Context Navigation

Modify ↓

#3991 closed defect (invalid)

Case sensitive Authentication, and Case in-sensitive Authorization.

Reported by:	andrew.krock@…	Owned by:	Christopher Lenz
Priority:	highest	Milestone:
Component:	admin/web	Version:	0.9.6
Severity:	critical	Keywords:
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I recently had an issue with my trac install and one of my programers. I am useing the following plugins:

WebAdmin (from the trac website)
TracAccountManager (from trac-hacks)

My new programmer complained that he did not have the adequate permissions that he should have, so I created a test account named "test", and added it to the same permission-groups as that programmers account. All the permissions were set properly, the problem came from the fact that his account name contained uppercase letters. Creating an account called "TEST" and not enabling any permissions, gave me all the permissions assigned to the acount "test". To the login system "TEST" and "test" are completely different, however to the authorization (permission) system "TEST" and "test" are the exact same accounts, and furthermore will only apply the permissions set to the account "test" to both accounts when logged in.

I DO NOT, know if this bug is common to both form based login methods, and standard HTTP logins, however im guessing that it is. I do not have the time nor resources to test it however.

If it does exist in HTTP logins as well, this is a fairly sizable loophole in the trac security system, as anyone can register an account using any combination of uppercase letters for any of your users or even permission groups.

Attachments (0)

Change History (2)

comment:1 by andrew.krock@…, 18 years ago

After doing a little more poking around, it does look like the problem is comming from the AccountManagerPlugin.

comment:2 by anonymous, 18 years ago

Resolution:	→ invalid
Status:	new → closed

tracked the problem to AccountManagerPlugin and and ignore_auth_case setting.

Modify Ticket

Change Properties

Summary:
Description:	I recently had an issue with my trac install and one of my programers. I am useing the following plugins: * WebAdmin (from the trac website) * TracAccountManager (from trac-hacks) My new programmer complained that he did not have the adequate permissions that he should have, so I created a test account named "test", and added it to the same permission-groups as that programmers account. All the permissions were set properly, the problem came from the fact that his account name contained uppercase letters. Creating an account called "TEST" and not enabling any permissions, gave me all the permissions assigned to the acount "test". To the login system "TEST" and "test" are completely different, however to the authorization (permission) system "TEST" and "test" are the exact same accounts, and furthermore will only apply the permissions set to the account "test" to both accounts when logged in. I DO NOT, know if this bug is common to both form based login methods, and standard HTTP logins, however im guessing that it is. I do not have the time nor resources to test it however. If it does exist in HTTP logins as well, this is a fairly sizable loophole in the trac security system, as anyone can register an account using any combination of uppercase letters for any of your users or even permission groups. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Christopher Lenz.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Christopher Lenz to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: