XWiki Platform / XWIKI-23272

Abusive modification of the cached document when resetting a password

    Description

      Steps to reproduce

      1. Log out
      2. Click "Log-in" > "Forgot your password"
      3. Fill in a username (existing or not)
      4. Click "Reset password" button

      Expected results

      No warnings are displayed.

      Actual results

      The following stack trace is displayed in the XWiki logs:

      2025-06-04 18:38:33,621 [http-nio-1115-exec-3 - http://localhost:1115/xwiki/authenticate/wiki/xwiki/resetpassword] WARN  c.x.x.d.XWikiDocument          - Abusive modification of the cached document [xwiki:XWiki.U1()]
      java.lang.IllegalStateException: Abusive modification of the cached document
              at com.xpn.xwiki.doc.XWikiDocument.setMetaDataDirty(XWikiDocument.java:2457)
              at com.xpn.xwiki.objects.BaseElement.setOwnerDocument(BaseElement.java:522)
              at com.xpn.xwiki.objects.BaseObject.set(BaseObject.java:380)
              at org.xwiki.security.authentication.internal.DefaultResetPasswordManager.requestResetPassword(DefaultResetPasswordManager.java:179)
              at org.xwiki.security.authentication.script.AuthenticationScriptService.requestResetPassword(AuthenticationScriptService.java:203)
              at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
              at java.base/java.lang.reflect.Method.invoke(Method.java:580)
              at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)
              at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)
              at org.xwiki.velocity.introspection.MethodArgumentsUberspector$ConvertingVelMethod.invoke(MethodArgumentsUberspector.java:306)
              at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)
              at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
              at org.apache.velocity.runtime.parser.node.ASTReference.value(ASTReference.java:704)
              at org.apache.velocity.runtime.parser.node.ASTExpression.value(ASTExpression.java:75)
              at org.apache.velocity.runtime.parser.node.ASTSetDirective.render(ASTSetDirective.java:242)
              at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:147)
              at org.xwiki.velocity.internal.directive.TryCatchDirective.render(TryCatchDirective.java:86)
              at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:304)
              at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:147)
              at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
              at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:190)
              at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:147)
              at org.apache.velocity.runtime.parser.node.ASTElseIfStatement.render(ASTElseIfStatement.java:108)
              at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:190)
              at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
              at org.apache.velocity.Template.merge(Template.java:358)
              at org.apache.velocity.Template.merge(Template.java:262)
              at org.xwiki.velocity.internal.InternalVelocityEngine.evaluate(InternalVelocityEngine.java:233)
              at com.xpn.xwiki.internal.template.VelocityTemplateEvaluator.evaluateContent(VelocityTemplateEvaluator.java:107)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.evaluateContent(TemplateAsyncRenderer.java:219)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.renderVelocity(TemplateAsyncRenderer.java:174)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.render(TemplateAsyncRenderer.java:135)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.render(TemplateAsyncRenderer.java:54)
              at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.lambda$syncRender$0(DefaultAsyncRendererExecutor.java:284)
              at com.xpn.xwiki.internal.security.authorization.DefaultAuthorExecutor.call(DefaultAuthorExecutor.java:98)
              at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.syncRender(DefaultAsyncRendererExecutor.java:284)
              at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.render(DefaultAsyncRendererExecutor.java:267)
              at org.xwiki.rendering.async.internal.block.DefaultBlockAsyncRendererExecutor.render(DefaultBlockAsyncRendererExecutor.java:154)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.render(InternalTemplateManager.java:907)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.renderFromSkin(InternalTemplateManager.java:869)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.render(InternalTemplateManager.java:856)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.renderNoException(InternalTemplateManager.java:811)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.renderNoException(InternalTemplateManager.java:803)
              at com.xpn.xwiki.internal.template.DefaultTemplateManager.renderNoException(DefaultTemplateManager.java:79)
              at com.xpn.xwiki.internal.template.DefaultTemplateManager.renderNoException(DefaultTemplateManager.java:73)
              at org.xwiki.template.script.TemplateScriptService.render(TemplateScriptService.java:54)
              at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
              at java.base/java.lang.reflect.Method.invoke(Method.java:580)
              at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)
              at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)
              at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)
              at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
              at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
              at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:147)
              at org.apache.velocity.runtime.directive.VelocimacroProxy.render(VelocimacroProxy.java:217)
              at org.apache.velocity.runtime.directive.RuntimeMacro.render(RuntimeMacro.java:331)
              at org.apache.velocity.runtime.directive.RuntimeMacro.render(RuntimeMacro.java:261)
              at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:304)
              at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
              at org.apache.velocity.Template.merge(Template.java:358)
              at org.apache.velocity.Template.merge(Template.java:262)
              at org.xwiki.velocity.internal.InternalVelocityEngine.evaluate(InternalVelocityEngine.java:233)
              at com.xpn.xwiki.internal.template.VelocityTemplateEvaluator.evaluateContent(VelocityTemplateEvaluator.java:107)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.evaluateContent(TemplateAsyncRenderer.java:219)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.renderVelocity(TemplateAsyncRenderer.java:174)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.render(TemplateAsyncRenderer.java:135)
              at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.render(TemplateAsyncRenderer.java:54)
              at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.lambda$syncRender$0(DefaultAsyncRendererExecutor.java:284)
              at com.xpn.xwiki.internal.security.authorization.DefaultAuthorExecutor.call(DefaultAuthorExecutor.java:98)
              at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.syncRender(DefaultAsyncRendererExecutor.java:284)
              at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.render(DefaultAsyncRendererExecutor.java:267)
              at org.xwiki.rendering.async.internal.block.DefaultBlockAsyncRendererExecutor.render(DefaultBlockAsyncRendererExecutor.java:154)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.render(InternalTemplateManager.java:907)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.renderFromSkin(InternalTemplateManager.java:869)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.renderFromSkin(InternalTemplateManager.java:849)
              at com.xpn.xwiki.internal.template.InternalTemplateManager.render(InternalTemplateManager.java:835)
              at com.xpn.xwiki.internal.template.DefaultTemplateManager.render(DefaultTemplateManager.java:91)
              at com.xpn.xwiki.internal.template.DefaultTemplateManager.render(DefaultTemplateManager.java:85)
              at com.xpn.xwiki.XWiki.evaluateTemplate(XWiki.java:2570)
              at com.xpn.xwiki.web.Utils.parseTemplate(Utils.java:180)
              at org.xwiki.security.authentication.internal.resource.AuthenticationResourceReferenceHandler.handleAction(AuthenticationResourceReferenceHandler.java:122)
              at org.xwiki.security.authentication.internal.resource.AuthenticationResourceReferenceHandler.handle(AuthenticationResourceReferenceHandler.java:96)
              at org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
              at org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
              at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:160)
              at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:90)
              at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:710)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:130)
              at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:66)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109)
              at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:514)
              at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:334)
              at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:263)
              at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:148)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109)
              at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:211)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109)
              at org.xwiki.container.servlet.filters.internal.SafeRedirectFilter.doFilter(SafeRedirectFilter.java:106)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109)
              at org.xwiki.container.servlet.filters.internal.ResolveRelativeRedirectFilter.doFilter(ResolveRelativeRedirectFilter.java:129)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109)
              at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:120)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:79)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:116)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:666)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
              at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:396)
              at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
              at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744)
              at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
              at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:59)
              at java.base/java.lang.Thread.run(Thread.java:1583)

       

          People

            tmortagne Thomas Mortagne
            iandriuta Ilie Andriuta