Bug 454558 - [Security] A malicious user can find usernames by vectors on loadUserByUsername
Summary: [Security] A malicious user can find usernames by vectors on loadUserByUsername
Status: RESOLVED WONTFIX
Alias: None
Product: Hudson
Classification: Technology
Component: Core
Version: 3.2.1
Hardware: PC Windows 7
Importance: P3 major
Target Milestone: ---
Assignee: Winston Prakash
QA Contact: Geoff Waymark
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
Reported: 2014-12-09 06:57 EST by Geoff Waymark
Modified: 2019-05-14 14:19 EDT
CC List: 4 users

See Also:

Description Geoff Waymark 2014-12-09 06:57:45 EST
    @Override
    public Details loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        User u = User.get(username, false);
        Details p = u != null ? u.getProperty(Details.class) : null;
        if (p == null) {
            // Unknown user (or user without a stored password): distinct exception type and message
            throw new UsernameNotFoundException("Password is not set: " + username);
        }
        if (p.getUser() == null) {
            throw new AssertionError();
        }
        return p;
    }

    @Override
    protected Details authenticate(String username, String password) throws AuthenticationException {
        Details u = loadUserByUsername(username); // UsernameNotFoundException propagates to the caller unchanged
        if (!PASSWORD_ENCODER.isPasswordValid(u.getPassword(), password, null)) {
            // Known user, wrong password: a different exception type and message
            throw new BadCredentialsException("Failed to login as " + username);
        }
        return u;
    }

The second method shows that the username exists. We should just return invalid login or incorrect credentials instead.
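As an added example, not code from the Hudson project or from this report, the following shows the change the report asks for: a single exception type and message for both "unknown user" and "wrong password", with the password comparison performed in both cases so the two failures do not differ in cost either. The `AuthenticationException`, `UsernameNotFoundException`, `BadCredentialsException` and `Details` classes here are minimal stand-ins for the Acegi/Hudson types, and a hex SHA-256 stands in for `PASSWORD_ENCODER`; the `alice` account is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Stand-ins for the Acegi exception hierarchy Hudson used (assumed shapes, not the real classes).
class AuthenticationException extends RuntimeException {
    AuthenticationException(String msg) { super(msg); }
}
class UsernameNotFoundException extends AuthenticationException {
    UsernameNotFoundException(String msg) { super(msg); }
}
class BadCredentialsException extends AuthenticationException {
    BadCredentialsException(String msg) { super(msg); }
}

/** Stand-in for Hudson's Details: a username with its stored password hash. */
class Details {
    private final String username;
    private final String passwordHash;
    Details(String username, String passwordHash) { this.username = username; this.passwordHash = passwordHash; }
    String getUsername() { return username; }
    String getPassword() { return passwordHash; }
}

public class UniformLoginErrors {
    /** Constructed in-memory user store (replaces User.get / getProperty). */
    static final Map<String, Details> USERS = new HashMap<>();
    /** A hash that no password produces; compared against when the user does not exist. */
    static final String DUMMY_HASH = sha256("dummy-hash-never-matches-" + System.nanoTime());

    /** Toy password encoder: hex SHA-256. Stands in for PASSWORD_ENCODER only. */
    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Same contract as the reported method: unknown users raise UsernameNotFoundException. */
    static Details loadUserByUsername(String username) {
        Details d = USERS.get(username);
        if (d == null) throw new UsernameNotFoundException("Password is not set: " + username);
        return d;
    }

    /** The shape from the report: the two failure modes are distinguishable by type and message. */
    static Details authenticateLeaky(String username, String password) {
        Details u = loadUserByUsername(username); // UsernameNotFoundException escapes here
        if (!constantTimeEquals(u.getPassword(), sha256(password))) {
            throw new BadCredentialsException("Failed to login as " + username);
        }
        return u;
    }

    /** Hardened: one exception and one message, and the hash comparison runs whether or not the user exists. */
    static Details authenticate(String username, String password) {
        Details u = null;
        String storedHash = DUMMY_HASH;
        try {
            u = loadUserByUsername(username);
            storedHash = u.getPassword();
        } catch (UsernameNotFoundException ignored) {
            // Do not let the lookup result change the observable outcome; log it server-side if needed.
        }
        boolean ok = constantTimeEquals(storedHash, sha256(password));
        if (u == null || !ok) throw new BadCredentialsException("Invalid username or password");
        return u;
    }

    /** Length-independent comparison of two hex digests (MessageDigest.isEqual is constant-time for equal lengths). */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /** Renders what a client would be able to tell apart: exception type plus message. */
    static String failureOf(Runnable attempt) {
        try {
            attempt.run();
            return "success";
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        USERS.put("alice", new Details("alice", sha256("correct horse"))); // constructed sample account
        String[][] attempts = { {"alice", "wrong-password"}, {"mallory", "wrong-password"} };
        for (String[] attempt : attempts) {
            System.out.println("leaky    " + attempt[0] + " -> " + failureOf(() -> authenticateLeaky(attempt[0], attempt[1])));
            System.out.println("hardened " + attempt[0] + " -> " + failureOf(() -> authenticate(attempt[0], attempt[1])));
        }
    }
}
```

Run with `javac UniformLoginErrors.java && java UniformLoginErrors`: the leaky variant reports `UsernameNotFoundException: Password is not set: mallory` for the unknown account but `BadCredentialsException: Failed to login as alice` for the known one, while the hardened variant reports `BadCredentialsException: Invalid username or password` in both cases. The detail of which branch failed belongs in server-side logs, not in the response.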
Comment 1 Wayne Beaton 2019-05-14 14:19:45 EDT
The Eclipse Hudson project has been terminated and archived.