passwordauth: Don't allow registering accounts that look like openids.
Also prohibit @ in account names, in case the file regexp was relaxed to allow it.master
parent
804144402b
commit
85a529db3d
|
@ -251,6 +251,12 @@ sub formbuilder_setup (@) {
|
||||||
my $name=shift;
|
my $name=shift;
|
||||||
length $name &&
|
length $name &&
|
||||||
$name=~/$config{wiki_file_regexp}/ &&
|
$name=~/$config{wiki_file_regexp}/ &&
|
||||||
|
# don't allow registering
|
||||||
|
# accounts that look like
|
||||||
|
# openids, or email
|
||||||
|
# addresses, even if the
|
||||||
|
# file regexp allows it
|
||||||
|
$name!~/[\/:\@]/ &&
|
||||||
! IkiWiki::userinfo_get($name, "regdate");
|
! IkiWiki::userinfo_get($name, "regdate");
|
||||||
},
|
},
|
||||||
);
|
);
|
||||||
|
|
|
@ -9,6 +9,7 @@ ikiwiki (3.20150330) UNRELEASED; urgency=medium
|
||||||
they don't have an openid.
|
they don't have an openid.
|
||||||
* Converted openid-selector into a more generic loginselector helper
|
* Converted openid-selector into a more generic loginselector helper
|
||||||
plugin.
|
plugin.
|
||||||
|
* passwordauth: Don't allow registering accounts that look like openids.
|
||||||
|
|
||||||
-- Joey Hess <id@joeyh.name> Tue, 28 Apr 2015 12:24:08 -0400
|
-- Joey Hess <id@joeyh.name> Tue, 28 Apr 2015 12:24:08 -0400
|
||||||
|
|
||||||
|
|
|
@ -94,3 +94,13 @@ Thoughts?
|
||||||
> I always find it a little ackward that i have two different accounts on this wiki: one for OpenID, and the other (regular account) for email notifications (because of [[bugs/notifyemail_fails_with_some_openid_providers/]]). It seems to me those accounts should just be merged as one, ie. I was expecting to be able to choose a username when i registered with openid.
|
> I always find it a little ackward that i have two different accounts on this wiki: one for OpenID, and the other (regular account) for email notifications (because of [[bugs/notifyemail_fails_with_some_openid_providers/]]). It seems to me those accounts should just be merged as one, ie. I was expecting to be able to choose a username when i registered with openid.
|
||||||
>
|
>
|
||||||
> Also, when you talk about "separating authentication from authorization", i immediately thought of [[todo/ACL/]] and [[todo/Zoned_ikiwiki/]], so i thought i could mention those... having stability in the usernames would help in the design of those... --[[anarcat]]
|
> Also, when you talk about "separating authentication from authorization", i immediately thought of [[todo/ACL/]] and [[todo/Zoned_ikiwiki/]], so i thought i could mention those... having stability in the usernames would help in the design of those... --[[anarcat]]
|
||||||
|
|
||||||
|
> I'm not against this, but I don't anticipate having resources to do any
|
||||||
|
> work on it either. --[[Joey]]
|
||||||
|
|
||||||
|
> I have fixed passwordauth to not let urls be registered. It seems this
|
||||||
|
> was not quite a security hole; it didn't let registering a name that
|
||||||
|
> already existed, so if an openid was an admin, as long as the user logged
|
||||||
|
> in using that openid, someone else couldn't come along and passwordauth
|
||||||
|
> collide with it. (Might be exploitable if you could guess an openid that
|
||||||
|
> was going to be added as an admin though.) --[[Joey]]
|
||||||
|
|
Loading…
Reference in New Issue