[#7158] - inadequate filtering of user-name during installation process
- Closed
- 10 May 2016
- Urgent
- Build: master
- # 7158
Steps to reproduce the issue
Install Joomla! and use in the user-name a "forbidden character like:
< > \ " ' % ; ( ) &
In my case the credentials where:
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs
In the installation process this user/password combination was accepted, installation went fine, but one could not log-in any more.
After I changed the username in the Database login was possible again.
Expected result
I would expect that during installation there would be a warning, that prevented me from choosing an username that renders the Superadministrator Login useless. Like the one that is used if one registers a new user in the backend.
Actual result
Installation with unusable username is possible. Therefore creating a not usable SuperAdmin account on installation
System information (as much as possible)
PHP Built On: Linux server11729.yco.de 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64
Database Version: 5.5.42-MariaDB-1~wheezy-log
Database Collation: utf8_general_ci
PHP Version: 5.4.39-0+deb7u2
Web Server: Apache
WebServer to PHP Interface: cgi-fcgi
Joomla! Version: Joomla! 3.4.1 Stable [ Ember ] 21-March-2015 20:30 GMT
Joomla! Platform Version: Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Additional comments
| Build | 3.4.1 | ⇒ | staging |
joomla-cms-bot
- | Labels |
Added:
?
|
||
| Status | New | ⇒ | Confirmed |
| Title |
|
||||||
https://github.com/joomla/joomla-cms/blob/staging/installation/model/setup.php#L420
$data['admin_user'] will be not validate!
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/table/user.php#L190-L195
This is a check from com_users
It has nothing to do with the JForm validation (which is what the first link points to). The install app doesn't use the JTable classes to insert data, so the check in JTableUser will never be reached.
At a quick glance, enough of the app might be in place to be able to use JTable to insert the super user (and inherently run its validations), but it may also still be a long shot.
How about using a validation rule to check/validate username on one or more than one criteria? It'll be simple and clean.
I did a rule that apply to the admin_user field of the installation form. Please, see above.
I think that the javascript validation will be a better bet here, so adding one more handler for admin-user similar to the one in validation.js:
setHandler('username', function(value, element) {
var regex = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]", "i");
return !regex.test(value);
});Edit: I think the field was renamed from username to admin-user and thus the error
Edit 2: the type needs to be changed from text to username
Could you add logic in the javascript function to inform the user about what were the bad characters?
The characters are automagically removed in real time.
Edit NOT in real time but as soon as you press the next button
| Status | Confirmed | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-05-10 17:16:40 |
| Closed_By | ⇒ | zero-24 |
| Closed_Date | 2016-05-10 17:16:40 | ⇒ | 2016-05-10 17:16:41 |
| Closed_By | zero-24 | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/7158
Closing as we have a PR by @dgt41 here: #10391
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7158.
Confirmed
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7158.