#7575 closed defect (duplicate)
Supplying username allows \r in name
Reported by: | anonymous | Owned by: | John Hampton |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | normal | Keywords: | user register name check |
Cc: | Trac Release: | 0.11 |
Description
I constantly get users in the database which have been created by spammers. It is impossible to delete these when they have a \r in the username, as all web interfaces fail to handle these correctly. Creating such users should be prevented.
Change History (3)
comment:1 Changed 14 years ago by
Keywords: | user register name check added |
---|---|
Resolution: | → duplicate |
Status: | new → closed |
comment:2 follow-up: 3 Changed 14 years ago by
Well, when the "\r" in user name is supported, then the remaining functions also need to support it - namely the delete user function :-)
comment:3 Changed 14 years ago by
Replying to anonymous:
Well, when the "\r" in user name is supported, then the remaining functions also need to support it - namely the delete user function :-)
Good point, one more to think it twice again. Admittedly I've not thought much about that lately.
The proposed patch for #5295 allows for white-listing arbitrary usernames by admin-supplied regexp.
Certainly there are applications that could still allow \r in usernames, so we shouldn't hard-code a solution for this issue anyway. Previously I tended not to implement the regexp extension introduced by a patch to the aforementioned ticket, but now this is a valid use case.
I still have to think about a meaningful error message, since reporting a regexp to the average user in cleartext, as was suggested, looks definitely flawed to me.
Anyway, we'll stick to the pre-existing proposal.
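Added example, not code from AccountManagerPlugin or from the #5295 patch: a sketch of registration-time username validation against an admin-supplied regexp, with control characters such as \r refused unless explicitly allowed and a generic error that never echoes the regexp. The pattern, the message text and all function names are assumptions made for illustration.

```python
import re
import unicodedata

# Hypothetical admin-supplied whitelist (an assumption, not a plugin default).
ADMIN_USERNAME_PATTERN = r"[A-Za-z0-9_.@-]{1,64}"
# Generic message shown to the user; the regexp itself is never echoed.
GENERIC_ERROR = "This username contains characters that are not allowed."


class UsernameRejected(ValueError):
    """Raised when a proposed username fails validation."""


def has_control_chars(name):
    # Cc = control (\r, \n, NUL, ...), Cf = invisible format characters,
    # Zl/Zp = Unicode line and paragraph separators.
    return any(unicodedata.category(c) in ("Cc", "Cf", "Zl", "Zp") for c in name)


def legacy_match(name, pattern):
    # Pitfall kept for comparison: "$" also matches just before a trailing
    # "\n", so an anchored re.match() accepts "alice\n".
    return re.match("^(?:" + pattern + ")$", name) is not None


def validate_username(name, pattern=ADMIN_USERNAME_PATTERN, allow_control=False):
    """Return name if acceptable, otherwise raise UsernameRejected."""
    # Control characters are refused unless the admin opts in explicitly,
    # so a loose pattern such as ".+" does not admit "\r" by accident.
    if not allow_control and has_control_chars(name):
        raise UsernameRejected(GENERIC_ERROR)
    # fullmatch() requires the pattern to consume the entire string.
    if re.fullmatch(pattern, name) is None:
        raise UsernameRejected(GENERIC_ERROR)
    return name


def audit_existing(usernames):
    # repr() makes control characters in stored names visible as escapes.
    return [repr(u) for u in usernames if has_control_chars(u)]
```

audit_existing() can be run over an exported account list to find names that were created before such a check existed.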