This repository has been archived by the owner on Nov 25, 2020. It is now read-only.
When a user id consists of Japanese characters (for example “てすと”), meta.git makes a commit with the system default author (not the user id) and a wrong message like “--author= mail@mail.com”.
I guess that some sanitizing process makes the variable $userid empty at meta.git as a result.
In 6.x, the author is properly set in the commit log made by meta.git in any case. However, in 7.x, the commit log made by meta.git is broken if the user id consists of chars that are invalid for SANITIZE_EMAILCHARS.
I think chars in the userid should not be replaced by an empty string at the input stage; instead, special chars should be escaped at the output stage.
For example:
- keep the original user id in variables always.
- replace XSS chars with HTML character entity references when you output the user id to the screen
- escape special chars for LDAP when you build an LDAP filter query
- and so on.
If sanitizing input is mandatory for security reasons, I suggest validating input instead of sanitizing it.
User ids should be validated when getting the result of listUsersPaginated() of AuthDriver, and users whose user id contains invalid chars should not be listed. A sanitized user id may cause unexpected problems.
By the way, according to RFC 6531, SMTPUTF8 permits international chars (above U+007F) encoded in UTF-8. I suggest making SANITIZE_EMAILCHARS permit international chars.
Note:
This issue is from https://pydio.com/forum/f/topic/after-upgrade-to-pydio-6-2-2-unable-to-login-if-user-id-includes-slash/
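As an added illustration (not code from this issue or from Pydio), a Python sketch of the distinction the report draws: an ASCII allow-list sanitizer modelled on the described behaviour empties a Japanese user id, so the git author argument degenerates to `--author= <mail>`, while a validator that accepts non-ASCII letters (as RFC 6531 permits) keeps the id intact and rejects ids containing characters such as `/` instead of silently rewriting them. The function names, the allow-list and the NFC check are assumptions, not Pydio's real SANITIZE_EMAILCHARS code.

```python
import re
import unicodedata

# Constructed ASCII-only allow-list, modelled on the behaviour the report
# describes (not the real SANITIZE_EMAILCHARS implementation).
ASCII_EMAIL_CHARS = re.compile(r"[^A-Za-z0-9._@+\-]")


def sanitize_emailchars(userid: str) -> str:
    """Lossy sanitizing: strip every char outside the ASCII allow-list.
    A purely Japanese id such as 'てすと' comes back as ''."""
    return ASCII_EMAIL_CHARS.sub("", userid)


def git_commit_argv(userid: str, email: str, message: str) -> list:
    """Build the git argv with --author as ONE argv element (no shell string),
    so the id is never re-parsed by a shell. With an emptied userid the
    author element degenerates to '--author= <email>', as the report shows."""
    return ["git", "commit", "-m", message, f"--author={userid} <{email}>"]


def validate_userid(userid: str) -> bool:
    """Validate instead of sanitize: accept any Unicode letter or digit plus a
    few ASCII punctuation chars (RFC 6531 allows code points above U+007F in
    SMTPUTF8 local parts); reject everything else (slash, space, <, >, control
    chars). Requires NFC-normalised, non-empty input; the caller should skip
    users that fail this check rather than rewrite their ids."""
    if not userid or userid != unicodedata.normalize("NFC", userid):
        return False
    for ch in userid:
        if unicodedata.category(ch)[0] in ("L", "N") or ch in "._-+":
            continue
        return False
    return True


if __name__ == "__main__":
    bad = sanitize_emailchars("てすと")          # '' after sanitizing
    print(git_commit_argv(bad, "mail@mail.com", "update"))
    print(validate_userid("てすと"), validate_userid("te/st"))
```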