
Item13839: UserMapping: validateRegistrationField is too strict on usernames - unable to add users containing underscore.

Priority: Urgent
Current State: Closed
Released In: 2.0.3
Target Release: patch
Applies To: Engine
Component: UserMapping
Branches: master
Reported By: JanKrueger
Waiting For:
Last Change By: GeorgeClark
Foswiki::UserMapping::validateRegistrationField recently (distro:1f82ab0c) became stricter about validating registration fields, passing most of them through Foswiki::entityEncode.

Unfortunately, entityEncode encodes quite a few more characters than the ones that are problematic in terms of content validation, such as special characters from TML. One candidate that sticks out is the underscore (_). This turns any attempt to use the username foo_bar into foo&95;bar.

This affects not only registrations but also, for example, adding users to groups. The code in Foswiki::UI::Register::addUserToGroup filters each entry through the validation function, so that an attempt to add foo_bar to a group actually adds foo&95;bar, which is nonsense.

The existing code in validateRegistrationField already has a special case for user names, matching them against {LoginNameFilterIn}. This is probably sufficient and the function should return the value as-is if this check passes.

-- JanKrueger - 04 Nov 2015

Patch to try:
diff --git a/core/lib/Foswiki/UserMapping.pm b/core/lib/Foswiki/UserMapping.pm
index fe49884..6c8803e 100644
--- a/core/lib/Foswiki/UserMapping.pm
+++ b/core/lib/Foswiki/UserMapping.pm
@@ -566,11 +566,15 @@ sub validateRegistrationField {
 
     return $_[2] if ( lc( $_[1] ) eq 'loginname' );
 
-    if (   ( lc( $_[1] ) eq 'username' )
-        && length( $_[2] )
-        && !( $_[2] =~ m/$Foswiki::cfg{LoginNameFilterIn}/ ) )
-    {
-        throw Error::Simple( Foswiki::entityEncode("Invalid $_[1]") );
+    if ( lc( $_[1] ) eq 'username' ) {
+        if ( length( $_[2] )
+            && !( $_[2] =~ m/$Foswiki::cfg{LoginNameFilterIn}/ ) )
+        {
+            throw Error::Simple( Foswiki::entityEncode("Invalid $_[1]") );
+        }
+        else {
+            return $_[2];
+        }
     }
 
     # Don't check contents of password - it's never displayed.
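
Review bot: The new `return $_[2];` in the `else` branch hands the username back without any encoding, so after this change the `m/$Foswiki::cfg{LoginNameFilterIn}/` match is the only check applied to that value. The match is unanchored as written here, so the configured pattern has to carry its own anchors and exclude every character that is unsafe to render; a short comment above the `return` stating that dependency would help the next reader. The `else` branch is also reached when `length( $_[2] )` is zero, so an empty username is returned unchecked; if that is intended, the comment should say so. Style: because the `throw` leaves the sub, the `else` wrapper is not needed and the `return` can follow the inner `if` directly.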

-- GeorgeClark - 04 Nov 2015
 

ItemTemplate

Summary UserMapping: validateRegistrationField is too strict on usernames - unable to add users containing underscore.
ReportedBy JanKrueger
Codebase 2.0.2, trunk
SVN Range
AppliesTo Engine
Component UserMapping
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:f853dd1b0a1f
TargetRelease patch
ReleasedIn 2.0.3
CheckinsOnBranches master
trunkCheckins
masterCheckins distro:f853dd1b0a1f
ItemBranchCheckins
Release01x01Checkins
Topic revision: r3 - 16 Nov 2015, GeorgeClark