Ticket #7575 (closed defect: duplicate)

Opened 1 year ago

Last modified 1 year ago

Supplying username allows \r in name

Reported by: anonymous
Assigned to: pacopablo
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: user register name check
Cc:
Trac Release: 0.11

Description

I constantly get users in the database which have been created by spammers. It is impossible to delete these when they have a \r in the username, as all web interfaces fail to handle them correctly. Creating such users should be prevented.

Change History

10/01/10 23:11:19 changed by hasienda

  • keywords set to user register name check.
  • status changed from new to closed.
  • resolution set to duplicate.

The proposed patch for #5295 allows for white-listing arbitrary usernames by admin-supplied regexp.

Certainly there are applications that could still allow \r in usernames, so we shouldn't hard-code a solution for this issue anyway. Previously I tended not to implement the regexp extension introduced by a patch to the aforementioned ticket, but now this is a valid use case.

I still have to think about a meaningful error message, since reporting a regexp to the average user in cleartext, as was suggested, looks definitely flawed to me.

Anyway, we'll stick to the pre-existing proposal.

(follow-up: ↓ 3 ) 01/03/11 00:50:07 changed by anonymous

Well, when the "\r" in user name is supported, then the remaining functions also need to support it - namely the delete user function :-)

(in reply to: ↑ 2 ) 01/03/11 01:19:44 changed by hasienda

Replying to anonymous:

Well, when the "\r" in user name is supported, then the remaining functions also need to support it - namely the delete user function :-)

Good point, one more to think it twice again. Admittedly I've not thought much about that lately.
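The whitelist approach discussed in this ticket, as an added example that is not AccountManagerPlugin code or the patch from #5295: it checks a name against an admin-supplied regexp, reports a generic message instead of the regexp, and lists already-stored names that fail the rule so they can be cleaned up. All function names and the default pattern are assumptions made for illustration.

```python
import re

# Hypothetical admin-supplied whitelist (assumed default, not from the plugin).
DEFAULT_USERNAME_PATTERN = r"[A-Za-z0-9][A-Za-z0-9._@-]{0,63}"


class UsernameRejected(ValueError):
    """Carries a message that is safe to show to the registering user."""


def naive_is_allowed(name, pattern=DEFAULT_USERNAME_PATTERN):
    # Weak variant shown for comparison: "$" also matches just before a
    # trailing "\n", so "bob\n" is accepted by this check.
    return re.match(pattern + "$", name) is not None


def validate_username(name, pattern=DEFAULT_USERNAME_PATTERN):
    """Return name unchanged if the whole string matches the whitelist."""
    # fullmatch() requires the pattern to consume the entire name, so a
    # trailing "\r" or "\n" cannot slip past the whitelist.
    if re.fullmatch(pattern, name) is None:
        # Describe the problem in words; do not echo the regexp to the user.
        raise UsernameRejected(
            "The username is empty or contains characters that are not allowed.")
    return name


def audit_existing(names, pattern=DEFAULT_USERNAME_PATTERN):
    """Return repr() of stored names that fail the whitelist.

    repr() makes invisible characters such as "\\r" visible to the admin.
    """
    return [repr(n) for n in names if re.fullmatch(pattern, n) is None]


if __name__ == "__main__":
    # Constructed sample input, not taken from any real user database.
    for candidate in ["alice", "bob\r", "bob\n", ""]:
        try:
            validate_username(candidate)
            print("accepted", repr(candidate))
        except UsernameRejected as exc:
            print("rejected", repr(candidate), "-", exc)
    print("needs cleanup:", audit_existing(["alice", "spam\r", "x\ny"]))
```
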

