Allow ' characters in Usernames: the username in MgnlUserManager.getUser(String) needs to be properly escaped

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.14, 5.4.6, 5.4.7
    • Fix Version/s: 5.3.16, 5.4.8, 5.5
    • Component/s: security
    • Labels:
    • Patch included: Yes
    • Release notes required: Yes
    • Sprint: Saigon 54
    • Story Points: 5
    • Magnolia Release: 5.3.16, 5.4.8, 5.5

      Description

      We allow the ' character in JCR user nodes.
      So we need to properly escape the user name, as it is used in queries to fetch the user in:
      info.magnolia.cms.security.RepositoryBackedSecurityManager.findPrincipalNodeByQuery(String, Session, String, Node)

      Especially for public users (and when having Scottish users) the ' character is used a lot and needed.

      Here with a test user named "test'test".

      ERROR info.magnolia.cms.security.MgnlUserManager 15.06.2016 16:39:42 – Could not retrieve user with name: simon_o'connell@westpac.co.nz
      javax.jcr.query.InvalidQueryException: Query:
      select * from [mgnl:user] where name() = 'test'test' and isdescendantnode(['/public(*)'])
      at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:978)
      at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:959)
      at org.apache.jackrabbit.commons.query.sql2.Parser.checkRunOver(Parser.java:773)
      at
      

      Or the bold part will be interpreted as query:
      ...name() = 'test'test' and isdescendantnode...

      I added a patch with an escape method used for the user name.
      Maybe one sees more cases to escape.

      Group names can't have ' characters, so I'm not escaping the groupname.
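The failure described in this issue, shown as an added example (not the attached patch and not Magnolia's own code): a JCR-SQL2 string literal escapes an embedded ' by doubling it, so the user name must be escaped before it is concatenated into the query. The class name, method names and the realm path `/public` are assumptions for the example.

```java
import java.util.Objects;

/**
 * Hypothetical helper illustrating MAGNOLIA-6696: building the JCR-SQL2
 * user lookup with and without escaping of the user name.
 */
public final class UserQueryExample {

    /**
     * Unsafe variant: the name is concatenated into the string literal
     * unchanged, so a ' inside it terminates the literal early and the
     * remainder is parsed as query syntax (the InvalidQueryException
     * from the issue).
     */
    static String buildUnescaped(String userName, String realmPath) {
        return "select * from [mgnl:user] where name() = '" + userName
             + "' and isdescendantnode(['" + realmPath + "'])";
    }

    /**
     * JCR-SQL2 represents a single quote inside a string literal as two
     * single quotes; that is the only character needing escaping there.
     * (JCR 2.0 bind variables, $name with Query.bindValue(), avoid the
     * escaping entirely and are the other option.)
     */
    static String escapeSql2Literal(String value) {
        return Objects.requireNonNull(value, "value").replace("'", "''");
    }

    /** Safe variant: every value placed in a literal goes through the escaper. */
    static String buildEscaped(String userName, String realmPath) {
        return "select * from [mgnl:user] where name() = '" + escapeSql2Literal(userName)
             + "' and isdescendantnode(['" + escapeSql2Literal(realmPath) + "'])";
    }

    public static void main(String[] args) {
        String user = "test'test";   // the reporter's test user
        String realm = "/public";    // constructed realm path, an assumption

        System.out.println(buildUnescaped(user, realm)); // broken literal
        String safe = buildEscaped(user, realm);
        System.out.println(safe);                        // single well-formed literal

        // Check that the name is one literal with the quote doubled inside it.
        if (!safe.contains("name() = 'test''test' and")) {
            throw new AssertionError("escaping failed: " + safe);
        }
    }
}
```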

              People

              Assignee: oanh.thai Oanh Thai Hoang
              Reporter: cringele Christian Ringele
              Votes: 0
              Watchers: 4

                  Time Tracking

                  Estimated: 3d
                  Remaining: 0d
                  Logged: 2.25d