Context Navigation

Modify ↓

#2630 closed defect (fixed)

Registration of usernames which can corrupt a SvnServePasswordStore

Reported by:	Chris Clearwater	Owned by:	Steffen Hoffmann
Priority:	normal	Component:	AccountManagerPlugin
Severity:	normal	Keywords:	precaution input username check
Cc:		Trac Release:	0.11

Description

I am using SvnServePasswordStore so that svnserve shares accounts with Trac. I had a user register a username which began with "[exe]" and this caused corruption of the passwd file. The reason is because the SvnServePasswordStore format names sections by "[<section>]". AccountManagerPlugin should disallow usernames containing 'and?' when using SvnServePasswordStore.

Attachments (1)

ticket_2630_svnserve.patch (481 bytes) - added by John Hampton 16 years ago.: Patch to deny creation of usernames beginning with [

Download all attachments as: .zip

Change History (7)

comment:1 Changed 17 years ago by Chris Clearwater

The final line should read:

AccountManagerPlugin should disallow usernames containing any of the characters "[]" when using SvnServePasswordStore.

Changed 16 years ago by John Hampton

Attachment:	ticket_2630_svnserve.patch added

Patch to deny creation of usernames beginning with [

comment:2 Changed 16 years ago by John Hampton

Owner:	changed from Matt Good to John Hampton
Status:	new → assigned

Will you please try the attached patch?

comment:3 Changed 16 years ago by Sebastian Krysmanski

This is fixed by the patch provided in #5295.

comment:4 Changed 14 years ago by Steffen Hoffmann

Keywords:	precaution input username check added
Owner:	changed from John Hampton to Steffen Hoffmann
Status:	assigned → new
Summary:	Users can register usernames which can corrupt a SvnServePasswordStore. → Registration of user names which can corrupt a SvnServePasswordStore

comment:5 Changed 14 years ago by Steffen Hoffmann

Status:	new → assigned
Summary:	Registration of user names which can corrupt a SvnServePasswordStore → Registration of usernames which can corrupt a SvnServePasswordStore

Now there is a fix on the way as part of a bigger effort to enhance and extend username tests in register module, thanks to the patch provided mentioned above by manski.

comment:6 Changed 14 years ago by Steffen Hoffmann

Resolution:	→ fixed
Status:	assigned → closed

We've got some suggestions and even patches to improve checking for invalid usernames in the registration procedure. Therefore now we've added the following checks in [9260]:

against a list of reserved names (refs #5295)
against a admin-configurable character blacklist, by default containing
- colon, since it's corrupting HtPasswdStore (closes #4682)
- '[' and ']', since they're corrupting SvnServePasswordStore (closes #2630)

Additionally we're taking care of and instantly remove surrounding whitespace around usernames and email addresses (closes #7087).

Thanks to all contributors, especially to manski, for exceptional help by reviewing tickets and bundling related issues.

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Steffen Hoffmann.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: