Opened 6 years ago

Closed 4 years ago

#4682 closed defect (fixed)

Registration of user names with colon could corrupt htpasswd file

Reported by: Mitar
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: precaution input username check
Cc: mmitar@…
Trac Release: 0.11

Description

It should not allow registration of usernames with a : in them, as they tend to break the htpasswd file.

Change History (3)

comment:1 Changed 5 years ago by manski

This is fixed by the patch provided in #5295.

comment:2 Changed 4 years ago by hasienda

  • Keywords precaution input username check added
  • Owner changed from mgood to hasienda
  • Summary changed from Username with a : to Registration of user names with colon could corrupt htpasswd file

comment:3 Changed 4 years ago by hasienda

  • Resolution set to fixed
  • Status changed from new to closed

We've got some suggestions and even patches to improve checking for invalid usernames in the registration procedure. Therefore now we've added the following checks in [9260]:

  • against a list of reserved names (refs #5295)
  • against an admin-configurable character blacklist, by default containing
    • colon, since it's corrupting HtPasswdStore (closes #4682)
    • '[' and ']', since they're corrupting SvnServePasswordStore (closes #2630)

Additionally we're taking care of, and instantly removing, surrounding whitespace around usernames and email addresses (closes #7087).

Thanks to all contributors, especially to manski, for exceptional help by reviewing tickets and bundling related issues.
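
The checks listed in comment:3, as an added Python sketch that is not the AccountManagerPlugin code from [9260]: it shows why a colon breaks a `user:hash` line and how the blacklist, reserved-name and whitespace checks stop it before the write. All function names, the reserved-name list, the case-insensitive comparison and the sample hash string are assumptions made for the illustration.

```python
# Added illustration; not AccountManagerPlugin code. All names are hypothetical.
RESERVED = {"anonymous", "authenticated"}   # constructed sample list
BLACKLIST = ":[]"                            # default characters named in comment:3


def validate_username(raw, reserved=RESERVED, blacklist=BLACKLIST):
    """Return the cleaned username, or raise ValueError if it must be refused."""
    name = raw.strip()                       # remove surrounding whitespace first
    if not name:
        raise ValueError("empty username")
    if name.lower() in reserved:             # case-insensitive match is an assumption
        raise ValueError("reserved username: %r" % name)
    bad = sorted(set(name) & set(blacklist))
    if bad:
        raise ValueError("forbidden character(s): %s" % "".join(bad))
    return name


def format_entry(user, pw_hash):
    """Naive htpasswd line writer: 'user:hash'. The format has no escaping."""
    return "%s:%s\n" % (user, pw_hash)


def parse_entry(line):
    """Read a line the way an htpasswd consumer does: split at the first colon."""
    user, _, pw_hash = line.rstrip("\n").partition(":")
    return user, pw_hash


def round_trips(user, pw_hash="{SHA}constructed-hash"):
    """True if the line written for `user` reads back as the same user and hash."""
    return parse_entry(format_entry(user, pw_hash)) == (user, pw_hash)


def safe_to_store(raw):
    """Validation gate in front of the writer; False means registration is refused."""
    try:
        return round_trips(validate_username(raw))
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["alice", "  bob ", "al:ice", "[users]", "anonymous"]:
        print("%-12r round-trips unchecked: %-5s accepted: %s"
              % (candidate, round_trips(candidate), safe_to_store(candidate)))
```

Without the gate, the entry for `al:ice` reads back as user `al` with a hash field that begins `ice:`, which is the corruption this ticket reports.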
