Bug 454558

Summary: [Security] A malicious user can find usernames by vectors on loadUserByUsername
Product: [Technology] Hudson
Reporter: Geoff Waymark <mygwaymark>
Component: Core
Assignee: Winston Prakash <winston.prakash>
Status: RESOLVED WONTFIX
QA Contact: Geoff Waymark <mygwaymark>
Severity: major
Priority: P3
CC: bobfoster, lamujuri, mygwaymark, rovarghe
Version: 3.2.1
Keywords: security
Target Milestone: ---
Hardware: PC
OS: Windows 7
Whiteboard:

Description Geoff Waymark CLA 2014-12-09 06:57:45 EST
    @Override
    public Details loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        User u = User.get(username, false);
        Details p = u != null ? u.getProperty(Details.class) : null;
        if (p == null) {
            // Thrown when the username does not exist (or has no password set)
            throw new UsernameNotFoundException("Password is not set: " + username);
        }
        if (p.getUser() == null) {
            throw new AssertionError();
        }
        return p;
    }

    @Override
    protected Details authenticate(String username, String password) throws AuthenticationException {
        // Propagates UsernameNotFoundException for unknown users, so the caller
        // sees a different failure than for a known user with a wrong password
        Details u = loadUserByUsername(username);
        if (!PASSWORD_ENCODER.isPasswordValid(u.getPassword(), password, null)) {
            // Thrown only when the username exists but the password is wrong
            throw new BadCredentialsException("Failed to login as " + username);
        }
        return u;
    }

The second method shows that the username exists. We should just return invalid login or incorrect credentials instead.
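The shape of the fix the report asks for, as an added, self-contained example that is not Hudson's code and not from the reporter: the authenticate step returns one generic BadCredentialsException message whether the username is unknown or the password is wrong, and it runs the password check against a dummy hash for unknown users so that the two cases also take about the same time. The Details class, the BadCredentialsException class, the salted SHA-256 hash format and the user store are constructed stand-ins for the Hudson/Acegi types in the snippet above; a production system would use a real password hash (bcrypt, scrypt, Argon2) behind the same structure.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example (not Hudson's code): an authenticate() that gives the same
// error, and does the same amount of work, whether or not the username exists.
public class UniformLoginExample {

    // Stand-in for the Acegi/Spring exception thrown in the page's snippet.
    static class BadCredentialsException extends RuntimeException {
        BadCredentialsException(String msg) { super(msg); }
    }

    // Stand-in for Hudson's Details object: a username and its stored hash.
    static class Details {
        final String username;
        final String passwordHash; // constructed toy format: "salt$hexsha256"
        Details(String username, String passwordHash) {
            this.username = username;
            this.passwordHash = passwordHash;
        }
    }

    // One message for every failure: the caller cannot tell which check failed.
    static final String GENERIC_MESSAGE = "Invalid username or password";

    // Constructed in-memory user store; a real system reads its user database.
    private final Map<String, Details> users = new HashMap<>();

    // Hash that belongs to no account. A lookup for an unknown username still
    // verifies a password against it, so the unknown-user path costs roughly
    // the same as the known-user path instead of returning early.
    private final String dummyHash = hash("not-a-real-password", "dummysalt");

    void addUser(String username, String password) {
        users.put(username, new Details(username, hash(password, "salt-" + username)));
    }

    // Toy salted SHA-256; stands in for PASSWORD_ENCODER in the page's snippet.
    static String hash(String password, String salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] d = md.digest((salt + password).getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(salt).append('$');
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean isPasswordValid(String storedHash, String candidate) {
        String salt = storedHash.substring(0, storedHash.indexOf('$'));
        byte[] expected = storedHash.getBytes(StandardCharsets.UTF_8);
        byte[] actual = hash(candidate, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time compare
    }

    Details authenticate(String username, String password) {
        Details u = users.get(username);
        // Always perform the password check, even when the user is missing.
        String stored = (u != null) ? u.passwordHash : dummyHash;
        boolean ok = isPasswordValid(stored, password);
        if (u == null || !ok) {
            throw new BadCredentialsException(GENERIC_MESSAGE);
        }
        return u;
    }

    public static void main(String[] args) {
        UniformLoginExample auth = new UniformLoginExample();
        auth.addUser("alice", "correct horse"); // constructed account
        String[][] attempts = {
            {"alice", "correct horse"},   // valid login
            {"alice", "wrong password"},  // known user, bad password
            {"mallory", "anything"}       // unknown user
        };
        for (String[] a : attempts) {
            try {
                Details d = auth.authenticate(a[0], a[1]);
                System.out.println(a[0] + ": logged in as " + d.username);
            } catch (BadCredentialsException e) {
                // Both failure cases print exactly the same text.
                System.out.println(a[0] + ": " + e.getMessage());
            }
        }
    }
}
```

The two failing attempts produce identical messages, and any logging of the failure should likewise record the attempted username only on the server side, not echo it in the response.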
Comment 1 Wayne Beaton CLA 2019-05-14 14:19:45 EDT
The Eclipse Hudson project has been terminated and archived.