[katello-devel] Username constraint

Bryan Kearney bkearney at redhat.com
Wed Jan 25 14:00:12 UTC 2012


On 01/25/2012 08:58 AM, Jason Rist wrote:
> On Wed 25 Jan 2012 06:52:06 AM MST, Lukas Zapletal wrote:
>> Hey,
>>
>> I was working on a very interesting bug today, looks like a bug in Rails3
>> or httpd proxy module. But I hit another issue.
>>
>> Since we use HTTP BASIC auth for our CLI client (which is fine - it is
>> safe over HTTPS) we MUST NOT allow ":" character in the username. On top
>> of that, this character MUST NOT appear in the UTF-8 encoded sequence.
>>
>> The reason is very simple - for HTTP BASIC AUTH the encoding scheme is
>>
>> base64_encode(username:password)
>>
>> and servers/stacks, including Rails3, just decode the stuff and then
>> split the string into two with the limit of two. If there is a ":"
>> character, authentication will likely fail.
>>
>> The very same for rhsm which also sends out HTTP BASIC headers. But
>> jbowes confirmed to me candlepin usernames are only [a-zA-Z] or something.
>> So it is only a Katello issue.
>>
>> It is easy to put a constraint on the ":" character, but if we support
>> UTF-8 usernames, we should add one additional test when a user is created.
>> Username must not contain ":" in the clear form, and also in the UTF-8
>> form.
>>
>> What do you think? Should we raise an RFE RHBZ?
>>
>> LZ
>>
>
> I think it's perfectly reasonable to limit usernames to not include a
> colon (:).
>
> -J
>
+1

-- bk
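As an added illustration of the exchange above (example code written for this page, not code from the Katello project or from any of the thread's authors): a minimal Ruby model of the HTTP Basic round trip, the server-side decode-then-split-with-limit-2 step the thread describes, and the user-creation check that rejects ":" both as a character and as a byte of the UTF-8 encoded form. The function names `basic_auth_header`, `parse_basic_auth` and `valid_username?` are assumptions, as are the sample usernames and passwords. Because every non-ASCII character in UTF-8 is encoded only with bytes 0x80 and above, the byte 0x3A can only ever be an ASCII colon, so the two checks always agree; the byte-level check is kept here because the thread asks for it explicitly.

```ruby
require 'base64'

# Client side: how a CLI client builds the Authorization header.
# (Constructed helper; not Katello code.)
def basic_auth_header(username, password)
  'Basic ' + Base64.strict_encode64("#{username}:#{password}")
end

# Server side: the way a Rack/Rails-style stack recovers the credentials.
# It decodes the base64 payload and splits on the FIRST ":" only (limit 2),
# so a colon in the password is harmless but a colon in the username
# moves everything after it into the password field.
def parse_basic_auth(header)
  scheme, encoded = header.to_s.split(' ', 2)
  return nil unless scheme == 'Basic' && encoded
  decoded = Base64.decode64(encoded).force_encoding('UTF-8')
  return nil unless decoded.valid_encoding?
  user, pass = decoded.split(':', 2)
  [user, pass]
end

COLON_BYTE = 0x3A # ASCII ':'

# Validation to run when a user is created: reject ":" in the clear form
# (character check) and in the UTF-8 encoded form (byte check).
def valid_username?(username)
  utf8 = username.encode('UTF-8')
  return false if utf8.empty?
  return false if utf8.include?(':')            # clear-form check
  return false if utf8.bytes.include?(COLON_BYTE) # UTF-8 byte check
  true
end

if __FILE__ == $0
  # Constructed sample credentials.
  [['alice', 's3cret'], ['alice', 'p:w'], ['al:ice', 's3cret'],
   ['žluťoučký', 'kůň']].each do |user, pass|
    parsed = parse_basic_auth(basic_auth_header(user, pass))
    puts "#{user.inspect} valid=#{valid_username?(user)} parsed=#{parsed.inspect}"
  end
end
```

Running the block shows that "alice" with password "p:w" round-trips intact, that "al:ice" comes back as user "al" with password "ice:s3cret" (the authentication failure Lukas describes), and that a non-ASCII username such as "žluťoučký" passes the check and round-trips cleanly.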
