Bug
Resolution: Duplicate
Major
None
Jenkins ver. 2.138.1
Use of % character in user password caused error in creating the user
[JENKINS-53733] % Character in Password Created Error in User Creation
I tried to create a user after initial installation of Jenkins but got errors and the user was not created. I repeated without % character in the password and the user was successfully created.
1. install jenkins (Windows)
2. enter the admin key
3. create admin user, but use a % sign in the password as the second last character, example "password%5"
Just hit this. As a software tester, I find it a bit troubling that web-based apps are not validated for obvious vectors like the use of the % character in input values. Like the issue description says, when creating a first-time admin account I hit this error. It's recoverable, so not a blocker, but it's very unexpected and not confidence-building if it's the 1st thing you ever do in the platform.
java.lang.IllegalArgumentException: Not valid encoding '%5"'
at org.eclipse.jetty.util.UrlEncoded.decodeHexByte(UrlEncoded.java:889)
at org.eclipse.jetty.util.UrlEncoded.decodeUtf8To(UrlEncoded.java:522)
at org.eclipse.jetty.util.UrlEncoded.decodeTo(UrlEncoded.java:577)
at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:551)
at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:475)
at org.eclipse.jetty.server.Request.getParameters(Request.java:386)
Caused: org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
at org.eclipse.jetty.server.Request.getParameters(Request.java:390)
at org.eclipse.jetty.server.Request.getParameterNames(Request.java:1049)
at javax.servlet.ServletRequestWrapper.getParameterNames(ServletRequestWrapper.java:212)
at org.kohsuke.stapler.RequestImpl.getParameterNames(RequestImpl.java:190)
at org.kohsuke.stapler.RequestImpl.bindParameters(RequestImpl.java:387)
at org.kohsuke.stapler.RequestImpl.bindParameters(RequestImpl.java:383)
at hudson.security.HudsonPrivateSecurityRealm$SignupInfo.<init>(HudsonPrivateSecurityRealm.java:573)
at hudson.security.HudsonPrivateSecurityRealm.validateAccountCreationForm(HudsonPrivateSecurityRealm.java:400)
at hudson.security.HudsonPrivateSecurityRealm.createAccountFromSetupWizard(HudsonPrivateSecurityRealm.java:320)
at jenkins.install.SetupWizard.doCreateAdminUser(SetupWizard.java:259)
at java.lang.invoke.MethodHandle.invokeWithArguments(Unknown Source)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:537)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
Caused: javax.servlet.ServletException
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:789)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)
Reproduced with Jenkins 2.164.2 on Windows with the following password: g6%xTIS9N8*3
Edit: I would argue that this is a minor issue since it is easy to circumvent by using a password that does not contain a % character.
Stack trace:
java.lang.IllegalArgumentException: Not valid encoding '%xT'
at org.eclipse.jetty.util.UrlEncoded.decodeHexByte(UrlEncoded.java:889)
at org.eclipse.jetty.util.UrlEncoded.decodeUtf8To(UrlEncoded.java:522)
at org.eclipse.jetty.util.UrlEncoded.decodeTo(UrlEncoded.java:577)
at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:551)
at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:475)
at org.eclipse.jetty.server.Request.getParameters(Request.java:386)
Caused: org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
at org.eclipse.jetty.server.Request.getParameters(Request.java:390)
at org.eclipse.jetty.server.Request.getParameterNames(Request.java:1049)
at javax.servlet.ServletRequestWrapper.getParameterNames(ServletRequestWrapper.java:212)
at org.kohsuke.stapler.RequestImpl.getParameterNames(RequestImpl.java:190)
at org.kohsuke.stapler.RequestImpl.bindParameters(RequestImpl.java:387)
at org.kohsuke.stapler.RequestImpl.bindParameters(RequestImpl.java:383)
at hudson.security.HudsonPrivateSecurityRealm$SignupInfo.<init>(HudsonPrivateSecurityRealm.java:596)
at hudson.security.HudsonPrivateSecurityRealm.validateAccountCreationForm(HudsonPrivateSecurityRealm.java:405)
at hudson.security.HudsonPrivateSecurityRealm.createAccountFromSetupWizard(HudsonPrivateSecurityRealm.java:325)
at jenkins.install.SetupWizard.doCreateAdminUser(SetupWizard.java:259)
at java.lang.invoke.MethodHandle.invokeWithArguments(Unknown Source)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:537)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
Caused: javax.servlet.ServletException
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:789)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)
at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:221)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at hudson.security.HudsonPrivateSecurityRealm$3.doFilter(HudsonPrivateSecurityRealm.java:932)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.install.SetupWizard$1.doFilter(SetupWizard.java:633)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:99)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:503)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
Please provide more information about what you attempted to do, what you expected to happen, and what exactly happened instead.
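Added example, not part of the original issue and not Jenkins or Jetty code: a strict form-body decoder that fails the way the stack traces above do, next to a raw and a percent-encoded body builder. That the password reached the server without percent-encoding is an assumption drawn from the `Not valid encoding` messages; the field names and function names are constructed. It goes one step beyond the reports by showing the case where the `%` happens to be followed by two hex digits.

```javascript
// Strict application/x-www-form-urlencoded decoding: a '%' must be followed by
// exactly two hex digits, otherwise the whole request body is rejected.
function strictFormDecode(value) {
  const bad = value.match(/%(?![0-9A-Fa-f]{2})[\s\S]{0,2}/);
  if (bad) throw new Error(`Not valid encoding '${bad[0]}'`);
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Split a form body into name/value pairs and decode each side strictly.
function parseForm(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    params[strictFormDecode(name)] = strictFormDecode(value);
  }
  return params;
}

// Broken client: values are concatenated into the body as typed.
function buildBodyRaw(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('&');
}

// Correct client: URLSearchParams percent-encodes names and values ('%' -> '%25').
function buildBodyEncoded(fields) {
  return new URLSearchParams(fields).toString();
}

// Parse without throwing, so callers can compare outcomes.
function tryParse(body) {
  try {
    return { ok: true, params: parseForm(body) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed form fields; the password is the one quoted in the second report.
const fields = { username: 'admin', password1: 'g6%xTIS9N8*3' };
console.log(tryParse(buildBodyRaw(fields)));      // rejected, like the 400 in the trace
console.log(tryParse(buildBodyEncoded(fields)));  // password round-trips unchanged
// Raw '%' followed by two hex digits: no error, but the stored value differs.
console.log(tryParse(buildBodyRaw({ password1: 'pass%41word' })));
```

The third call is the case worth testing for: an unencoded `%41` decodes without error, so the account is created with a different password than the one typed.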