Creating a user with a null password, salt, or hash threw a NullPointerException.

0337086c · Thomas Mueller · cdec23b9 · 0337086c · 0337086c · 0337086c
--- a/h2/src/docsrc/html/changelog.html
+++ b/h2/src/docsrc/html/changelog.html
@@ -20,7 +20,8 @@ Change Log
 <h1>Change Log</h1>

 <h2>Next Version (unreleased)</h2>
-<ul><li>Foreign key: don't add a single column index if column 
+<ul><li>Creating a user with a null password, salt, or hash threw a NullPointerException.
+</li><li>Foreign key: don't add a single column index if column
    is leading key of existing index.
 </li><li>Pull request #4: Creating and removing temporary tables was getting
    slower and slower over time, because an internal object id was allocated but

--- a/h2/src/main/org/h2/command/ddl/AlterUser.java
+++ b/h2/src/main/org/h2/command/ddl/AlterUser.java
@@ -12,8 +12,6 @@ import org.h2.engine.Session;
 import org.h2.engine.User;
 import org.h2.expression.Expression;
 import org.h2.message.DbException;
-import org.h2.security.SHA256;
-import org.h2.util.StringUtils;

 /**
 * This class represents the statements
@@ -63,15 +61,6 @@ public class AlterUser extends DefineCommand {
        this.password = password;
    }

-    private char[] getCharArray(Expression e) {
-        return e.optimize(session).getValue(session).getString().toCharArray();
-    }
-
-    private byte[] getByteArray(Expression e) {
-        return StringUtils.convertHexToBytes(
-                e.optimize(session).getValue(session).getString());
-    }
-
    @Override
    public int update() {
        session.commit(true);
@@ -82,12 +71,9 @@ public class AlterUser extends DefineCommand {
                session.getUser().checkAdmin();
            }
            if (hash != null && salt != null) {
-                user.setSaltAndHash(getByteArray(salt), getByteArray(hash));
+                CreateUser.setSaltAndHash(user, session, salt, hash);
            } else {
-                String name = newName == null ? user.getName() : newName;
-                char[] passwordChars = getCharArray(password);
-                byte[] userPasswordHash = SHA256.getKeyPasswordHash(name, passwordChars);
-                user.setUserPasswordHash(userPasswordHash);
+                CreateUser.setPassword(user, session, password);
            }
            break;
        case CommandInterface.ALTER_USER_RENAME:

--- a/h2/src/main/org/h2/command/ddl/CreateUser.java
+++ b/h2/src/main/org/h2/command/ddl/CreateUser.java
@@ -45,13 +45,26 @@ public class CreateUser extends DefineCommand {
        this.password = password;
    }

-    private char[] getCharArray(Expression e) {
-        return e.optimize(session).getValue(session).getString().toCharArray();
+    static void setSaltAndHash(User user, Session session, Expression salt, Expression hash) {
+        user.setSaltAndHash(getByteArray(session, salt), getByteArray(session, hash));
    }

-    private byte[] getByteArray(Expression e) {
-        return StringUtils.convertHexToBytes(
-                e.optimize(session).getValue(session).getString());
+    private static byte[] getByteArray(Session session, Expression e) {
+        String s = e.optimize(session).getValue(session).getString();
+        return s == null ? new byte[0] : StringUtils.convertHexToBytes(s);
+    }
+
+    static void setPassword(User user, Session session, Expression password) {
+        String pwd = password.optimize(session).getValue(session).getString();
+        char[] passwordChars = pwd == null ? new char[0] : pwd.toCharArray();
+        byte[] userPasswordHash;
+        String userName = user.getName();
+        if (userName.length() == 0 && passwordChars.length == 0) {
+            userPasswordHash = new byte[0];
+        } else {
+            userPasswordHash = SHA256.getKeyPasswordHash(userName, passwordChars);
+        }
+        user.setUserPasswordHash(userPasswordHash);
    }

    @Override
@@ -73,16 +86,9 @@ public class CreateUser extends DefineCommand {
        user.setAdmin(admin);
        user.setComment(comment);
        if (hash != null && salt != null) {
-            user.setSaltAndHash(getByteArray(salt), getByteArray(hash));
+            setSaltAndHash(user, session, salt, hash);
        } else if (password != null) {
-            char[] passwordChars = getCharArray(password);
-            byte[] userPasswordHash;
-            if (userName.length() == 0 && passwordChars.length == 0) {
-                userPasswordHash = new byte[0];
-            } else {
-                userPasswordHash = SHA256.getKeyPasswordHash(userName, passwordChars);
-            }
-            user.setUserPasswordHash(userPasswordHash);
+            setPassword(user, session, password);
        } else {
            throw DbException.throwInternalError();
        }

--- a/h2/src/test/org/h2/test/db/TestRights.java
+++ b/h2/src/test/org/h2/test/db/TestRights.java
@@ -34,6 +34,7 @@ public class TestRights extends TestBase {

    @Override
    public void test() throws SQLException {
+        testNullPassword();
        testLinkedTableMeta();
        testGrantMore();
        testOpenNonAdminWithMode();
@@ -48,6 +49,17 @@ public class TestRights extends TestBase {
        deleteDb("rights");
    }

+    private void testNullPassword() throws SQLException {
+        deleteDb("rights");
+        Connection conn = getConnection("rights");
+        stat = conn.createStatement();
+        stat.execute("create user test password null");
+        stat.execute("alter user test set password null");
+        stat.execute("create user test2 salt null hash null");
+        stat.execute("alter user test set salt null hash null");
+        conn.close();
+    }
+
    private void testLinkedTableMeta() throws SQLException {
        deleteDb("rights");
        Connection conn = getConnection("rights");