Bugs: During setup: password field truncated at 50 chars, multiple "bin/openfire" bugs, bug reporting process cumbersome

Murphy · September 3, 2007, 12:31pm

In the Openfire 3.3.2 binary tarball:

In the “Openfire Setup” web UI at “/setup/setup-datasource-standard.jsp” password field is needlessly (I assume) truncated at 50 characters. Users who wish to use a strong database password are prevented from doing so.
If the user that runs the startup script bin/openfire has openfire’s installation directory (e.g., “/opt/openfire”) as his home directory, the file “$db_file” (declared on line 12) conflicts with a pre-existing directory (.install4j). The startup script complains “/opt/openfire/.install4j is a directory.” Openfire’s installation directory is a reasonable choice for the home directory of a dedicated user (n.b., I haven’t gotten beyond the installation yet. I’m assuming it’s possible to run openfire as an unprivileged user.)
On line 12 of bin/openfire “$db_file” is set to “$HOME/.install4j”, yet the value “$HOME/.install4j” is referred to directly in three different places later in the script (meaning that a user that choses to change the assignment of “$db_file” will get unexpected behavior.)
It would be nice if it weren’t so much trouble to submit bugs. For example, would it be possible to allow anonymous users to post to a bug forum using CAPTCHAs? As far as I can determine, if a user wishes to report a bug, he’s must create an account first (…I could be wrong. I couldn’t find such a thing.)

Here’s a patch that addresses number’s 2 and 3 from above:

— openfire 2007-06-22 15:29:06.000000000 -0400

+++ openfire.new 2007-09-03 08:19:55.608542236 -0400

@@ -9,7 +9,7 @@

if [ -n “$INSTALL4J_NO_DB” ]; then

return 1

fi

db_file=$HOME/.install4j

db_file=$HOME/.install4j.db_file

if [ ! -f “$db_file” ]; then

return 1

fi

@@ -160,7 +160,7 @@

read file_jvm_home < “$app_home/.install4j/pref_jre.cfg”

test_jvm “$file_jvm_home”

if [ -z “$app_java_home” ] && [ $tested_jvm = “false” ]; then

```
   rm $HOME/.install4j
```

```
   rm $db_home
```

test_jvm “$file_jvm_home”

fi

@@ -201,7 +201,7 @@

read file_jvm_home < “$app_home/.install4j/inst_jre.cfg”

test_jvm “$file_jvm_home”

if [ -z “$app_java_home” ] && [ $tested_jvm = “false” ]; then

```
   rm $HOME/.install4j
```

```
   rm $db_file
```

test_jvm “$file_jvm_home”

fi

@@ -211,7 +211,7 @@

echo No suitable Java Virtual Machine could be found on your system.

echo The version of the JVM must be at least 1.5.

echo Please define INSTALL4J_JAVA_HOME to point to a suitable JVM.

echo You can also try to delete the JVM cache file $HOME/.install4j

echo You can also try to delete the JVM cache file $db_file

exit 83

fi

LG1 · September 3, 2007, 9:14pm

Hi,

the bug tracking system is a closed one, so even if you create a JIRA account you can not report bugs, one should do this in this forum here.

I guess that no one had the idea of using a longer password, I see little benefit in using a lot of characters. One should probably configure the database server to make sure that only the Openfire server and the DBA can connect and that after n failed logins the account will be locked. So there’s little need in a very long password.

I did create JM-1108 for the script issue while you may want to edit you post and use … around your patch - see http://www.igniterealtime.org/community/markuphelpfull.jspa - so one can read it.

LG