- Bug
- Resolution: Fixed
- Major
- 5.3.14, 5.4.6, 5.4.7
- Yes
- Yes
- Saigon 54
- 5
We allow the ' character in JCR user nodes.
So we need to properly escape the user name, as it is used in queries to fetch the user in:
info.magnolia.cms.security.RepositoryBackedSecurityManager.findPrincipalNodeByQuery(String, Session, String, Node)
Especially for public users (and when having Scottish users) the ' character is used a lot and needed.
Here with a test user named "test'test".
ERROR info.magnolia.cms.security.MgnlUserManager 15.06.2016 16:39:42 – Could not retrieve user with name: simon_o'connell@westpac.co.nz
javax.jcr.query.InvalidQueryException: Query: select * from [mgnl:user] where name() = 'test'test' and isdescendantnode(['/public(*)'])
    at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:978)
    at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:959)
    at org.apache.jackrabbit.commons.query.sql2.Parser.checkRunOver(Parser.java:773)
    at
Or the bold part will be interpreted as a query:
...name() = 'test'test' and isdescendantnode...
I added a patch with an escape method used for the user name.
Maybe one sees more cases to escape.
Group names can't have ' characters, so I'm not escaping the groupname.
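The failure and the fix described in this report, as an added example (not the patch attached to the issue and not Magnolia code): the user name is concatenated into a JCR-SQL2 string literal, and doubling the ' keeps it inside that literal. The class and method names are hypothetical, the scanner is a simplified stand-in for Jackrabbit's parser, and the "(*)" in the logged query is assumed to be the parser's error-position marker, so the path is written as '/public'.

```java
import java.util.ArrayList;
import java.util.List;

public class Sql2UserQueryExample {
    // Hypothetical helper: a JCR-SQL2 string literal escapes ' by doubling it.
    static String escapeSql2Literal(String value) {
        return value.replace("'", "''");
    }

    // Query shape follows the log message in the report ("(*)" marker left out, see lead-in).
    static String buildQuery(String userName, boolean escape) {
        String literal = escape ? escapeSql2Literal(userName) : userName;
        return "select * from [mgnl:user] where name() = '" + literal
                + "' and isdescendantnode(['/public'])";
    }

    // Simplified scanner (assumption, not Jackrabbit's parser): returns the decoded
    // content of every quoted literal and throws if one is left unterminated.
    static List<String> stringLiterals(String query) {
        List<String> out = new ArrayList<>();
        int i = 0;
        while ((i = query.indexOf('\'', i)) >= 0) {
            StringBuilder sb = new StringBuilder();
            i++; // step past the opening quote
            while (true) {
                if (i >= query.length()) throw new IllegalArgumentException("unterminated string literal");
                char c = query.charAt(i++);
                if (c != '\'') { sb.append(c); continue; }
                if (i < query.length() && query.charAt(i) == '\'') { sb.append('\''); i++; continue; }
                break; // a single ' closes the literal
            }
            out.add(sb.toString());
        }
        return out;
    }

    public static void main(String[] args) {
        String user = "test'test"; // test user name from the report
        for (boolean escape : new boolean[] {false, true}) {
            String q = buildQuery(user, escape);
            System.out.println(q);
            try {
                System.out.println("  literals: " + stringLiterals(q));
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

Where the query is built in code that can be changed, JCR 2.0 bind variables (`javax.jcr.query.Query.bindValue`) avoid concatenating the user name into the statement at all.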