Users on my wiki are accustomed to using login names like "Joe Blog" rather than "JoeBlog". When they register on the wiki, they get the name "JoeBlog". Then they forget the name, and then try to reset the password for "Joe Blog", which TWiki does without complaining (this is the bug). They get a mail to say the password was reset for "Joe Blog". A new line is created in .htpasswd. But "Joe Blog" cannot log into the TWiki.
My favourite fix would be to remove the space from the username that is entered, so that "Joe Blog" can log in as "JoeBlog".
--
TWiki:Main.JohnFitzpatrick
- 26 Mar 2007
I am actually even more concerned that a name that does not exist ends up in .htpasswd
--
TWiki:Main.KennethLavrsen
- 26 Mar 2007
Just tried a little more. You cannot create a "Kenneth Lavrsen" user in .htpasswd unless there is a "KennethLavrsen".
So it seems the reset password first removes the space when looking up if the user exists but then fails to remove the space when it adds the entry to .htpasswd. This needs to be fixed and I agree that TWiki should reject the user as unknown.
This is not directly a security issue. At least I do not know how one would abuse it. But just in case, let us do this urgently. I.e. fix also in Patch branch.
--
TWiki:Main.KennethLavrsen
- 26 Mar 2007
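To make the lookup/write mismatch concrete, here is a small Python model of the reset-password flow (an added example, not TWiki's own Perl code). It assumes a hypothetical normalize_login() that strips whitespace, an in-memory .htpasswd in Apache "{SHA}" format with constructed entries (both sample users have the password "password"), and a login check that applies the same normalization, which is John's suggested fix. reset_password_buggy() reproduces the reported behaviour (normalized lookup, raw-name write, so a stray "Joe Blog" line appears while "JoeBlog" keeps the old hash); reset_password_fixed() normalizes once, uses the canonical name for both lookup and write, and rejects unknown users instead of creating them.

```python
import base64
import hashlib
import re

# Constructed sample .htpasswd contents; only "JoeBlog" and
# "KennethLavrsen" exist, both with the password "password".
SAMPLE_HTPASSWD = """JoeBlog:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
KennethLavrsen:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def sha_hash(password: str) -> str:
    """Apache-style {SHA} entry: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def normalize_login(name: str) -> str:
    """Hypothetical canonical form of a login name: drop all whitespace,
    so "Joe Blog" and "JoeBlog" refer to the same .htpasswd entry."""
    return re.sub(r"\s+", "", name)


def parse_htpasswd(text: str) -> dict:
    """Map login -> password hash, keeping file order."""
    entries = {}
    for line in text.splitlines():
        if ":" in line:
            login, _, pwhash = line.partition(":")
            entries[login] = pwhash
    return entries


def serialize_htpasswd(entries: dict) -> str:
    return "".join(f"{login}:{pwhash}\n" for login, pwhash in entries.items())


def can_login(text: str, name: str, password: str) -> bool:
    """Login check that normalizes the entered name before the lookup."""
    entries = parse_htpasswd(text)
    return entries.get(normalize_login(name)) == sha_hash(password)


def reset_password_buggy(text: str, requested: str, new_password: str) -> str:
    """Reproduces the reported bug: the existence check uses the
    normalized name, but the write uses the raw name as typed."""
    entries = parse_htpasswd(text)
    if normalize_login(requested) not in entries:
        raise KeyError(f"unknown user {requested!r}")
    # Raw name -> a brand-new "Joe Blog" line; "JoeBlog" is untouched.
    entries[requested] = sha_hash(new_password)
    return serialize_htpasswd(entries)


def reset_password_fixed(text: str, requested: str, new_password: str) -> str:
    """Normalize once, use the canonical name for lookup AND write,
    and never create an entry on a reset."""
    entries = parse_htpasswd(text)
    login = normalize_login(requested)
    if login not in entries:
        raise KeyError(f"unknown user {requested!r}")
    entries[login] = sha_hash(new_password)
    return serialize_htpasswd(entries)


if __name__ == "__main__":
    buggy = reset_password_buggy(SAMPLE_HTPASSWD, "Joe Blog", "newpass")
    print("buggy file:\n" + buggy)
    print("Joe Blog can log in after buggy reset:", can_login(buggy, "Joe Blog", "newpass"))
    fixed = reset_password_fixed(SAMPLE_HTPASSWD, "Joe Blog", "newpass")
    print("fixed file:\n" + fixed)
    print("Joe Blog can log in after fixed reset:", can_login(fixed, "Joe Blog", "newpass"))
```

Running it shows the buggy variant growing the file to three lines while the real "JoeBlog" entry keeps its old hash, which is exactly why the user still cannot log in; the fixed variant keeps two lines, updates "JoeBlog", and raises for a name such as "No Body" that has no canonical entry.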
The fix on the patch branch needs to be explored. There was a comment there that suggested there may be a scenario where a missing user is OK. Please try registering a new user, bulk registering etc., just to make sure. All the tests pass.
CC