

Additional info:
Comment 1 Sebastian Skracic 2008-08-26 09:56:43 UTC 
Fixed in r118986 - user.setDetails now validates the password against the .xsd file, just like the Web frontend does.
Comment 4 Stephen Herr 2008-08-26 20:23:31 UTC 
fails qa, I can still change the password. It will throw an error over the password being too short but not the bad characters.
Comment 5 Stephen Herr 2008-08-28 20:23:58 UTC 
verified in dev
Comment 6 Stephen Herr 2008-09-05 20:37:04 UTC 
verified in qa
Note You need to log in before you can comment on or make changes to this bug.