Searched hist:"5f18fdf30e4325978c0fb77c25bf7eff96de9394" (Results 1 – 2 of 2) sorted by relevance
| /dokuwiki/lib/plugins/authplain/_test/ |
| escaping.test.php | 5f18fdf30e4325978c0fb77c25bf7eff96de9394 Tue Dec 14 16:44:48 UTC 2021 Andreas Gohr <andi@splitbrain.org> authplain: properly clean user names |
The authplain module uses cleanID to clean usernames to make them valid pagenames. However, namespaces should not be used in usernames.
For that, cleanUser and cleanGroup replaced colons in given names. But depending on the wiki configuration useslash, semicolons and slashes may also be used as namespace separators. cleanID would replace those with colons, reintroducing colons into the names.
The problem was reported in a forum post where spammers tried to register http addresses as user names:
https://forum.dokuwiki.org/d/19796-spammers-with-in-their-name
Users with colons were correctly saved (the colon is escaped in the user file) but could probably not log in (unless using a slash or semicolon instead of the colon). Since usernames are cleaned in many places in DokuWiki, such a logged-in user was probably not recognized correctly.
Because of the proper colon escaping when saving the user file, I don't see any security issue arising from this. E.g. it was not possible to trip up the user loading mechanism.
Note: Previously created users containing colons cannot be deleted via the user manager, because displayed usernames are cleaned again, which will remove the colons.
| /dokuwiki/lib/plugins/authplain/ |
| auth.php | 5f18fdf30e4325978c0fb77c25bf7eff96de9394 Tue Dec 14 16:44:48 UTC 2021 Andreas Gohr <andi@splitbrain.org> authplain: properly clean user names |