jausions opened a new issue #1250: Fauxton accepts usernames/passwords with 
colon, semicolon, slash, or equal sign
URL: https://github.com/apache/couchdb-fauxton/issues/1250
 
 
   ## Description
   
   ### Semicolon `;`
   
   It is currently possible, via Fauxton, to create admin usernames starting 
with a semicolon `;`. We can log in with them; however, upon restart of the 
CouchDB service, these accounts are not active anymore. Evidently, since the 
usernames are added as-is to the .ini file, they become comment lines.
   
   ### Slashes `/`
   
   For slashes, it is possible to submit the form on Fauxton to create a 
username (such as `withslash/`), but the slash itself is stripped when the 
account is actually created.
   
   ### Equal sign `=`
   
   For the equal sign, it is possible to create the account and to log in with 
it. However, upon restart of CouchDB, the remaining user name is the part 
before the equal sign, with the password rehashed from the second part of the 
username (since CouchDB hashes the plaintext password in the .ini file).
   
   ### Colon `:`
   
   For the colon, it is possible to create the account and it persists in the 
.ini file. However the login does not work properly. Upon submitting the login 
form on Fauxton we get a valid JSON response from the server with the user info 
payload, but any subsequent requests fail.
   
   It is also a problem with Basic HTTP Authentication, as usernames can't have 
colons.
   
   ## Steps to Reproduce
   
   Fauxton : Your Account : Create Server Admin
   Username: `;semicolon`
   Username: `withslash/`
   Username: `my = user`
   Username: `with:colon`
   
   ## Expected Behaviour
   
   Don't allow such usernames to be created.
   
   ## Your Environment
   
   * CouchDB Version used: 2.3.1
   * Browser name and version: Chrome 77
   * Operating System and version: Windows 10

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 