
On Windows, if NTLM is switched on and a user tries to register, their login name will be pre-populated in the following format:

Domain\Username

Once the registration is completed, the TWikiUsers page shows the login name as:

DomainUsername

The slash has been stripped from between the domain and the username. This then breaks the linkage of login name and twiki name.

There are a number of solutions in the following page http://twiki.org/cgi-bin/view/Support/LoginNameAndNtlm but mostly they refer to stripping the Domain\ from the login name. This is a security issue as someone from Domain1\Username1 could log on as Domain2\Username1.

Ultimately this means that every time a user registers, the TWikiUsers page has to be updated to re-insert the slash.


Change line 1210 of lib/TWiki/UI/Register.pm from
                $value =~ s/[^\w]//g;
to
                #$value =~ s/[^\w]//g;
and try again. If it works now, please report back here and I'll check in the fix.

CC


Yes, this solved the problem. Thanks.

-- TWiki:Main.NiallMccullagh

Good. I checked in SVN 7413. There is a (small) risk of an exploit resulting from funny chars in a login name, though I can't find one myself. If anyone else can find one, I'll buy them a beer! CC


dunno if it applies here or not, but the samba convention for dealing with the backslash character is to replace it with a plus sign: domain+username --MW

Doesn't apply here, I'm afraid CC


Sorry to be so stubborn. I am reopening this item because the attack with embedded newline in the login name which I've posted to twiki-dev still works. This is a security hole, so I'm categorizing it as a "Requirement". The fix is pretty easy: Applying the patch here does not break NTLM, because '\' is allowed in $TWiki::cfg{NameFilter}. (And I deleted the crap I've been writing earlier)
Index: lib/TWiki/UI/Register.pm
===================================================================
--- lib/TWiki/UI/Register.pm    (Revision 7462)
+++ lib/TWiki/UI/Register.pm    (Arbeitskopie)
@@ -1206,10 +1206,8 @@
             } elsif ( $name eq 'Confirm' ) {
                 $data->{passwordB} = $value;
             } elsif( $name eq 'LoginName' ) {
-                # Sanitise login name
-                #$value =~ s/[^\w]//g;
-                # commented out because login names need to be any
-                # printable char sequence, and may include utf-8.
+                # Sanitize login name consistently with Users.pm
+                $value =~ s/$TWiki::cfg{NameFilter}//go;
             }
 
             # 'WikiName' omitted because they can't
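Review bot: the new line `$value =~ s/$TWiki::cfg{NameFilter}//go;` silently deletes whatever NameFilter matches, so a login name containing a filtered character is stored differently from what the user typed, which is the same failure mode that turned Domain\Username into DomainUsername earlier in this item; consider rejecting the registration, or at least showing the user the filtered name, when the value changes instead of stripping in silence. Also confirm that the configured NameFilter actually matches \n and \r, since the reopened case is the embedded newline: if the filter lists only punctuation, this hunk does not close that hole. The comment "Sanitize login name consistently with Users.pm" only holds while both places read the same config key; it would help to say so in the comment.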
-- TWiki:Main.HaraldJoerg
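An added example, not TWiki's own code and not from either poster, that contrasts the three login-name sanitisation strategies this item went through: the original s/[^\w]//g, the SVN 7413 state with no filter, and the NameFilter-based strip from the patch above. The NameFilter value here is an assumption modelled on the shape of TWiki's default (whitespace, metacharacters, C0 control characters); it keeps the backslash and removes newlines, which is exactly the property the patch relies on.

```perl
#!/usr/bin/perl
# Added example (not TWiki's code): run a Domain\Username login name and a
# login name with an embedded newline through the three sanitisation
# strategies discussed in this item and show what each one stores.
use strict;
use warnings;

# Assumed filter, modelled on TWiki's default: whitespace (including \n),
# shell/wiki metacharacters and C0 control characters. Backslash is allowed.
my %cfg = ( NameFilter => q{[\s\*?~^\$@%`"'&;|<>\x00-\x1f]} );

# Register.pm before SVN 7413: strips everything but \w, so the backslash in
# Domain\Username is lost and the TWikiUsers linkage breaks.
sub strip_nonword {
    my ($value) = @_;
    $value =~ s/[^\w]//g;
    return $value;
}

# SVN 7413: no sanitising at all; a newline survives and ends the line that
# registration appends to TWikiUsers.
sub no_filter { return $_[0]; }

# SVN 7503 (the patch above): strip only what NameFilter matches.
sub name_filter {
    my ($value) = @_;
    $value =~ s/$cfg{NameFilter}//go;
    return $value;
}

# Constructed sample login names: one NTLM-style, one carrying a newline
# followed by text shaped like a TWikiUsers entry.
my @samples = ( "CORP\\jdoe", "jdoe\n   * Main.Admin - admin - 01 Jan 2005" );

for my $login (@samples) {
    for my $f ( [ 'strip_nonword', \&strip_nonword ],
                [ 'no_filter',     \&no_filter ],
                [ 'name_filter',   \&name_filter ] ) {
        my ( $label, $code ) = @$f;
        my $out = $code->($login);
        # Make control characters visible so each result fits on one line.
        ( my $shown = $out ) =~ s/([\x00-\x1f])/sprintf('\\x%02x', ord $1)/ge;
        printf "%-14s %s\n", $label, $shown;
    }
    print "\n";
}
```

Only name_filter keeps CORP\jdoe intact while also removing the newline from the second sample; strip_nonword mangles the first, and no_filter passes the newline through untouched.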

SVN 7503 CC

ItemTemplate
Summary: TWiki username with login name linkage fails if login name in the format of Domain\Username
ReportedBy: NiallMccullagh
AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: 7413 7503
Topic revision: r10 - 2005-11-17 - CrawfordCurrie
This site is powered by the TWiki collaboration platform. Powered by Perl. Copyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.