EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Critical fault in OAuth2 implementation with respect to leap year date

#36043
Posted: 02/29/2016 04:59:13
by Krzysztof Koralewski (Standard support level)
Joined: 10/15/2014
Posts: 8

Hello,
I'm using the pre-compiled version; can you publish a fixed bpl, please? It will be faster to repair my application and distribute it to my customers.

Regards
k&k
#36049
Posted: 02/29/2016 06:20:51
by Santiago Castaño Matilla (Standard support level)
Joined: 05/06/2014
Posts: 1

Thanks for this thread; I was also affected by this bug and am now distributing the fix...
#36059
Posted: 02/29/2016 08:50:10
by Alexander Ionov (EldoS Corp.)

VCL edition packages have been updated. Please download your distribution of version 14.0.289 from the standard download location.

We are really sorry about the problems this issue might have caused you.

Please follow our updates on the issue here.


--
Best regards,
Alexander Ionov
#36064
Posted: 02/29/2016 12:37:39
by Stephan Mercier (Standard support level)
Joined: 11/27/2011
Posts: 14

We have the same situation here. Thousands of customers affected by such a junior mistake.
#36065
Posted: 02/29/2016 12:48:16
by Ken Ivanov (EldoS Corp.)

Hi Stephan,

We are really sorry about the issue. Indeed this is not something you would expect to come across in a serious product, and we are currently investigating how that could slip through our QA routine.

Please check our guidance here to find out how to fix the issue.

Ken
#36067
Posted: 02/29/2016 13:03:54
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Eldos,

I'm in a better mood (it's the 1st of March where I live), but that said, a quick code scan of the SBB source this morning reveals that there are indeed other areas in the source code where you are using this same technique of incrementing the year and reassembling the TDateTime with the EncodeDate() and EncodeDateTime() methods, which, as we've seen, is very risky.

I suggest that you assign a developer to hunt and fix all of these areas urgently.

Please ask Eugene Mayevski to respond to post #36037.
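The failure mode Erich describes above (taking a TDateTime apart, incrementing the year, and rebuilding it with EncodeDate), modelled in Python as an added example; this is not code from the thread or from SecureBlackbox. Python's date(Y, M, D) stands in for EncodeDate(Y, M, D): both refuse to construct a date that does not exist, so "one year later" computed this way throws on every 29 February. The "token issued on the day of the thread" input is constructed.

```python
from datetime import date, timedelta


def naive_add_year(d: date) -> date:
    """The pattern the thread warns about: split the date into Y/M/D, bump Y,
    and rebuild (EncodeDate(Y + 1, M, D) in Delphi terms). On 29 February the
    rebuilt date does not exist in the following year, so date() raises
    ValueError, the same way EncodeDate raises an exception."""
    return date(d.year + 1, d.month, d.day)


def safe_add_year(d: date) -> date:
    """Same intent without the trap: if the day does not exist in the target
    year (only 29 Feb can hit this), clamp it to 28 Feb. Whether clamping or
    rolling over to 1 March is right depends on the protocol; the point is
    that the caller decides instead of getting an exception one day in four years."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def days_breaking_naive(year: int) -> list:
    """Scan every calendar day of `year` and return those on which
    naive_add_year raises. This is the check a unit test should have run
    before shipping date arithmetic that rebuilds dates from components."""
    broken = []
    d = date(year, 1, 1)
    while d.year == year:
        try:
            naive_add_year(d)
        except ValueError:
            broken.append(d)
        d += timedelta(days=1)
    return broken


if __name__ == "__main__":
    # Constructed example: something issued on the day this thread was posted.
    issued = date(2016, 2, 29)
    print("safe one year later:", safe_add_year(issued))
    for y in (2015, 2016, 2017, 2020):
        print(y, "days that break the naive version:", days_breaking_naive(y))
```

Running the scan over a leap year and a non-leap year shows why this slips through testing: the naive version is correct on 365 of 366 days, and any test suite that does not pin the clock to 29 February never exercises the failing path.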
#36069
Posted: 02/29/2016 13:11:34
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Also, please fix SBB V10. The bug remains in that version too.
#36071
Posted: 02/29/2016 14:10:27
by Ken Ivanov (EldoS Corp.)

Hi Erich,

Quote
I suggest that you assign a developer to hunt and fix all of these areas urgently.

We actually did. Build 289 is supposed to be a hot fix to help our customers recover from the issue as quickly as possible. In parallel to the build process, the rest of the functionality was checked for similar problems, so we can say more or less confidently that it's only the TElHTTPSClient component that was subject to the leap year issue.

Yet, the issue can hardly be considered resolved until we trace its roots down to the primary cause, identify why the QA didn't spot it, and check the code extensively for similar issues. This is what we are dedicating a big share of our efforts to now.

At the same time we are working on updating version 10 and others.

Thank you for your patience and sorry for the trouble caused to your service.

Ken
#36073
Posted: 02/29/2016 14:45:02
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Quote
We actually did.

Look at the ParseWindowsFileListEntry method in SBSimpleFTPS.pas

This part could be potentially risky (if Y=100):
Code
  if Y < 50 then
    Inc(Y, 2000)
  else
    Inc(Y, 1900);
  FileInfo.FileDate := EncodeDate(Y, M, D);
#36074
Posted: 02/29/2016 14:54:51
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Also, look at UTCTimeToDate in SBUtils.pas

If (not FourDigitYear) and Y resolves to zero, then we probably also have an issue here:
Code
  // year
  if FourDigitYear then
  begin
    Str := Copy(UTCTime, 1, 4);
    Y := Word(StrToIntDef(Str, 0));
  end
  else
  begin
    Str := Copy(UTCTime, 1, 2);
    Y := Word(StrToIntDef(Str, 0));
    if (Y >= 50) then
      Y := (1900 + Y)
    else
      Y := (2000 + Y);
  end;
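The two-digit-year handling quoted in posts #36073 (ParseWindowsFileListEntry) and #36074 (UTCTimeToDate), modelled in Python as an added example that is not code from the thread or from SecureBlackbox. str_to_int_def is a stand-in for Delphi's StrToIntDef (it returns the default instead of failing), pivot_two_digit_year reproduces the 50-pivot exactly as posted, and parse_utctime_lenient follows the posted branch field by field. parse_utctime_strict is an assumed alternative that validates the whole UTCTime string before decoding any field; the sample inputs are constructed.

```python
import re
from datetime import datetime, timezone


def str_to_int_def(s: str, default: int) -> int:
    """Python stand-in for Delphi's StrToIntDef: `default` when `s` is not an
    integer. This is what turns a garbled year field into 0 instead of an error."""
    try:
        return int(s, 10)
    except ValueError:
        return default


def pivot_two_digit_year(y: int) -> int:
    """The 50-pivot used in both posted snippets: 50..99 -> 19xx, 0..49 -> 20xx.
    Nothing here rejects a value outside 0..99: 100 silently becomes 2000 and
    a negative value ends up in the 20xx range, which is the out-of-range
    concern raised in the thread."""
    return 1900 + y if y >= 50 else 2000 + y


def parse_utctime_lenient(utctime: str) -> tuple:
    """Mirrors the posted two-digit branch of UTCTimeToDate: each field goes
    through StrToIntDef with default 0, so 'ZZ' as a year becomes 0 -> 2000 and
    an unparsable month or day becomes 0. The returned (Y, M, D) may describe an
    impossible date; in the original the later EncodeDate call is what would
    raise, far from the input that caused it."""
    y = pivot_two_digit_year(str_to_int_def(utctime[0:2], 0))
    m = str_to_int_def(utctime[2:4], 0)
    d = str_to_int_def(utctime[4:6], 0)
    return (y, m, d)


# ASN.1 UTCTime as used in X.509: YYMMDDhhmm[ss]Z (offset forms omitted here).
_UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")


def parse_utctime_strict(utctime: str) -> datetime:
    """Assumed hardened alternative: validate the whole string before decoding
    any field, then build the datetime, so an impossible date (29 Feb in a
    non-leap year, month 0, a non-numeric year) is reported as a parse error
    for this input instead of escaping from date construction later."""
    m = _UTCTIME.match(utctime)
    if not m:
        raise ValueError(f"not a UTCTime: {utctime!r}")
    yy, mo, dd, hh, mi, ss = (int(g) if g is not None else 0 for g in m.groups())
    try:
        return datetime(pivot_two_digit_year(yy), mo, dd, hh, mi, ss, tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"UTCTime {utctime!r} encodes an impossible date: {exc}") from None


def utctime_is_valid(utctime: str) -> bool:
    """True if the strict parser accepts the string."""
    try:
        parse_utctime_strict(utctime)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a valid leap day, the same day in a non-leap year,
    # and a garbled year field that the lenient path quietly maps to 2000.
    for sample in ("160229120000Z", "170229120000Z", "ZZ0230120000Z"):
        print(sample, "lenient ->", parse_utctime_lenient(sample),
              "strict valid ->", utctime_is_valid(sample))
```

The lenient path never reports a bad year: "ZZ" becomes 2000 and the error, if any, surfaces only when some later EncodeDate call rejects the assembled components. The strict path fails at the input, with the offending string in the message, which is what you want in a certificate or file-listing parser that receives attacker- or peer-supplied bytes.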

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.