Opened 7 years ago

Closed 4 years ago

#2630 closed defect (fixed)

Registration of usernames which can corrupt a SvnServePasswordStore

Reported by: det
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: precaution input username check
Cc:
Trac Release: 0.11

Description

I am using SvnServePasswordStore so that svnserve shares accounts with Trac. I had a user register a username which began with "[exe]" and this caused corruption of the passwd file. The reason is because the SvnServePasswordStore format names sections by "[<section>]". AccountManagerPlugin should disallow usernames containing 'and?' when using SvnServePasswordStore.

Attachments (1)

ticket_2630_svnserve.patch (481 bytes) - added by pacopablo 6 years ago.
Patch to deny creation of usernames beginning with [


Change History (7)

comment:1 Changed 7 years ago by det

The final line should read:

AccountManagerPlugin should disallow usernames containing any of the characters "[]" when using SvnServePasswordStore.

Changed 6 years ago by pacopablo

Patch to deny creation of usernames beginning with [

comment:2 Changed 6 years ago by pacopablo

  • Owner changed from mgood to pacopablo
  • Status changed from new to assigned

Will you please try the attached patch?

comment:3 Changed 5 years ago by manski

This is fixed by the patch provided in #5295.

comment:4 Changed 4 years ago by hasienda

  • Keywords precaution input username check added
  • Owner changed from pacopablo to hasienda
  • Status changed from assigned to new
  • Summary changed from Users can register usernames which can corrupt a SvnServePasswordStore. to Registration of user names which can corrupt a SvnServePasswordStore

comment:5 Changed 4 years ago by hasienda

  • Status changed from new to assigned
  • Summary changed from Registration of user names which can corrupt a SvnServePasswordStore to Registration of usernames which can corrupt a SvnServePasswordStore

Now there is a fix on the way as part of a bigger effort to enhance and extend username tests in the register module, thanks to the patch mentioned above, provided by manski.

comment:6 Changed 4 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

We've got some suggestions and even patches to improve checking for invalid usernames in the registration procedure. Therefore now we've added the following checks in [9260]:

  • against a list of reserved names (refs #5295)
  • against an admin-configurable character blacklist, by default containing
    • colon, since it's corrupting HtPasswdStore (closes #4682)
    • '[' and ']', since they're corrupting SvnServePasswordStore (closes #2630)

Additionally, we're taking care to instantly remove surrounding whitespace around usernames and email addresses (closes #7087).

Thanks to all contributors, especially to manski, for exceptional help by reviewing tickets and bundling related issues.
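
The checks listed in comment:6, sketched as an added example (this is not AccountManagerPlugin's code from [9260]). It uses Python's `configparser` as a stand-in for the passwd-file parser; the function names, the reserved-name list and the sample accounts are constructed for illustration.

```python
import configparser

# Hypothetical names and defaults modelled on comment:6; constructed for this example.
RESERVED_NAMES = {"anonymous", "authenticated"}
CHAR_BLACKLIST = ":[]"   # ':' breaks HtPasswdStore, '[' and ']' break SvnServePasswordStore


def validate_username(raw, reserved=RESERVED_NAMES, blacklist=CHAR_BLACKLIST):
    """Return the whitespace-stripped username, or raise ValueError."""
    name = raw.strip()
    if not name:
        raise ValueError("username is empty")
    if name.lower() in reserved:
        raise ValueError("username %r is reserved" % name)
    bad = sorted(set(name) & set(blacklist))
    if bad:
        raise ValueError("username contains forbidden characters: %s" % " ".join(bad))
    return name


def render_passwd(accounts):
    """Serialise (name, password) pairs into a [users] section with no input checks."""
    return "[users]\n" + "".join("%s = %s\n" % pair for pair in accounts)


def read_users(text):
    """Parse passwd text; return (accounts in [users], all section names)."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str          # keep usernames case-sensitive
    parser.read_string(text)
    return dict(parser.items("users")), parser.sections()


# Constructed sample registrations, in the order they were submitted.
SAMPLE = [("alice", "pw1"), ("[exe]", "pw2"), ("bob", "pw3")]

if __name__ == "__main__":
    users, sections = read_users(render_passwd(SAMPLE))
    print("unchecked:", users, sections)   # bob ends up outside [users]
    for name, _ in SAMPLE:
        try:
            print("accepted:", validate_username(name))
        except ValueError as exc:
            print("rejected:", exc)
```

Written without checks, the `[exe]` line is read as a new section header, so every account registered after it drops out of `[users]`.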
