This is an automated email from the ASF dual-hosted git repository.
nmalin pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 2f5b8d3 Fixed: UserLoginHistory failed the store operation with large
password (OFBIZ-12287)
2f5b8d3 is described below
commit 2f5b8d33e32c4d9a48243cf9e503236acd5aec5c
Author: Nicolas Malin <[email protected]>
AuthorDate: Wed Jul 28 14:42:09 2021 +0200
Fixed: UserLoginHistory failed the store operation with large password
(OFBIZ-12287)
Backport 2aa68dc4de8892e8a7cbb38c10a3a3dd65d233e5 from trunk
When a user with a long password (greater than 256 characters) exists in OFBiz
and tries to log in with it, OFBiz returns a long error message containing
sensitive information, because the value exceeds the size of the field
UserLoginHistory.passwordUsed.
To solve this we no longer return any information about the GenericValue that
failed, and we analyze the passwordUsed field to handle the case where the password
given at login is larger than the database field capacity.
Thanks to Daniel Elkabes <[email protected]> and Hagai
Wechsler <[email protected]> from white source software to
raise the problem.
---
.../apache/ofbiz/common/login/LoginServices.java | 34 ++++++++++++++++++++--
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git
a/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
b/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
index 7e47402..3ccfa02 100644
---
a/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
+++
b/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
@@ -47,6 +47,7 @@ import org.apache.ofbiz.entity.condition.EntityCondition;
import org.apache.ofbiz.entity.condition.EntityFunction;
import org.apache.ofbiz.entity.condition.EntityOperator;
import org.apache.ofbiz.entity.model.ModelEntity;
+import org.apache.ofbiz.entity.model.ModelField;
import org.apache.ofbiz.entity.transaction.GenericTransactionException;
import org.apache.ofbiz.entity.transaction.TransactionUtil;
import org.apache.ofbiz.entity.util.EntityListIterator;
@@ -334,8 +335,12 @@ public class LoginServices {
}
// ONLY save the password if it was
incorrect
- if ("N".equals(successfulLogin) &&
!"false".equals(EntityUtilProperties.getPropertyValue("security",
"store.login.history.incorrect.password", delegator))) {
- ulhCreateMap.put("passwordUsed",
password);
+ // we will check in the hash size
isn't too huge for the store other wise store a fix string
+ if ("N".equals(successfulLogin) &&
!"false".equals(EntityUtilProperties.getPropertyValue("security",
+
"store.login.history.incorrect.password", delegator))) {
+ ulhCreateMap.put("passwordUsed",
isGivenPasswordCanBeStored(delegator, password)
+ ? " TOO LONG FOR STORAGE "
+ : password);
}
delegator.create("UserLoginHistory",
ulhCreateMap);
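Review bot: The ternary `isGivenPasswordCanBeStored(delegator, password) ? " TOO LONG FOR STORAGE " : password` reads as if the placeholder is stored when the password *can* be stored; it only does the right thing because the helper actually returns true when the value is too long, which nobody reading this hunk can see. I'd name the result locally, `boolean tooLongForStorage = isGivenPasswordCanBeStored(delegator, password);` followed by `ulhCreateMap.put("passwordUsed", tooLongForStorage ? TOO_LONG_PLACEHOLDER : password);`, and hoist the literal (whose surrounding spaces look deliberate but are undocumented) to a `private static final String`. The new comment speaks of the "hash size", but what is put in the map is `password` as given (the helper only checks whether the delegator will encrypt it on store), so I'd reword it to `// store a fixed marker instead of the value when it would overflow the passwordUsed column`. The enclosing method begins and ends outside this hunk.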
@@ -346,7 +351,6 @@ public class LoginServices {
if (doStore) {
geeErrMsg += " and updating login status
to reset hasLoggedOut, unsuccessful login count, etc.";
}
- geeErrMsg += ": " + e.toString();
try {
TransactionUtil.rollback(beganTransaction,
geeErrMsg, e);
} catch (GenericTransactionException e2) {
@@ -435,6 +439,30 @@ public class LoginServices {
return result;
}
+ /**
+ * To escape an exception when the password store due to limitation size
for passwordUsed field, we analyse if it's possible.
+ * @param delegator
+ * @param password
+ * @return
+ * @throws GenericEntityException
+ */
+ private static boolean isGivenPasswordCanBeStored(Delegator delegator,
String password)
+ throws GenericEntityException {
+ ModelEntity modelEntityUserLoginHistory =
delegator.getModelEntity("UserLoginHistory");
+ ModelField passwordUsedField =
modelEntityUserLoginHistory.getField("passwordUsed");
+ int maxPasswordSize = delegator.getEntityFieldType(
+ modelEntityUserLoginHistory,
+ passwordUsedField.getType()).stringLength();
+ int passwordUsedCurrentSize = password.length();
+
+ // if the field is encrypted, we check the size of the hashed result
+ ModelField.EncryptMethod encryptMethod =
passwordUsedField.getEncryptMethod();
+ if (encryptMethod.isEncrypted()) {
+ passwordUsedCurrentSize =
delegator.encryptFieldValue("UserLoginHistory", encryptMethod,
password).toString().length();
+ }
+ return passwordUsedCurrentSize > maxPasswordSize;
+ }
+
public static void createUserLoginPasswordHistory(GenericValue userLogin)
throws GenericEntityException{
int passwordChangeHistoryLimit = 0;
Delegator delegator = userLogin.getDelegator();
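Review bot: `isGivenPasswordCanBeStored` returns the opposite of its name: `return passwordUsedCurrentSize > maxPasswordSize;` is true when the value does not fit, and the caller's ternary relies on that inversion. Either rename it, e.g. `private static boolean isGivenPasswordTooLongToStore(Delegator delegator, String password)`, or return `passwordUsedCurrentSize <= maxPasswordSize` and swap the caller's ternary arms, and fill the empty `@param`/`@return` Javadoc tags so the meaning of `true` is stated. `String.length()` counts UTF-16 code units, while it is not visible here whether `stringLength()` is a character or a byte limit; if it is bytes, a multi-byte password shorter than the limit in characters can still overflow the column, so I'd add `// assumes stringLength() is a character limit -- TODO confirm` above the comparison. `password.length()` throws NullPointerException on a null password; if the caller can reach this with a null password, guard with `if (password == null) return false;`.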