Single quotes in username are bad #1005

magicalbob · 2014-12-12T22:43:38Z

Adding a user with a single quote in username is accepted by graylog2-web-interface, but you can't log in with that user and you can't delete the user.

Add

        if (username.indexOf("'") > -1 ) {
          validationFailure( createUsernameField, "Username can't have quotes.");
          domElement.setCustomValidity('Username cannot have quotes.');
        } else {
          $.ajax({

.
.
.

          });
        }

to app/assets/javascripts/main.js stops anyone from doing something stupid like putting a single quote in a username.

I'm a newb and haven't worked out how to commit changes .......

The text was updated successfully, but these errors were encountered:

there were two issues: * the rest routes weren't url escaping the path parameters (this creates an implicit dependency on guava > 15.0!) * the api client used MessageFormat to create the path template, but that could kill certain unescaped characters like quotes now users with single or douple quotes in their username will be able to successfully log in fixes graylog-labs/graylog2-web-interface#1005 fixes graylog-labs/graylog2-web-interface#1006

kroepke added bug users labels Jan 12, 2015

kroepke added this to the 0.93 milestone Jan 12, 2015

kroepke self-assigned this Jan 20, 2015

kroepke closed this as completed in Graylog2/graylog2-server@aba165b Jan 20, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Single quotes in username are bad #1005

Single quotes in username are bad #1005

magicalbob commented Dec 12, 2014

Single quotes in username are bad #1005

Single quotes in username are bad #1005

Comments

magicalbob commented Dec 12, 2014