TRUNK-3933: added list of fake security question to confuse the cracker #273

harshadura · 2013-04-12T03:31:18Z

Forgotten Password Form Leaks Valid Usernames

https://tickets.openmrs.org/browse/TRUNK-3933

wluyima · 2013-06-12T04:50:42Z

web/src/main/java/org/openmrs/web/controller/ForgotPasswordFormController.java

@@ -125,8 +128,16 @@ protected ModelAndView onSubmit(HttpServletRequest request, HttpServletResponse
 					Context.removeProxyPrivilege(PrivilegeConstants.VIEW_USERS);
 				}

-				if (user == null || user.getSecretQuestion() == null || user.getSecretQuestion().equals("")) {
+				if (username.equals("") || username.equals(null)) {


Use StringUtils.isBlank so that you catch whitespaces

dkayiwa · 2014-01-23T17:44:57Z

Closing because author abandoned it.

…e login card (openmrs#273) Co-authored-by: grace potma <67400059+gracepotma@users.noreply.github.com>

TRUNK-3933: added list of fake security question to confuse the cracker

1ec9ff5

wluyima reviewed Jun 12, 2013
View reviewed changes

dkayiwa closed this Jan 23, 2014

RandilaP pushed a commit to RandilaP/openmrs-core that referenced this pull request Jul 31, 2023

Removed height declaration so that error messages are displayed on th…

50b89bc

…e login card (openmrs#273) Co-authored-by: grace potma <67400059+gracepotma@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TRUNK-3933: added list of fake security question to confuse the cracker #273

TRUNK-3933: added list of fake security question to confuse the cracker #273

harshadura commented Apr 12, 2013

wluyima Jun 12, 2013

dkayiwa commented Jan 23, 2014

TRUNK-3933: added list of fake security question to confuse the cracker #273

TRUNK-3933: added list of fake security question to confuse the cracker #273

Conversation

harshadura commented Apr 12, 2013

wluyima Jun 12, 2013

Choose a reason for hiding this comment

dkayiwa commented Jan 23, 2014