View Issue Details

ID: 0001480
Project: bareos-core
Category: documentation
View Status: public
Last Update: 2022-09-13 18:11
Reporter: crameleon
Assigned To: frank
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Bareos 21.1.3
OS: SUSE Linux Enterprise Server
OS Version: 15 SP4
Summary: 0001480: password string length limitation
Description:
Hi,

if I try to log into the web console with the following configuration snippet active:

Console {
  Name = "mygreatusername"
  Password = "SX~E5eMw21shy%z!!B!cZ0PiQ)ex+FOn$Q-A&iv~B3,x|dSGqxsP&4}Zm6iF;[6c6#>LcAvFArcL%d|J}Ae*NB.g8S?$}gJ4mqUH:6aS+Jh6Vtv^Qhno7$>FW24|t2gq"
  Profile = "mygreatwebuiprofile"
  TLS Enable = No
}

The web UI prints the following message:

"Please provide a director, username and password."

If I change the password line to something more simple:

Console {
  Name = "suse-superuser"
  Password = "12345"
  Profile = "webui-superadmin"
  TLS Enable = No
}

Login works as expected.

Since the system does not seem to print any error messages about invalid passwords in its configuration, it would be nice if the allowed characters and lengths (and possibly a sample `pwgen -r <forbidden characters> <length> 1` command) were documented.

Best,
Georg
Steps To Reproduce:
1. Configure a web UI user with a complex password such as SX~E5eMw21shy%z!!B!cZ0PiQ)ex+FOn$Q-A&iv~B3,x|dSGqxsP&4}Zm6iF;[6c6#>LcAvFArcL%d|J}Ae*NB.g8S?$}gJ4mqUH:6aS+Jh6Vtv^Qhno7$>FW24|t2gq
2. Copy paste username and password into the browser
3. Try to log in
Tags: No tags attached.

Activities

bruno-at-bareos

2022-08-31 11:16

developer   ~0004737

Thanks for your report. The title is a bit misleading, as the problem seems to be present only with the webui.
A strong password like the one described works perfectly with dir<->bconsole, for example.

We are now checking where the problem really occurs.
bruno-at-bareos

2022-08-31 11:17

developer   ~0004738

Long or complicated passwords are truncated during the POST operation with the login form.
Those passwords work well with bconsole, for example.
crameleon

2022-08-31 11:28

reporter   ~0004739

Apologies, I did not consider it to be specific to the webui. Thanks for looking into this! Maybe the POST truncation could be adjusted in my Apache web server?
bruno-at-bareos

2022-08-31 11:38

developer   ~0004740

Actual research has proved that the length is important and the password for the webui console should be less than 64 chars.
Maybe you can also confirm this on your installation, so that when our devs check this it will be more precise about the symptoms.
crameleon

2022-09-02 19:00

reporter   ~0004741

Can confirm, with 64 characters it works fine!
crameleon

2022-09-02 19:02

reporter   ~0004742

And I can also confirm, with one more character, so 65 in total, it returns the "Please provide a director, username and password." message.
frank

2022-09-08 15:23

manager   ~0004744

Last edited: 2022-09-08 16:33

The form data input filter for password input is set to validate for a PW length between 1 and 64. We can simply remove the max value from the filter so that it does not cause problems like this, or set it to a value corresponding to what is allowed in configuration files.
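
An added example (not Bareos code and not from any participant in this thread): a check an administrator could run over director configuration text to list Console resources whose password is longer than the 64-character form limit described in the note above, since those accounts fail web UI login before the fix. It assumes one quoted or bare `Password` directive per line and counts characters; the function names and the sample configuration are constructed for illustration.

```python
import re

WEBUI_MAX_LEN = 64  # pre-fix web UI form filter maximum, per the note above
# Name/Password directive: quoted value (backslash escapes) or a bare token.
_DIRECTIVE = re.compile(
    r'^\s*(Name|Password)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.I | re.M)

def console_blocks(text):
    """Yield each Console { ... } body; braces inside quotes do not count."""
    for m in re.finditer(r'^\s*Console\s*\{', text, re.I | re.M):
        start = i = m.end()
        depth, in_quote = 1, False
        while i < len(text) and depth:
            c = text[i]
            if in_quote:
                if c == '\\':
                    i += 1              # skip the escaped character
                elif c == '"':
                    in_quote = False
            elif c == '"':
                in_quote = True
            elif c in '{}':
                depth += 1 if c == '{' else -1
            i += 1
        yield text[start:i - 1]

def overlong_console_passwords(text, limit=WEBUI_MAX_LEN):
    """Return [(console name, password length)]; the password is never echoed."""
    findings = []
    for body in console_blocks(text):
        fields = {}
        for key, quoted, bare in _DIRECTIVE.findall(body):
            fields[key.lower()] = re.sub(r'\\(.)', r'\1', quoted) or bare
        length = len(fields.get('password', ''))
        if length > limit:
            findings.append((fields.get('name', '<unnamed>'), length))
    return findings

# Constructed sample: 64- and 65-character passwords containing braces and '#'.
SAMPLE = '''Console {
  Name = "short-admin"
  Password = "%s"
}
Console {
  Name = "long-admin"
  Password = "%s"
}
''' % ('a}#' + 'x' * 61, 'b}{' + 'y' * 62)
```
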
frank

2022-09-13 18:11

manager   ~0004747

Fix committed to bareos master branch with changesetid 16581.

Related Changesets

bareos: master d779c733

2022-09-08 15:09:16

frank

Ported: N/A

webui: fix password string length limitation

This PR removes the max string length value from the form data input
filter validator for the password input field to allow passwords
longer than 64 characters.

Fixes 0001480: password string length limitation
Affected Issues
0001480
mod - webui/module/Auth/src/Auth/Model/Auth.php

Issue History

Date Modified Username Field Change
2022-08-30 12:33 crameleon New Issue
2022-08-31 11:16 bruno-at-bareos Note Added: 0004737
2022-08-31 11:17 bruno-at-bareos Assigned To => bruno-at-bareos
2022-08-31 11:17 bruno-at-bareos Status new => acknowledged
2022-08-31 11:17 bruno-at-bareos Note Added: 0004738
2022-08-31 11:28 crameleon Note Added: 0004739
2022-08-31 11:38 bruno-at-bareos Note Added: 0004740
2022-08-31 11:38 bruno-at-bareos Assigned To bruno-at-bareos => frank
2022-09-02 19:00 crameleon Note Added: 0004741
2022-09-02 19:02 crameleon Note Added: 0004742
2022-09-08 15:13 frank Status acknowledged => confirmed
2022-09-08 15:13 frank Summary Document allowed password characters => password string length limitation
2022-09-08 15:23 frank Note Added: 0004744
2022-09-08 16:33 frank Note Edited: 0004744
2022-09-13 18:11 frank Changeset attached => bareos master d779c733
2022-09-13 18:11 frank Note Added: 0004747
2022-09-13 18:11 frank Status confirmed => resolved
2022-09-13 18:11 frank Resolution open => fixed