• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item3812: Space in username not rejected when resetting password

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Urgent Closed   minor 4.1.3, 4.2.0

Edit Form Data

Reported By:
Applies To:
Current State:
Waiting For:
Target Release:
Released In:


Users on my wiki are accustomed to using login names like "Joe Blog" rather than "JoeBlog". When they register on the wiki, they get the name "JoeBlog". Then they forget the name. And then try to reset the password for "Joe Blog". Which Twiki does without complaining (this is the bug). They get a mail to say the password was reset for "Joe Blog". A new line is created in .htpassword. But "Joe Blog" cannot log into the TWiki.

My favourite fix would be to remove the space from the username that is entered, so that "joe Blog" can login in as "JoeBlog".

-- TWiki:Main/JohnFitzpatrick - 26 Mar 2007

I am actually even more concerned that a name that does not exist ends up in .htpasswd

-- TWiki:Main.KennethLavrsen - 26 Mar 2007

Just tried a little more. You cannot create a "Kenneth Lavrsen" user in .htpasswd unless there is a "KennethLavrsen".

So it seems the reset password first removes the space when looking up if the user exists but then fail to remove the space when it adds the entry to .htpasswd. This needs to be fixed and I agree that TWiki should reject the user as unknown.

This is not directly a security issue. At least I do not know how one would abuse it. But just in case - lets us do this urgently. Ie. fix also in Patch branch.

-- TWiki:Main.KennethLavrsen - 26 Mar 2007

The fix on the patch branch needs to be explored. There was a comment there that suggested there may be a scenario where a missing user is OK. Please try registering a new user, bulk registering etc just to make sure. All the tests pass.


Summary Space in username not rejected when resetting password
ReportedBy TWiki:Main.JohnFitzpatrick
Codebase 4.1.1
SVN Range

AppliesTo Engine

Priority Urgent
CurrentState Closed

Checkins TWikirev:13288 TWikirev:13289
TargetRelease minor
ReleasedIn 4.1.3, 4.2.0
Edit | Attach | Watch | Print version | History: r9 < r8 < r7 < r6 < r5 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r9 - 2008-01-22 - KennethLavrsen
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback