Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 456464 - xmlrpc api allows users to change password to include disallowed characters
Summary: xmlrpc api allows users to change password to include disallowed characters
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Network
Classification: Retired
Component: RHN/Backend
Version: rhn505
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Sebastian Skracic
QA Contact: Stephen Herr
URL:
Whiteboard: us=38139
Depends On:
Blocks: 457802
TreeView+ depends on / blocked
 
Reported: 2008-07-23 21:03 UTC by Stephen Herr
Modified: 2008-09-25 13:04 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-25 13:04:10 UTC


Attachments (Terms of Use)

Description Stephen Herr 2008-07-23 21:03:49 UTC
Description of problem:
Using the user.setDetails xmlrpc api method users can change their password to
include the characters '<', '>', '\s', and '\"', which according the the user
page should be disallowed. 

Version-Release number of selected component (if applicable):
5.0.6

How reproducible:
Always

Steps to Reproduce:
1. Ask sherr to run the automated java api test for user.setDetails
2.
3.
  
Actual results:
details (including password) successfully update

Expected results:
Error stating password was invalid

Additional info:

Comment 1 Sebastian Skracic 2008-08-26 09:56:43 UTC
Fixed in r118986 - user.setDetails now validates the password against the .xsd file, just like the Web frontend does.

Comment 4 Stephen Herr 2008-08-26 20:23:31 UTC
fails qa, I can still change the password. It will throw an error over the password being too short but not the bad characters.

Comment 5 Stephen Herr 2008-08-28 20:23:58 UTC
verified in dev

Comment 6 Stephen Herr 2008-09-05 20:37:04 UTC
verified in qa


Note You need to log in before you can comment on or make changes to this bug.