[Sakai Jira] Created: (KERN-731) Form fields allow text greater than the allowable length to be inputted.


Alan Berg (JIRA)

Apr 4, 2010, 1:31:37 PM
to sakai-...@googlegroups.com
Form fields allow text greater than the allowable length to be inputted.
------------------------------------------------------------------------

Key: KERN-731
URL: http://jira.sakaiproject.org/browse/KERN-731
Project: Nakamura
Issue Type: Bug/Defect
Components: System - other
Affects Versions: 0.4
Reporter: Alan Berg


Login at /dev as admin and then edit your own profile.

There is no max length size limit, so end users can input values greater than the length acceptable on the server side. Wish for both client and server-side verification. Server-side verification is indirect via throwing an Exception.

No error message is shown on the client side.
For example see the country input under Degree in the user profile.


Stack trace is:

04.04.2010 19:19:58.285 *WARN* [580321105@qtp-1493422662-20] org.mortbay.jetty EXCEPTION java.lang.IllegalStateException: Form too large269514>200000
at org.mortbay.jetty.Request.extractParameters(Request.java:1476)
at org.mortbay.jetty.Request.getParameterMap(Request.java:785)
at javax.servlet.ServletRequestWrapper.getParameterMap(ServletRequestWrapper.java:177)
at org.apache.sling.engine.impl.parameters.ParameterSupport.getContainerParameters(ParameterSupport.java:153)
at org.apache.sling.engine.impl.parameters.ParameterSupport.getRequestParameterMapInternal(ParameterSupport.java:119)
at org.apache.sling.engine.impl.parameters.ParameterSupport.getParameter(ParameterSupport.java:85)
at org.apache.sling.engine.impl.SlingMainServlet$1.getParameter(SlingMainServlet.java:809)
at org.sakaiproject.nakamura.formauth.FormAuthenticationHandler$FormAuthentication.<init>(FormAuthenticationHandler.java:95)
at org.sakaiproject.nakamura.formauth.FormAuthenticationHandler.extractCredentials(FormAuthenticationHandler.java:156)
at org.apache.sling.commons.auth.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:67)
at org.apache.sling.commons.auth.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.commons.auth.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:560)
at org.apache.sling.commons.auth.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:374)
at org.apache.sling.engine.impl.SlingMainServlet.handleSecurity(SlingMainServlet.java:832)
at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:62)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:111)
at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:535)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:880)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:747)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:520)

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.sakaiproject.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
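The report asks for both halves of the boundary check, and the stack trace shows where the server-side half has to sit: the first getParameter() call, which triggers Jetty's full form parse and the "Form too large" exception, happened inside the form authentication handler, before any servlet ran. The helper below is an added example, not Nakamura's or Sling's code; the field names "country" and "degree" come from the report, while the per-field limits and the 100000-byte body cap are assumed values.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper (not Nakamura's code) that makes both boundary
 * checks explicit: a Content-Length gate that runs before anything calls
 * getParameter(), and a per-field length check with a user-visible error.
 */
public final class FormBoundaryCheck {

    // Jetty 6 rejected the reported request at 200000 bytes
    // ("Form too large269514>200000"); gate well below that so the
    // container never gets to throw. Assumed value.
    public static final int MAX_BODY_BYTES = 100_000;

    // Assumed per-field limits; the profile schema would define the real ones.
    public static final Map<String, Integer> MAX_FIELD_LENGTH = new LinkedHashMap<>();
    static {
        MAX_FIELD_LENGTH.put("country", 64);
        MAX_FIELD_LENGTH.put("degree", 128);
    }

    private FormBoundaryCheck() {}

    /**
     * Call this BEFORE the first getParameter()/getParameterMap() on a POST.
     * In the reported trace that first call was made by the form
     * authentication handler, so that is where the gate belongs.
     * Unknown length (-1, e.g. chunked) is treated as oversized; relax
     * that only if chunked form posts are expected.
     */
    public static boolean bodyWithinLimit(HttpServletRequest request) {
        int declared = request.getContentLength();
        return declared >= 0 && declared <= MAX_BODY_BYTES;
    }

    /**
     * Call this in the servlet once the gate has passed. Returns a message
     * suitable for a 400 response naming the offending field, or null when
     * every known field is within its limit.
     */
    public static String firstOversizedField(HttpServletRequest request) {
        for (Map.Entry<String, Integer> e : MAX_FIELD_LENGTH.entrySet()) {
            String value = request.getParameter(e.getKey());
            if (value != null && value.length() > e.getValue()) {
                return "Field '" + e.getKey() + "' exceeds "
                    + e.getValue() + " characters";
            }
        }
        return null;
    }
}
```

Callers map a false from bodyWithinLimit to an HTTP 413 and a non-null message to an HTTP 400 shown to the user; the client-side half the reporter asks for is a maxlength attribute on the same form fields carrying the same limits.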


Ian Boston (JIRA)

Apr 20, 2010, 3:27:48 AM
to sakai-...@googlegroups.com

[ http://jira.sakaiproject.org/browse/KERN-731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Boston updated KERN-731:
----------------------------

Fix Version/s: 0.5

> Form fields allow text greater than the allowable length to be inputted.
> ------------------------------------------------------------------------
>
> Key: KERN-731
> URL: http://jira.sakaiproject.org/browse/KERN-731
> Project: Nakamura
> Issue Type: Bug/Defect
> Components: System - other
> Affects Versions: 0.4
> Reporter: Alan Berg
> Fix For: 0.5

Ian Boston (JIRA)

Apr 22, 2010, 3:10:42 AM
to sakai-...@googlegroups.com

[ http://jira.sakaiproject.org/browse/KERN-731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=97765#action_97765 ]

Ian Boston commented on KERN-731:
---------------------------------

Correction, this should probably be looked at in the back end, not really XSS.


Alan Berg (JIRA)

Apr 22, 2010, 3:12:43 AM
to sakai-...@googlegroups.com

[ http://jira.sakaiproject.org/browse/KERN-731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=97766#action_97766 ]

Alan Berg commented on KERN-731:
--------------------------------

Agree this is not XSS related, but boundary checking.


Ian Boston (JIRA)

Apr 22, 2010, 3:20:42 AM
to sakai-...@googlegroups.com

[ http://jira.sakaiproject.org/browse/KERN-731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=97773#action_97773 ]

Ian Boston commented on KERN-731:
---------------------------------

Looking at it again, the server is responding correctly, throwing an exception as soon as it realizes the form is too big.
I think this really is a UI issue (HTML that created the form is wrong).

wdyt?


Ian Boston (JIRA)

Apr 22, 2010, 9:58:42 PM
to sakai-...@googlegroups.com

[ http://jira.sakaiproject.org/browse/KERN-731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Boston resolved KERN-731.
-----------------------------

Resolution: Duplicate

Cloned in UI jira, closing here as duplicate.
