456464 – xmlrpc api allows users to change password to include disallowed characters

Bug 456464 - xmlrpc api allows users to change password to include disallowed characters

Summary: xmlrpc api allows users to change password to include disallowed characters

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Network
Classification:	Retired
Component:	RHN/Backend
Sub Component:
Version:	rhn505
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Sebastian Skracic
QA Contact:	Stephen Herr
Docs Contact:
URL:
Whiteboard:	us=38139
Depends On:
Blocks:	457802
TreeView+	depends on / blocked

Reported:	2008-07-23 21:03 UTC by Stephen Herr
Modified:	2008-09-25 13:04 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-09-25 13:04:10 UTC
Embargoed:

Attachments	(Terms of Use)

Description Stephen Herr 2008-07-23 21:03:49 UTC

Description of problem:
Using the user.setDetails xmlrpc api method users can change their password to
include the characters '<', '>', '\s', and '\"', which according the the user
page should be disallowed. 

Version-Release number of selected component (if applicable):
5.0.6

How reproducible:
Always

Steps to Reproduce:
1. Ask sherr to run the automated java api test for user.setDetails
2.
3.
  
Actual results:
details (including password) successfully update

Expected results:
Error stating password was invalid

Additional info:

Comment 1 Sebastian Skracic 2008-08-26 09:56:43 UTC

Fixed in r118986 - user.setDetails now validates the password against the .xsd file, just like the Web frontend does.

Comment 4 Stephen Herr 2008-08-26 20:23:31 UTC

fails qa, I can still change the password. It will throw an error over the password being too short but not the bad characters.

Comment 5 Stephen Herr 2008-08-28 20:23:58 UTC

verified in dev

Comment 6 Stephen Herr 2008-09-05 20:37:04 UTC

verified in qa

Note You need to log in before you can comment on or make changes to this bug.