[katello-devel] Username constraint
Lukas Zapletal
lzap at redhat.com
Wed Jan 25 13:52:06 UTC 2012
Hey,
I was working on a very interesting bug today, looks like a bug in Rails3
or the httpd proxy module. But I hit another issue.
Since we use HTTP BASIC auth for our CLI client (which is fine - it is
safe over HTTPS) we MUST NOT allow ":" character in the username. On top
of that, this character MUST NOT appear in the UTF-8 encoded sequence.
The reason is very simple - for HTTP BASIC AUTH the encoding scheme is
base64_encode(username:password)
and servers/stacks, including Rails3, just decode the stuff and then
split the string into two with the limit of two. If there is a ":"
character, authentication will likely fail.
The very same goes for rhsm, which also sends out HTTP BASIC headers. But
jbowes confirmed to me that candlepin usernames are only [a-zA-Z] or something.
So it is only a Katello issue.
It is easy to put a constraint on the ":" character, but if we support
UTF-8 usernames, we should add one additional test when a user is created.
The username must not contain ":" in the clear form, and also not in the
UTF-8 form.
What do you think? Should we raise an RFE RHBZ?
LZ
--
Later,
Lukas Zapletal | E32E400A
RHN Satellite Engineering
Red Hat Czech s.r.o. Brno
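As an added illustration of the failure mode described in the message above (this is example code written for this page, not Katello's or Rails' own code): the client builds the Basic header from "username:password", the server base64-decodes it and splits on the first ":" only, so a ":" inside the username shifts everything after it into the password. The helper names (basic_auth_header, decode_basic_auth, credentials_survive?, username_valid?) and the sample credentials are assumptions made up for this example; the decoding mirrors what Rails 3's HttpAuthentication::Basic does rather than calling it.

```ruby
# Added example: HTTP Basic auth round-trip and a username check for ":".
# Helper names and sample credentials are made up for this illustration.

# Build an Authorization header the way an HTTP Basic client (e.g. a CLI)
# does. ["..."].pack("m0") is strict base64 without line breaks, the same
# output as Base64.strict_encode64.
def basic_auth_header(username, password)
  "Basic " + ["#{username}:#{password}"].pack("m0")
end

# Decode the header the way a Rails 3 style server does: base64-decode the
# token and split it into at most two parts on the first ":".
# The decoded bytes come back as ASCII-8BIT, so they are re-tagged as UTF-8
# before the comparison with the original strings.
def decode_basic_auth(header)
  scheme, token = header.split(" ", 2)
  raise ArgumentError, "not a Basic auth header" unless scheme == "Basic" && token
  token.unpack1("m").force_encoding("UTF-8").split(":", 2)
end

# True when the server recovers exactly the credentials the client sent.
def credentials_survive?(username, password)
  decode_basic_auth(basic_auth_header(username, password)) == [username, password]
end

# Validation to run when a user is created: reject any username whose UTF-8
# byte sequence contains the ":" byte (0x3A). Working on bytes rather than
# characters covers both the "clear form" and the "UTF-8 form" at once.
COLON_BYTE = ":".ord # 0x3A

def username_valid?(username)
  !username.encode("UTF-8").bytes.include?(COLON_BYTE)
end

if __FILE__ == $0
  # Constructed sample credentials for the demonstration.
  [["lzap", "s3cret"], ["lzap:admin", "s3cret"], ["žluťoučký", "kůň"]].each do |user, pass|
    decoded = decode_basic_auth(basic_auth_header(user, pass))
    puts "#{user.inspect} valid=#{username_valid?(user)} decoded=#{decoded.inspect}"
  end
end
```

Because every byte of a multi-byte UTF-8 sequence is 0x80 or above, the 0x3A byte can only come from a literal ASCII colon, so checking the encoded bytes is sufficient and does not reject legitimate non-ASCII usernames.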