Blocking characters at Password field

Author: lalitpct@gmail.com (lalitpct)

I need to allow only the characters (a-z, A-Z, 0-9, #, @, *, !, %, _, #) in the password field. I know I can get it done by scanning for each one individually, e.g.

    scan id.dummy, ";"
    if ($result > 0)
      message/error "Field has invalid characters."
      return(-1)
    endif

This is because the security team raised a concern that it is a vulnerability and anyone can run Unix commands using your Uniface password field.

5 Comments

  1. This should do the trick (if executed e.g. in the Leave Field).

        variables
          numeric vLen, i
        endvariables
        vLen = $length(FLD1)
        for i = 1 to vLen
          if (FLD1[i:1] != '(@)(%#)(%@)(%*)(!)(%%)(%#)')
            message/error "Field has invalid characters."
            return(-1)
          endif
        endfor

    Hope this helps. Kind regards, Daniel


    Author: diseli (daniel.iseli@uniface.com)
  2. On top of Daniel's sample code, here is some background on:
    - Syntax Strings for Pattern Matching
    - Password Fields
    - No Display Character
    - ...and a forum thread on this topic


    Author: Arjen van Vliet (arjen.van.vliet@uniface.com)
  3. Also, if you actually encode the password at client level (example below) there is no security vulnerability, as the password is not passed as typed and therefore cannot be subject to 'injection' methods of hacking. Example (in the Value Changed trigger):

        <$fieldname> = $encode("HEX", $encode("MD5", <$fieldname>))

    That would encode "; rm -r *" as "BB83EAC4870042AB5755D3BF0F040C42", which obviously cannot be used to hack the Unix command line. Question being, how do they think it can be used as a hack tool? When is it exposed to the operating system? Are you talking about the userver password? Or the database password? Or a password you have built into your app?


    Author: Iain Sharp (i.sharp@pcisystems.co.uk)
  4. Iain Sharp said:

        Also, if you actually encode the password at client level (example below) there is no security vulnerability, as the password is not passed as typed and therefore cannot be subject to 'injection' methods of hacking. Example (in the Value Changed trigger):

            <$fieldname> = $encode("HEX", $encode("MD5", <$fieldname>))

        That would encode "; rm -r *" as "BB83EAC4870042AB5755D3BF0F040C42", which obviously cannot be used to hack the Unix command line. Question being, how do they think it can be used as a hack tool? When is it exposed to the operating system? Are you talking about the userver password? Or the database password? Or a password you have built into your app?

    It's a DB password: username/password from usysidx. Before connecting to Sybase we need to check whether the password is expired or will be expiring, by using the Sybase client isql. The only way I could think of was by executing the command "isql -U <username> -P <password>" in Unix via the urouter connection. I validated a lot of values in username, as there we have a limitation on allowed characters, but in password we didn't block any character. With encode I need to decode at some point and then execute; in that scenario how will this ensure OS commands don't get executed?


    Author: lalitpct (lalitpct@gmail.com)
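The concern in the post above is that a password typed into the field ends up inside a Unix command line. As an added example (not code from the thread or from Uniface; `isql` is only named in the argument vector and never executed), the following Python shows the two defensive pieces a reviewer would ask for: the allowlist the question describes, enforced before the value is used, and passing the password as its own argv element so that shell metacharacters arrive as data rather than syntax. The names `password_is_valid`, `build_isql_argv` and `argv_roundtrip` are assumptions made here.

```python
import re
import subprocess
import sys
from typing import List

# Allowlist from the question: letters, digits and # @ * ! % _
# (constructed here as a regex; Daniel's ProcScript expresses a similar
# set as a Uniface syntax string).
ALLOWED = re.compile(r"^[A-Za-z0-9#@*!%_]+$")


def password_is_valid(pw: str) -> bool:
    """Return True only if every character of pw is in the allowlist."""
    return ALLOWED.fullmatch(pw) is not None


def build_isql_argv(user: str, pw: str) -> List[str]:
    """Build the argument vector for the isql check described in the thread.

    The password is a separate argv element, never part of a shell string,
    so ';', '*' and friends cannot become shell syntax.  The allowlist check
    stays in front of it as defence in depth (hypothetical helper).
    """
    if not password_is_valid(pw):
        raise ValueError("Field has invalid characters.")
    return ["isql", "-U", user, "-P", pw]


def argv_roundtrip(arg: str) -> str:
    """Demonstrate that an argv element reaches the child unchanged.

    Python itself stands in for isql so the example runs without a database
    client.  No shell is involved (a list is passed, not shell=True), so the
    child sees the exact string in sys.argv[1].
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for candidate in ("S3cret_#1", "; rm -r *"):
        print(repr(candidate), "valid:", password_is_valid(candidate))
    # Even the rejected value is harmless as a plain argv element:
    print("child received:", repr(argv_roundtrip("; rm -r *")))
```

The roundtrip shows why the urouter call should build an argument vector (or equivalent) instead of a single command string; the allowlist then guards the field regardless of how the value is passed on.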
  5. diseli said:

        This should do the trick (if executed e.g. in the Leave Field).

            variables
              numeric vLen, i
            endvariables
            vLen = $length(FLD1)
            for i = 1 to vLen
              if (FLD1[i:1] != '(@)(%#)(%@)(%*)(!)(%%)(%#)')
                message/error "Field has invalid characters."
                return(-1)
              endif
            endfor

        Hope this helps. Kind regards, Daniel

    Thanks, I will try this; it looks like a better way to validate.


    Author: lalitpct (lalitpct@gmail.com)