Roundup Tracker - Issues

Issue 2550921

classification
Title: Can create login name with , in it. Confuses nosy list editing. Also can embed html tags.
Type: security Severity: normal
Components: Database, Web interface, Mail interface Versions:
process
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: ber, rouilj, schlatterbeck
Priority: normal Keywords: Effort-Low

Created on 2016-07-06 02:20 by rouilj, last changed 2017-02-26 03:57 by rouilj.

Messages
msg5766 Author: [hidden] (rouilj) Date: 2016-07-06 02:20
When registering need to validate login name.

I suggest preventing at least ',' but probably also space.

See: http://psf.upfronthosting.co.za/roundup/meta/issue583
msg5768 Author: [hidden] (rouilj) Date: 2016-07-06 03:01
Also need to limit for any username change (e.g. editing via the user
admin page).

Should this be an auditor or should it go in core?

-- rouilj
msg5878 Author: [hidden] (rouilj) Date: 2016-07-20 01:11
Login name of <b>demo</b> is allowed. Probably should restrict
login name to match [A-z0-9_.-]+ (C locale).

Although we do html encode things, probably better to sanitize
the login name at least.
msg5879 Author: [hidden] (schlatterbeck) Date: 2016-07-20 06:01
On Wed, Jul 20, 2016 at 01:11:38AM +0000, John Rouillard wrote:
> 
> John Rouillard added the comment:
> 
> Login name of <b>demo</b> is allowed. Probably should restrict
> login name to match [A-z0-9_.-]+ (C locale).
> 
> Although we do html encode things, probably better to sanitize
> the login name at least.

Good idea to limit the chars we allow in usernames.
Please allow "@", I have a tracker where we use the email address as
username (and authenticate against an IMAP server) for a simple helpdesk
application.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
msg5892 Author: [hidden] (rouilj) Date: 2016-08-13 01:17
Trawling the roundup code, the user class is just like any other class.
There is no special status/handling/choke points for the user class.

To do this I think I have to create an auditor on the user class to
validate the username. 

My plan was to allow the user to specify a regexp to validate the
attribute against (setting in tracker/config.ini).

(By default the regexp would allow all possible characters in an email
address so: rouilj-1+mya_ddr@users.example.com should be possible.
(I am also considering allowing % ! and $ in case there are uucp,
csnet or bitnet addresses out there 8-)).

However this is such a fundamental check, I wonder if I need to
implement it as a permanent auditor that is coded into hyperdb.py
or roundupdb.py somehow. I don't see any support for this type of
permanent auditor in existing code.

Also this idea kind of flies in the face of the requirement for the
trackers to define business logic. So you can cause roundup to
act weird is we get invalid chars into usernames

Anybody got a suggestion here?
msg5936 Author: [hidden] (rouilj) Date: 2017-02-26 03:57
I created an auditor in my tracker. Recording the details here in case
they are useful before we get the core fixed:

in existing userauditor.py added:

valid_username = re.compile('^[a-z0-9_@!%.-]+$', re.IGNORECASE)

at the top of the file.

Added to audit_user_fields:

    if 'username' in newvalues:
        if not valid_username.match(newvalues['username']):
            raise ValueError, "Username/Login Name must consist only of
the letters a-z (any case), digits 0-9 and the symbols: @._-!%"invalid
"%s"'%address


This should allow email addresses as usernames.
History
Date User Action Args
2017-02-26 03:57:16rouiljsetmessages: + msg5936
2016-08-13 01:17:29rouiljsetmessages: + msg5892
2016-07-20 06:01:47schlatterbecksetmessages: + msg5879
2016-07-20 01:11:38rouiljsetnosy: + schlatterbeck, ber
type: security
messages: + msg5878
title: Can create username with , in it. Confuses nosy list editing. -> Can create login name with , in it. Confuses nosy list editing. Also can embed html tags.
2016-07-06 03:01:39rouiljsetmessages: + msg5768
2016-07-06 02:20:15rouiljcreate