incubator-jspwiki-dev mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: www.jspwiki.org responding with NPE's
Date Thu, 19 Mar 2009 13:12:21 GMT
Just checked the code. There are a bunch of things going on here:
- XMLUserDatabase contains a bug that causes the UID not to be saved.
I don't know how or why this happened, but it's just not saving. There
is no place where the XML node's uid attribute is actually set.
- Unit tests don't do a find-by-uid test, so we didn't detect this
error condition.
- Our InputValidator does not screen out characters #, [, or ]

So, my conclusion is that the gmail addresses have nothing to do with
the NPEs. And the inclusion of slightly weird characters in the user
ID or name has nothing to do with the issue either.

Proposed fixes, which I will commit tonight:
- Fix XMLUserDatabase to set the UID properly (I will check the JDBC code also)
- Better test coverage to detect UIDs are actually set
- Add the #, [ and ] characters to the list of sketchy characters
detected by InputValidator

In the meantime, the auto-registration flood of Gmail users is just
that -- a flood of automatically registered users from Gmail. There's
no obvious fix for this, other than turning on registration workflows.

Andrew

On Thu, Mar 19, 2009 at 4:01 AM, Janne Jalkanen <janne.jalkanen@iki.fi> wrote:
> Yeah, I have no idea what is going on.  I tried to muck about in the
> server to do some checks, but at the moment I think we may have to
> assume that some spammer has found a way to break JSPWiki.
>
> I am in no position to do anything except read emails for the next
> some time, so could someone please check the case where illegal
> characters (#[]) end up in username?
>
> /Janne
>
> On Thu, Mar 19, 2009 at 07:02:51AM +0100, Harry Metske wrote:
>> Thanks, but now I have a couple of different errors, first the Main page is
>> empty, but looking at the version history this shows no recent changes, and
>> also the View Page Source shows the content.
>> Then, trying to login, I get :
>>
>> An unknown exception java.lang.NullPointerException was caught by Error.jsp.
>> *Exception* java.lang.NullPointerException
>> *Place where detected* java.lang.String.compareTo(), line 1168
>>
>> So it's almost fixed I guess :-)
>>
>> regards,
>> Harry
>>
>> 2009/3/18 Janne Jalkanen <janne.jalkanen@ecyrd.com>
>>
>> >
>> > Yes, I just kicked the server.
>> >
>> > It would appear that there is a spambot registering a lot of userids which
>> > broke our xmluserdatabase.  In which situation we would have a user account
>> > with no user id?  I've got a ton of these now in the database:
>> >
>> >    <user uid="" loginName="Kayarveattews" wikiName="Kayarveattews"
>> > fullName="Kayarveattews" email="serabarclay0214@gma
>> > il.com" password="{SSHA}NMJhGEkqxH+gAfskH1IgRqfJP5nqdxNhV0SUYA=="
>> > created="2009.03.17 at 08:40:44:598 EET" lastModified
>> > ="2009.03.17 at 08:40:44:598 EET" lockExpiry="" >    </user>
>> >
>> > The user ids were generated properly until this user:
>> >
>> >    <user uid="" loginName="#dennick[IRIFIFZFZIII]"
>> > wikiName="#dennick[IRIFIFZFZIII]" fullName="#dennick[IRIFIFZFZIII]" email="
>> > gladyskerr0863@gmail.com"
>> > password="{SSHA}csdOtEsTz4l2l0gtBjDESF5bJkFgSlx+hTMA8Q=="
>> > created="2009.03.01 at 18:54:22:468 EET" lastModified="2009.03.01 at
>> > 18:54:22:468 EET" lockExpiry="" >
>> >    </user>
>> >
>> > I think it's got something to do with the # and [] characters.  Andrew?
>> >
>> > /Janne
>> >
>> >
>> > On 18 Mar 2009, at 19:56, Harry Metske wrote:
>> >
>> >  I don't know how long this is going on, but on every URL within
>> >> http://www.jspwiki.org I get the following exception:
>> >>
>> >> java.lang.NullPointerException
>> >>
>> >>  org.apache.xerces.dom.DeepNodeListImpl.nextMatchingElementAfter(Unknown
>> >> Source)
>> >>        org.apache.xerces.dom.DeepNodeListImpl.item(Unknown Source)
>> >>        org.apache.xerces.dom.DeepNodeListImpl.getLength(Unknown Source)
>> >>
>> >>  com.ecyrd.jspwiki.auth.user.XMLUserDatabase.findByAttribute(XMLUserDatabase.java:617)
>> >>
>> >>  com.ecyrd.jspwiki.auth.user.XMLUserDatabase.findByFullName(XMLUserDatabase.java:163)
>> >>
>> >>  com.ecyrd.jspwiki.auth.user.AbstractUserDatabase.find(AbstractUserDatabase.java:81)
>> >>
>> >>  com.ecyrd.jspwiki.WikiSession.injectUserProfilePrincipals(WikiSession.java:672)
>> >>        com.ecyrd.jspwiki.WikiSession.actionPerformed(WikiSession.java:548)
>> >>
>> >>  com.ecyrd.jspwiki.event.WikiEventManager$WikiEventDelegate.fireEvent(WikiEventManager.java:566)
>> >>
>> >>  com.ecyrd.jspwiki.event.WikiEventManager.fireEvent(WikiEventManager.java:347)
>> >>
>> >>  com.ecyrd.jspwiki.auth.AuthenticationManager.fireEvent(AuthenticationManager.java:677)
>> >>
>> >>  com.ecyrd.jspwiki.auth.AuthenticationManager.login(AuthenticationManager.java:301)
>> >>
>> >>  com.ecyrd.jspwiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:156)
>> >>        com.ecyrd.jspwiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:111)
>> >>
>> >> Can someone poke around a bit ?
>> >>
>> >> thanks,
>> >> Harry
>> >>
>> >
>> >
>
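
An added example, not part of the original thread or of JSPWiki's code: a small audit script for the two conditions discussed above, user records whose uid is empty and names containing #, [ or ]. The attribute names come from the records quoted in the thread; the `<users>` root element, the function name and the sample records are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Characters the thread proposes adding to the InputValidator screen list.
SUSPECT_CHARS = set("#[]")
# Name attributes as they appear in the <user> records quoted in the thread.
NAME_ATTRS = ("loginName", "wikiName", "fullName")

# Constructed sample data. The <users> root element is an assumption.
SAMPLE_DB = """<users>
  <user uid="1001" loginName="alice" wikiName="Alice"
        fullName="Alice Example" email="alice@example.org" lockExpiry="" />
  <user uid="" loginName="bob" wikiName="Bob"
        fullName="Bob Example" email="bob@example.org" lockExpiry="" />
  <user loginName="#carol[X]" wikiName="#carol[X]"
        fullName="Carol" email="carol@example.org" lockExpiry="" />
</users>"""


def audit_users(xml_text):
    """Return [(loginName, [problems])] for records that need repair.

    Intended for a locally generated user database file, not for
    XML received from an untrusted source.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        problems = []
        # A missing attribute and an empty one are both treated as "no uid".
        if not (user.get("uid") or "").strip():
            problems.append("missing uid")
        for attr in NAME_ATTRS:
            bad = sorted(SUSPECT_CHARS & set(user.get(attr, "")))
            if bad:
                problems.append("%s contains %s" % (attr, "".join(bad)))
        if problems:
            findings.append((user.get("loginName", ""), problems))
    return findings


if __name__ == "__main__":
    for login, problems in audit_users(SAMPLE_DB):
        print(login, "->", "; ".join(problems))
```
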
