Details
-
Bug
-
Resolution: Fixed
-
Medium
-
3.12.3, 3.13
-
3.12
-
Description
if you invoke the ForgotPassword action without a user name, it throws a NullPointer exception
java.lang.NullPointerException at com.atlassian.core.user.UserUtils.resetPassword(UserUtils.java:310) at com.atlassian.jira.web.action.user.ForgotPassword.doPassword(ForgotPassword.java:29) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
The validation code does not detect the null user name and then incorrectly trys to reset its password. It needs to detect a null username and present the error as intended.
The offending method is doPasswordValidation
protected void doPasswordValidation() { if (!UserUtils.existsUser(username)) { addError("username", getText("forgotpassword.error.usernameDoesNotExist")); } }
This would appear to have been in the product for a long time.