On Windows, if ntlm is switched on and a user tries to register their login name will be pre-populated in the following format
Domain\Username
Once the registration is completed the
TWikiUsers page shows the login name as
DomainUsername
The slash has been stripped from between the domain and the username. This then breaks the linkage of login name and twiki name.
There are a number of solutions in the following page
http://twiki.org/cgi-bin/view/Support/LoginNameAndNtlm
but mostly they refer to stripping the Domain\ from the login name. This is a security issue as someone from Domain1\Username1
could log on as Domain2\Username1.
Utimately this means that everytime a user registers, the
TWikiUsers page has to be updated to re-insert the slash.
Change line 1210 of lib/TWiki/UI/Register.pm from
$value =~ s/[^\w]//g;
to
#$value =~ s/[^\w]//g;
and try again. If it works now, please report back here and I'll check in the fix.
CC
Yes, this solved the problem. Thanks.
--
TWiki:Main.NiallMccullagh
Good. I checked in SVN 7413. There is a (small) risk of an exploit resulting from funny chars in a login name, though I can't find one myself. If anyone else can find one, I'll but them a beer!
CC
dunno if it applies here or not, but the samba convention for dealing with the backslash character is to replace it with a plus sign:
domain+username
--
MW
Doesn't apply here, I'm afraid
CC
Sorry to be so stubborn. I am reopening this item because the attack with embedded newline in the login name which I've posted to twiki-dev still works. This
is a security hole, so I'm categorizing it as a "Requirement". The fix is pretty easy: Applying the patch here does not break NTLM, because '\' is allowed in
$TWiki::cfg{NameFilter}
.
(And I deleted the crap I've been writing earlier)
Index: lib/TWiki/UI/Register.pm
===================================================================
--- lib/TWiki/UI/Register.pm (Revision 7462)
+++ lib/TWiki/UI/Register.pm (Arbeitskopie)
@@ -1206,10 +1206,8 @@
} elsif ( $name eq 'Confirm' ) {
$data->{passwordB} = $value;
} elsif( $name eq 'LoginName' ) {
- # Sanitise login name
- #$value =~ s/[^\w]//g;
- # commented out because login names need to be any
- # printable char sequence, and may include utf-8.
+ # Sanitize login name consistently with Users.pm
+ $value =~ s/$TWiki::cfg{NameFilter}//go;
}
# 'WikiName' omitted because they can't
--
TWiki:Main.HaraldJoerg
SVN 7503
CC