[katello-devel] Username constraint

Jason Rist jrist at redhat.com
Wed Jan 25 13:58:59 UTC 2012


On Wed 25 Jan 2012 06:52:06 AM MST, Lukas Zapletal wrote:
> Hey,
>
> I was working on a very interesting bug today, which looks like a bug in Rails3
> or the httpd proxy module. But I hit another issue.
>
> Since we use HTTP BASIC auth for our CLI client (which is fine - it is
> safe over HTTPS) we MUST NOT allow ":" character in the username. On top
> of that, this character MUST NOT appear in the UTF-8 encoded sequence.
>
> The reason is very simple - for HTTP BASIC AUTH the encoding scheme is
>
> base64_encode(username:password)
>
> and servers/stacks, including Rails3, just decode the stuff and then
> split the string into two with the limit of two. If there is a ":"
> character, authentication will likely fail.
>
> The very same for rhsm, which also sends out HTTP BASIC headers. But
> jbowes confirmed to me that candlepin usernames are only [a-zA-Z] or something.
> So it is only a Katello issue.
>
> It is easy to put a constraint for the ":" character, but if we support
> UTF-8 usernames, we should add one additional test when a user is created.
> Username must not contain ":" in the clear form, and also in the UTF-8
> form.
>
> What do you think? Should we raise an RFE RHBZ?
>
> LZ
>

I think it's perfectly reasonable to limit usernames to not include a 
colon (:).

-J

-- 
Jason E. Rist
Senior Software Engineer
Systems Management and Cloud Enablement
Red Hat, Inc.
+1.919.754.4048
Freenode: jrist
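The mechanics Lukas describes, as an added example that is not code from the thread or from Katello: a client builds the `Authorization` header as base64 of `username:password`, the server decodes it and splits on the first ":" only (limit of two), and so a colon inside the username shifts everything after it into the password while a colon inside the password is harmless. The `username_allowed?` policy check below is an assumed helper, not Katello's validator; it tests the UTF-8 byte sequence, which also covers the clear-form check because the byte 0x3A only ever appears in UTF-8 as a literal colon.

```ruby
require 'base64'

# Build an HTTP Basic Authorization header the way a CLI client would.
def basic_auth_header(username, password)
  "Basic " + Base64.strict_encode64("#{username}:#{password}")
end

# Decode the header the way Rails-style stacks do: base64-decode the token,
# then split on the first ":" only (limit of two). Returns [user, pass] or
# nil when the header is not a Basic credential.
def parse_basic_auth(header)
  scheme, token = header.to_s.split(" ", 2)
  return nil unless scheme == "Basic" && token
  user, pass = Base64.decode64(token).split(":", 2)
  [user, pass]
end

# Assumed username policy for user creation: reject any ":" in the username.
# Checking the UTF-8 bytes subsumes the clear-form check, since 0x3A never
# occurs inside a multi-byte UTF-8 sequence.
def username_allowed?(username)
  !username.encode("UTF-8").bytes.include?(0x3A)
end

if __FILE__ == $0
  # Constructed sample credentials, not real accounts.
  p parse_basic_auth(basic_auth_header("alice", "s3cret"))   # ["alice", "s3cret"]
  p parse_basic_auth(basic_auth_header("al:ice", "s3cret"))  # ["al", "ice:s3cret"] -> auth fails
  p parse_basic_auth(basic_auth_header("alice", "pa:ss"))    # ["alice", "pa:ss"]  -> still works
  p username_allowed?("al:ice")                              # false
end
```

In a Rails model this check would live in a custom validation on the username attribute so that the constraint is enforced at creation time rather than discovered at login.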