Ticket #2630 (closed defect: fixed)

Opened 5 years ago

Last modified 3 years ago

Registration of usernames which can corrupt a SvnServePasswordStore

Reported by: det
Assigned to: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: precaution input username check
Cc:
Trac Release: 0.11

Description

I am using SvnServePasswordStore so that svnserve shares accounts with Trac. I had a user register a username which began with "[exe]" and this caused corruption of the passwd file. The reason is because the SvnServePasswordStore format names sections by "[<section>]". AccountManagerPlugin should disallow usernames containing ' and ?' when using SvnServePasswordStore.

Attachments

ticket_2630_svnserve.patch (481 bytes) - added by pacopablo on 10/30/08 05:42:59.
Patch to deny creation of usernames beginning with [

Change History

02/23/08 20:38:54 changed by det

The final line should read:

AccountManagerPlugin should disallow usernames containing any of the characters "[]" when using SvnServePasswordStore.

10/30/08 05:42:59 changed by pacopablo

  • attachment ticket_2630_svnserve.patch added.

Patch to deny creation of usernames beginning with [

10/30/08 05:43:25 changed by pacopablo

  • status changed from new to assigned.
  • owner changed from mgood to pacopablo.

Will you please try the attached patch?

05/28/09 14:10:56 changed by manski

This is fixed by the patch provided in #5295.

09/29/10 23:13:00 changed by hasienda

  • status changed from assigned to new.
  • owner changed from pacopablo to hasienda.
  • keywords set to precaution input username check.
  • summary changed from Users can register usernames which can corrupt a SvnServePasswordStore. to Registration of user names which can corrupt a SvnServePasswordStore.

10/02/10 00:56:16 changed by hasienda

  • status changed from new to assigned.
  • summary changed from Registration of user names which can corrupt a SvnServePasswordStore to Registration of usernames which can corrupt a SvnServePasswordStore.

Now there is a fix on the way as part of a bigger effort to enhance and extend username tests in the register module, thanks to the patch mentioned above, provided by manski.

10/07/10 14:37:24 changed by hasienda

  • status changed from assigned to closed.
  • resolution set to fixed.

We've got some suggestions and even patches to improve checking for invalid usernames in the registration procedure. Therefore now we've added the following checks in [9260]:

  • against a list of reserved names (refs #5295)
  • against an admin-configurable character blacklist, by default containing
    • colon, since it's corrupting HtPasswdStore (closes #4682)
    • '[' and ']', since they're corrupting SvnServePasswordStore (closes #2630)

Additionally we're taking care of, and instantly removing, surrounding whitespace around usernames and email addresses (closes #7087).

Thanks to all contributors, especially to manski, for exceptional help by reviewing tickets and bundling related issues.
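
The corruption reported in this ticket and the checks listed in the closing comment, as an added example (not code from AccountManagerPlugin or from changeset [9260]). Assumptions: Python's `configparser` stands in for svnserve's own INI parser, and the function names, the reserved-name list and the sample accounts are constructed for illustration.

```python
import configparser

# Assumed defaults modelled on the closing comment; all names here are hypothetical.
BLACKLIST = ":[]"                          # ':' breaks htpasswd, '[' and ']' break svnserve
RESERVED = {"anonymous", "authenticated"}  # constructed sample of reserved names


def render_passwd(users):
    """Serialize {username: password} in the svnserve passwd layout."""
    return "[users]\n" + "".join(f"{u} = {p}\n" for u, p in users.items())


def load_users(text):
    """Return (usernames found in [users], every section the parser saw)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return sorted(cp.options("users")), cp.sections()


def check_username(raw):
    """Strip surrounding whitespace, then reject reserved names and blacklisted characters."""
    name = raw.strip()
    if not name:
        raise ValueError("empty username")
    if name.lower() in RESERVED:
        raise ValueError(f"reserved username: {name!r}")
    bad = sorted(set(name) & set(BLACKLIST))
    if bad:
        raise ValueError(f"username contains blacklisted characters: {bad}")
    return name


def register(users, raw, password, validate=True):
    """Add an account to the in-memory store, optionally skipping the checks."""
    name = check_username(raw) if validate else raw
    users[name] = password
    return name


if __name__ == "__main__":
    store = {"alice": "pw1"}
    register(store, "[exe]", "pw2", validate=False)  # username from the ticket, unchecked
    register(store, "bob", "pw3")
    # "[exe] = pw2" is read as a section header, so bob lands in [exe], not [users].
    print(load_users(render_passwd(store)))
    try:
        register(store, "[exe2]", "pw4")
    except ValueError as err:
        print("rejected:", err)
```

Without validation, every account registered after the bracketed username ends up outside `[users]`, which is why the check has to run before the name is written to the store.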

