EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Critical fault in OAuth2 implementation with respect to leap year date

Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
Posted: 02/29/2016 04:59:13
by Krzysztof Koralewski (Standard support level)
Joined: 10/15/2014
Posts: 8

I'm using pre-compiled version, can you publish fixed bpl, please. It's will be faster to repair may application and distribute it to my customers.

Posted: 02/29/2016 06:20:51
by Santiago CastaƱo Matilla (Standard support level)
Joined: 05/06/2014
Posts: 1

Thanks for this thread, was also affected by this bug, now distributing fix...
Posted: 02/29/2016 08:50:10
by Alexander Ionov (EldoS Corp.)

VCL edition packages have been updated. Please download your distribution of version 14.0.289 from the standard download location.

We are really sorry about the problems this issue might have caused you.

Please follow our updates on the issue here.

Best regards,
Alexander Ionov
Posted: 02/29/2016 12:37:39
by Stephan Mercier (Standard support level)
Joined: 11/27/2011
Posts: 14

We have the same situation here. Thousands of customers affected by such a junior mistake.
Posted: 02/29/2016 12:48:16
by Ken Ivanov (EldoS Corp.)

Hi Stephan,

We are really sorry about the issue. Indeed this is not something you would expect to come across in a serious product, and we are currently investigating how that could slip through our QA routine.

Please check our guidance here to find out how to fix the issue.

Posted: 02/29/2016 13:03:54
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38


I'm in a better mood (it's the 1st of March where I live), but that said, a quick code scan of the SBB source this morning reveals that there are indeed other areas in the source code where you are using this same technique of incrementing the year and reassembling the TDateTime with the EncodeDate() and EncodeDateTime() methods, which, as we've seen is very risky.

I suggest that you assign a developer to hunt and fix all of these areas urgently.

Please ask Eugene Mayevski to respond to post #36037.
Posted: 02/29/2016 13:11:34
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Also, please fix SBB V10. The bug remains in that version too.
Posted: 02/29/2016 14:10:27
by Ken Ivanov (EldoS Corp.)

Hi Erich,

I suggest that you assign a developer to hunt and fix all of these areas urgently.

We actually did. Build 289 is supposed to be a hot fix to help our customers recover from the issue as quickly as possible. In parallel to the build process, the rest of the functionality was checked for similar problems, so we can say more or less confidently that it's only TElHTTPSClient component that was subject to the leap year issue.

Yet, the issue can be hardly considered resolved until we trace its roots down to the primary cause, identify why the QA didn't spot it, and check the code extensively for similar issues. This is what we are dedicating a big share of our efforts now.

At the same time we are working on updating version 10 and others.

Thank you for your patience and sorry for causing troubles to your service.

Posted: 02/29/2016 14:45:02
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

We actually did.

Look at the ParseWindowsFileListEntry method in SBSimpleFTPS.pas

This part could be potentially risky (if Y=100):
  if Y < 50 then
    Inc(Y, 2000)
    Inc(Y, 1900);
  FileInfo.FileDate := EncodeDate(Y, M, D);
Posted: 02/29/2016 14:54:51
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Also, look at UTCTimeToDate in SBUtils.pas

If (not FourDigitYear) and Y resolves to zero then we also probably have an issue here:
  // year
  if FourDigitYear then
    Str := Copy(UTCTime, 1, 4);
    Y := Word(StrToIntDef(Str, 0));
    Str := Copy(UTCTime, 1, 2);
    Y := Word(StrToIntDef(Str, 0));
    if (Y >= 50) then
      Y := (1900 + Y)
      Y := (2000 + Y);
Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.



Topic viewed 5542 times

Number of guests: 6, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!