Item13839 (16 Nov 2015, GeorgeClark)

Item13839: UserMapping: validateRegistrationField is too strict on usernames - unable to add users containing underscore.

Priority: Urgent
Current State: Closed
Released In: 2.0.3
Target Release: patch
Applies To: Engine
Component: UserMapping
Branches: master
Reported By: JanKrueger
Waiting For:
Last Change By: GeorgeClark

Foswiki::UserMapping::validateRegistrationField recently (distro:1f82ab0c) became stricter about validating registration fields, passing most of them through Foswiki::entityEncode.

Unfortunately, entityEncode encodes quite a few more characters than the ones that are problematic in terms of content validation, such as special characters from TML. One candidate that sticks out is the underscore (_). This turns any attempt to use the username foo_bar into foo&95;bar.

This affects not only registrations but also, for example, adding users to groups. The code in Foswiki::UI::Register::addUserToGroup filters each entry through the validation function, so that an attempt to add foo_bar to a group actually adds foo&95;bar which is nonsense.

The existing code in validateRegistrationField already has a special case for user names, matching them against {LoginNameFilterIn}. This is probably sufficient and the function should return the value as-is if this check passes.

-- JanKrueger - 04 Nov 2015

Patch to try:
diff --git a/core/lib/Foswiki/UserMapping.pm b/core/lib/Foswiki/UserMapping.pm
index fe49884..6c8803e 100644
--- a/core/lib/Foswiki/UserMapping.pm
+++ b/core/lib/Foswiki/UserMapping.pm
@@ -566,11 +566,15 @@ sub validateRegistrationField {
 
     return $_[2] if ( lc( $_[1] ) eq 'loginname' );
 
-    if (   ( lc( $_[1] ) eq 'username' )
-        && length( $_[2] )
-        && !( $_[2] =~ m/$Foswiki::cfg{LoginNameFilterIn}/ ) )
-    {
-        throw Error::Simple( Foswiki::entityEncode("Invalid $_[1]") );
+    if ( lc( $_[1] ) eq 'username' ) {
+        if ( length( $_[2] )
+            && !( $_[2] =~ m/$Foswiki::cfg{LoginNameFilterIn}/ ) )
+        {
+            throw Error::Simple( Foswiki::entityEncode("Invalid $_[1]") );
+        }
+        else {
+            return $_[2];
+        }
     }
 
     # Don't check contents of password - it's never displayed.
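Review bot: the new "return $_[2];" in the else branch hands the username back with no encoding at all, so from this point its safety rests entirely on $Foswiki::cfg{LoginNameFilterIn}, which is site configuration and is matched here exactly as configured (any anchoring has to come from the pattern itself). Please add a comment at the return stating that the raw value is returned on purpose and that callers which render it must encode at output, and consider a unit test that registers foo_bar and also confirms a name containing < or " is still rejected under the default filter. Style: the else is redundant after the throw; a plain "return $_[2];" following the inner if reads more simply. An empty username also takes this return without being matched against the filter, which deserves a mention in the comment if it is intended.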

-- GeorgeClark - 04 Nov 2015
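
A simplified model of the behaviour reported above and of the patched username path, added here as an example (not Foswiki's own code). The subs `entity_encode`, `validate_before` and `validate_after` and the variable `$login_filter` are hypothetical stand-ins; the encoded character set and the filter pattern are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for Foswiki::entityEncode (assumption): turns a set of characters,
# including the underscore as described in the report, into numeric entities.
sub entity_encode {
    my ($text) = @_;
    $text =~ s/(["%&\$'*<=>\@\[\]_|])/'&#' . ord($1) . ';'/ge;
    return $text;
}

# Constructed allowlist standing in for $Foswiki::cfg{LoginNameFilterIn}.
my $login_filter = qr/^[^\s*?~^\$\@%`"'&;|<>\x00-\x1f]+$/;

# Reported behaviour: the username is checked against the filter, then the
# value still falls through to the encoder, which mangles legitimate names.
sub validate_before {
    my ( $field, $value ) = @_;
    if ( lc($field) eq 'username' && length($value) && $value !~ $login_filter ) {
        die "Invalid $field\n";
    }
    return entity_encode($value);
}

# Patched behaviour: a username that passes the filter is returned unchanged;
# every other field is still encoded.
sub validate_after {
    my ( $field, $value ) = @_;
    if ( lc($field) eq 'username' ) {
        die "Invalid $field\n" if length($value) && $value !~ $login_filter;
        return $value;
    }
    return entity_encode($value);
}

# Constructed sample names: one with an underscore, one plain, one the filter rejects.
for my $name ( 'foo_bar', 'JohnSmith', 'foo<bar' ) {
    my $before = eval { validate_before( 'username', $name ) } // 'rejected';
    my $after  = eval { validate_after( 'username', $name ) }  // 'rejected';
    printf "%-10s before=%-14s after=%s\n", $name, $before, $after;
}
```

The name containing `<` is rejected by both versions, which shows that the allowlist, not the encoder, is what keeps markup characters out of usernames once the patch is applied.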
 

ItemTemplate

Summary UserMapping: validateRegistrationField is too strict on usernames - unable to add users containing underscore.
ReportedBy JanKrueger
Codebase 2.0.2, trunk
SVN Range
AppliesTo Engine
Component UserMapping
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:f853dd1b0a1f
TargetRelease patch
ReleasedIn 2.0.3
CheckinsOnBranches master
trunkCheckins
masterCheckins distro:f853dd1b0a1f
ItemBranchCheckins
Release01x01Checkins
Topic revision: r3 - 16 Nov 2015, GeorgeClark
