Opened 9 years ago

Closed 6 years ago

#2630 closed defect (fixed)

Registration of usernames which can corrupt a SvnServePasswordStore

Reported by: Chris Clearwater
Owned by: Steffen Hoffmann
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: precaution input username check
Cc:
Trac Release: 0.11

Description

I am using SvnServePasswordStore so that svnserve shares accounts with Trac. I had a user register a username which began with "[exe]" and this caused corruption of the passwd file. The reason is because the SvnServePasswordStore format names sections by "[<section>]". AccountManagerPlugin should disallow usernames containing 'and?' when using SvnServePasswordStore.

Attachments (1)

ticket_2630_svnserve.patch (481 bytes) - added by John Hampton 8 years ago.
Patch to deny creation of usernames beginning with [

Change History (7)

comment:1 Changed 9 years ago by Chris Clearwater

The final line should read:

AccountManagerPlugin should disallow usernames containing any of the characters "[]" when using SvnServePasswordStore.

Changed 8 years ago by John Hampton

Attachment: ticket_2630_svnserve.patch added

Patch to deny creation of usernames beginning with [

comment:2 Changed 8 years ago by John Hampton

Owner: changed from Matt Good to John Hampton
Status: changed from new to assigned

Will you please try the attached patch?

comment:3 Changed 8 years ago by Sebastian Krysmanski

This is fixed by the patch provided in #5295.

comment:4 Changed 6 years ago by Steffen Hoffmann

Keywords: precaution input username check added
Owner: changed from John Hampton to Steffen Hoffmann
Status: changed from assigned to new
Summary: changed from "Users can register usernames which can corrupt a SvnServePasswordStore." to "Registration of user names which can corrupt a SvnServePasswordStore"

comment:5 Changed 6 years ago by Steffen Hoffmann

Status: changed from new to assigned
Summary: changed from "Registration of user names which can corrupt a SvnServePasswordStore" to "Registration of usernames which can corrupt a SvnServePasswordStore"

Now there is a fix on the way as part of a bigger effort to enhance and extend username tests in the register module, thanks to the patch mentioned above, provided by manski.

comment:6 Changed 6 years ago by Steffen Hoffmann

Resolution: fixed
Status: changed from assigned to closed

We've got some suggestions and even patches to improve checking for invalid usernames in the registration procedure. Therefore now we've added the following checks in [9260]:

  • against a list of reserved names (refs #5295)
  • against an admin-configurable character blacklist, by default containing
    • colon, since it's corrupting HtPasswdStore (closes #4682)
    • '[' and ']', since they're corrupting SvnServePasswordStore (closes #2630)

Additionally we're taking care of, and instantly removing, surrounding whitespace around usernames and email addresses (closes #7087).

Thanks to all contributors, especially to manski, for exceptional help by reviewing tickets and bundling related issues.
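
The following is an added example, not the plugin's own code and not part of any comment above: it sketches the checks listed in comment:6 and shows why a name such as "[exe]" breaks a `[users]`-style passwd file. The function names, the reserved-name list and the use of Python's `configparser` as a stand-in for svnserve's own parser are assumptions made for illustration.

```python
import configparser

# Assumed values for illustration; the plugin's real option names and
# reserved-name list do not appear on this page.
BLACKLIST = ":[]"
RESERVED = {"anonymous", "authenticated"}


def check_username(raw):
    """Return (name, error); error is None when the name is acceptable."""
    name = raw.strip()  # surrounding whitespace is removed first
    if not name:
        return name, "empty username"
    if name.lower() in RESERVED:
        return name, "reserved name"
    bad = sorted(set(name) & set(BLACKLIST))
    if bad:
        return name, "forbidden character(s): " + " ".join(bad)
    return name, None


def build_passwd(requests, validate=True):
    """Render accepted accounts as '[users]' followed by 'name = password'."""
    lines = ["[users]"]
    for raw, password in requests:
        name, error = check_username(raw) if validate else (raw, None)
        if error is None:
            lines.append("%s = %s" % (name, password))
    return "\n".join(lines) + "\n"


def users_seen(passwd_text):
    """Names an INI parser finds under [users] (configparser as stand-in)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep usernames case-sensitive
    parser.read_string(passwd_text)
    return sorted(parser["users"])


# Constructed registration requests, in order of arrival.
SAMPLE = [("alice", "pw1"), ("[exe]", "pw2"), ("bob ", "pw3")]

if __name__ == "__main__":
    # Without the check, "[exe] = pw2" parses as a section header and
    # every later account lands outside [users].
    print(users_seen(build_passwd(SAMPLE, validate=False)))
    print(users_seen(build_passwd(SAMPLE)))
```

With validation disabled, the account registered after "[exe]" is no longer found under `[users]`; with validation enabled, the offending name is rejected and the file keeps a single section.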
