Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/03/13 22:58:05 UTC

[GitHub] [couchdb-fauxton] jausions opened a new issue #1250: Fauxton accepts usernames/passwords with colon, semicolon, slash, or equal sign

URL: https://github.com/apache/couchdb-fauxton/issues/1250
 
 
   ## Description
   
   ### Semicolon `;`
   
   It is currently possible, via Fauxton, to create admin usernames starting with a semicolon `;`. We can log in with them; however, upon restart of the CouchDB service, these accounts are not active anymore. Evidently, because the usernames are added as they are to the .ini file, they become comment lines.
   
   ### Slashes `/`
   
   For slashes, it is possible to submit the form on Fauxton to create a username (such as `withslash/`), but the slash itself is stripped when the account is actually created.
   
   ### Equal sign `=`
   
   For the equal sign, it is possible to create the account and to log in with it. However, upon restart of CouchDB, the remaining username is the part before the equal sign, with the password rehashed with the second part of the username (since CouchDB hashes the plaintext password in the .ini file).
   
   ### Colon `:`
   
   For the colon, it is possible to create the account, and it persists in the .ini file. However, the login does not work properly. Upon submitting the login form on Fauxton, we get a valid JSON response from the server with the user info payload, but any subsequent requests fail.
   
   It is also a problem with Basic HTTP Authentication, as usernames can't have colons.
   
   ## Steps to Reproduce
   
   Fauxton : Your Account : Create Server Admin
   Username: `;semicolon`
   Username: `withslash/`
   Username: `my = user`
   Username: `with:colon`
   
   ## Expected Behaviour
   
   Don't allow such usernames to be created.
   
   ## Your Environment
   
   * CouchDB Version used: 2.3.1
   * Browser name and version: Chrome 77
   * Operating System and version: Windows 10
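
The restart behaviour reported above, next to the kind of check the "Expected Behaviour" section asks for, as an added example that is not part of the original issue and is not Fauxton or CouchDB code. `checkAdminUsername` and `iniRoundTrip` are hypothetical names, and the .ini handling is a simplified model that assumes comment lines start with `;` and that key and value are split at the first `=`.

```javascript
// Characters the issue reports as mishandled in admin usernames.
const RULES = [
  { test: (n) => n.startsWith(';'), reason: 'leading ";" turns the .ini line into a comment' },
  { test: (n) => n.includes('='), reason: '"=" splits the .ini line early' },
  { test: (n) => n.includes(':'), reason: '":" breaks login and HTTP Basic auth' },
  { test: (n) => n.includes('/'), reason: '"/" is stripped on creation' },
];

// Returns the reasons a username should be rejected (empty array = acceptable).
function checkAdminUsername(name) {
  return RULES.filter((r) => r.test(name)).map((r) => r.reason);
}

// Simplified model (assumption) of an [admins] section round trip:
// each admin is written as "name = password", then re-read on restart by
// skipping lines that start with ";" and splitting at the first "=".
function iniRoundTrip(admins) {
  const lines = admins.map(({ name, password }) => `${name} = ${password}`);
  const reloaded = {};
  for (const line of lines) {
    if (line.trimStart().startsWith(';')) continue; // read back as a comment
    const idx = line.indexOf('=');
    if (idx === -1) continue;
    reloaded[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return reloaded;
}

// Constructed sample input, using usernames from the report.
const sample = [
  { name: ';semicolon', password: 'pw1' },
  { name: 'my = user', password: 'pw2' },
  { name: 'plainadmin', password: 'pw3' },
];
for (const { name } of sample) {
  console.log(JSON.stringify(name), checkAdminUsername(name));
}
// ";semicolon" disappears; "my = user" comes back as "my" with a different secret.
console.log(iniRoundTrip(sample));
```

Running the same check on the server side as well as in the form keeps direct API or config-file edits from bypassing it.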
