Opened 16 years ago
Closed 14 years ago
#2630 closed defect (fixed)
Registration of usernames which can corrupt a SvnServePasswordStore
| Reported by: | Chris Clearwater | Owned by: | Steffen Hoffmann |
|---|---|---|---|
| Priority: | normal | Component: | AccountManagerPlugin |
| Severity: | normal | Keywords: | precaution input username check |
| Cc: | Trac Release: | 0.11 |
Description
I am using SvnServePasswordStore so that svnserve shares accounts with Trac. I had a user register a username which began with "[exe]" and this caused corruption of the passwd file. The reason is because the SvnServePasswordStore format names sections by "[<section>]". AccountManagerPlugin should disallow usernames containing 'and?' when using SvnServePasswordStore.
Attachments (1)
Change History (7)
comment:1 Changed 16 years ago by
Changed 16 years ago by
| Attachment: | ticket_2630_svnserve.patch added |
|---|
Patch to deny creation of usernames beginning with [
comment:2 Changed 16 years ago by
| Owner: | changed from Matt Good to John Hampton |
|---|---|
| Status: | new → assigned |
Will you please try the attached patch?
comment:4 Changed 14 years ago by
| Keywords: | precaution input username check added |
|---|---|
| Owner: | changed from John Hampton to Steffen Hoffmann |
| Status: | assigned → new |
| Summary: | Users can register usernames which can corrupt a SvnServePasswordStore. → Registration of user names which can corrupt a SvnServePasswordStore |
comment:5 Changed 14 years ago by
| Status: | new → assigned |
|---|---|
| Summary: | Registration of user names which can corrupt a SvnServePasswordStore → Registration of usernames which can corrupt a SvnServePasswordStore |
Now there is a fix on the way as part of a bigger effort to enhance and extend username tests in register module, thanks to the patch provided mentioned above by manski.
comment:6 Changed 14 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
We've got some suggestions and even patches to improve checking for invalid usernames in the registration procedure. Therefore now we've added the following checks in [9260]:
- against a list of reserved names (refs #5295)
- against a admin-configurable character blacklist, by default containing
Additionally we're taking care of and instantly remove surrounding whitespace around usernames and email addresses (closes #7087).
Thanks to all contributors, especially to manski, for exceptional help by reviewing tickets and bundling related issues.
The final line should read:
AccountManagerPlugin should disallow usernames containing any of the characters "[]" when using SvnServePasswordStore.