Referenced as Pull Request for: # 10391
FrankyDE - 12 Jun 2015

Steps to reproduce the issue

Install Joomla! and use in the user-name a "forbidden" character like:
< > \ " ' % ; ( ) &

In my case the credentials were:
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs

In the installation process this user/password combination was accepted, installation went fine, but one could not log-in any more.

After I changed the username in the Database login was possible again.

Expected result

I would expect that during installation there would be a warning that prevented me from choosing a username that renders the Superadministrator login useless, like the one that is used if one registers a new user in the backend.

Actual result

Installation with an unusable username is possible, therefore creating an unusable SuperAdmin account on installation.

System information (as much as possible)

PHP Built On: Linux server11729.yco.de 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64
Database Version: 5.5.42-MariaDB-1~wheezy-log
Database Collation: utf8_general_ci
PHP Version: 5.4.39-0+deb7u2
Web Server: Apache
WebServer to PHP Interface: cgi-fcgi
Joomla! Version: Joomla! 3.4.1 Stable [ Ember ] 21-March-2015 20:30 GMT
Joomla! Platform Version: Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0

Additional comments

FrankyDE - open - 12 Jun 2015
FrankyDE - change - 12 Jun 2015
Build 3.4.1 staging
joomla-cms-bot - change - 12 Jun 2015
Labels Added: ?
brianteeman - change - 12 Jun 2015
Status: New → Confirmed
brianteeman - change - 12 Jun 2015
Title: inadequate filtering of user-name during installation process
brianteeman - comment - 12 Jun 2015

Confirmed


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7158.

mbabker - comment - 12 Jun 2015

It has nothing to do with the JForm validation (which is what the first link points to). The install app doesn't use the JTable classes to insert data, so the check in JTableUser will never be reached.

At a quick glance, enough of the app might be in place to be able to use JTable to insert the super user (and inherently run its validations), but it may also still be a long shot.

Achal-Aggarwal - comment - 25 Jul 2015

How about using a validation rule to check/validate username on one or more than one criteria? It'll be simple and clean.

framontb - reference | a9dd7c1 - 10 May 2016
framontb - comment - 10 May 2016

I did a rule that applies to the admin_user field of the installation form. Please see above.

dgt41 - comment - 10 May 2016

I think that the JavaScript validation will be a better bet here, so adding one more handler for admin-user similar to the one in validation.js:

        setHandler('username', function(value, element) {
            // Reject any of the characters the tracker lists as forbidden:
            // < > " ' % ; ( ) &
            // Inside a character class the alternation bar is a literal, so the
            // "|" separators of the original pattern are dropped here; otherwise
            // the handler would also reject a plain "|". The characters need no
            // escaping inside [...] and have no case, so no "i" flag is needed.
            var regex = new RegExp("[<>\"'%;()&]");
            return !regex.test(value);
        });

Edit: I think the field was renamed from username to admin-user and thus the error

Edit 2: the type needs to be changed from text to username

framontb - comment - 10 May 2016

Could you add logic to the JavaScript function to inform the user about which characters were bad?
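The handler sketched by dgt41 above only answers "valid or not"; framontb asks for the offending characters to be named as well. The block below is an added example (not Joomla's code, not the patch in #10391) of a list-driven check that does both and also derives the regex from the same list, so the message and the rejection rule cannot drift apart. The forbidden set is taken from the reporter's list (< > \ " ' % ; ( ) &); the function names and the installer field name are assumptions, and the sample usernames are constructed, including the reporter's own admin username, which contains "&" (the "}" it also contains is not in the list and is accepted).

```javascript
// Added example, not Joomla's own code. Forbidden set as listed in the issue
// report; anything else (including "}" and "|") is accepted by this check.
const FORBIDDEN_USERNAME_CHARS = ['<', '>', '\\', '"', "'", '%', ';', '(', ')', '&'];

// Equivalent single RegExp, built by escaping each listed character. Built from
// the list rather than typed by hand so it stays in sync with the message
// produced below. No "u" flag, so identity escapes like \% and \; are allowed;
// no "i" flag, since none of these characters have a case.
const FORBIDDEN_USERNAME_RE = new RegExp(
  '[' + FORBIDDEN_USERNAME_CHARS.map(c => '\\' + c).join('') + ']'
);

// Returns the distinct forbidden characters present in `value`, in order of
// first appearance. An empty array means the username is clean.
function findForbiddenChars(value) {
  const found = [];
  for (const ch of String(value)) {
    if (FORBIDDEN_USERNAME_CHARS.includes(ch) && !found.includes(ch)) {
      found.push(ch);
    }
  }
  return found;
}

// Same verdict as the regex, used where only a boolean is wanted.
function isValidUsername(value) {
  return findForbiddenChars(value).length === 0;
}

// Message for the user: null when valid, otherwise the characters to remove.
function describeUsernameProblem(value) {
  const bad = findForbiddenChars(value);
  if (bad.length === 0) {
    return null;
  }
  return 'Username contains forbidden character(s): ' + bad.join(' ');
}

// Shape of a handler for a setHandler('admin-user', ...) style validator
// (assumed field name). The element argument is unused here; a real handler
// would attach describeUsernameProblem(value) to it as the error text.
function adminUserHandler(value, element) {
  return !FORBIDDEN_USERNAME_RE.test(value);
}

// Constructed samples: the reporter's admin username and a clean one.
const SAMPLE_REPORTED_USERNAME = 'S9nFA7N7x7tL}jXOJqIx&vQk3jSF';
const SAMPLE_CLEAN_USERNAME = 'admin';

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of [SAMPLE_REPORTED_USERNAME, SAMPLE_CLEAN_USERNAME]) {
    console.log(u, '=>', describeUsernameProblem(u) || 'ok');
  }
}
```

Because the message comes from the same list as the regex, a reviewer adding a character later only edits one place; the thread's hand-written pattern, by contrast, silently rejects "|" because the alternation bars are literals inside a character class.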

dgt41 - comment - 10 May 2016

Please test: #10391

dgt41 - comment - 10 May 2016

The characters are automagically removed in real time.

Edit: NOT in real time, but as soon as you press the next button.

zero-24 - change - 10 May 2016
Status: Confirmed → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-05-10 17:16:40
Closed_By: zero-24
joomla-cms-bot - change - 10 May 2016
Closed_Date: 2016-05-10 17:16:40 → 2016-05-10 17:16:41
Closed_By: zero-24 → joomla-cms-bot
joomla-cms-bot - close - 10 May 2016
zero-24 - comment - 10 May 2016

Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/7158

zero-24 - comment - 10 May 2016

Closing as we have a PR by @dgt41 here: #10391


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7158.

dgt41 - comment - 10 May 2016

@framontb can you also make a PR with the server side validation, as that one is also correct!
