passwordauth: Don't allow registering accounts that look like openids.

Also prohibit @ in account names, in case the file regexp was relaxed to
allow it.

diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 7c01bb3ffe11b0f7d36160e69de957efb659ffb7..3bdd9de2ed01919ab2fa6559ba6658977bac7628 100644 (file)
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -251,6 +251,12 @@ sub formbuilder_setup (@) {
                                                my $name=shift;
                                                length $name &&
                                                $name=~/$config{wiki_file_regexp}/ &&
                                                my $name=shift;
                                                length $name &&
                                                $name=~/$config{wiki_file_regexp}/ &&

+                                               # don't allow registering
+                                               # accounts that look like
+                                               # openids, or email
+                                               # addresses, even if the
+                                               # file regexp allows it
+                                               $name!~/[\/:\@]/ &&

                                                ! IkiWiki::userinfo_get($name, "regdate");
                                        },
                                );
                                                ! IkiWiki::userinfo_get($name, "regdate");
                                        },
                                );

diff --git a/debian/changelog b/debian/changelog
index 45801567fe03c033172f0a589c2b0ed3ffdf7ada..19f6dfbdb902331267a04e5b2fa7372e23078722 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ ikiwiki (3.20150330) UNRELEASED; urgency=medium
     they don't have an openid.
   * Converted openid-selector into a more generic loginselector helper
     plugin.
     they don't have an openid.
   * Converted openid-selector into a more generic loginselector helper
     plugin.

+  * passwordauth: Don't allow registering accounts that look like openids.

 
  -- Joey Hess <id@joeyh.name>  Tue, 28 Apr 2015 12:24:08 -0400
 
 
  -- Joey Hess <id@joeyh.name>  Tue, 28 Apr 2015 12:24:08 -0400
 

diff --git a/doc/todo/separate_authentication_from_authorization.mdwn b/doc/todo/separate_authentication_from_authorization.mdwn
index 4a602babff00e9a0946e1a427f1c458132f48de6..de7c5b7631314bd49891f8b4313cf11be6f8039d 100644 (file)
--- a/doc/todo/separate_authentication_from_authorization.mdwn
+++ b/doc/todo/separate_authentication_from_authorization.mdwn
@@ -94,3 +94,13 @@ Thoughts?
 > I always find it a little ackward that i have two different accounts on this wiki: one for OpenID, and the other (regular account) for email notifications (because of [[bugs/notifyemail_fails_with_some_openid_providers/]]). It seems to me those accounts should just be merged as one, ie. I was expecting to be able to choose a username when i registered with openid.
 > 
 > Also, when you talk about "separating authentication from authorization", i immediately thought of [[todo/ACL/]] and [[todo/Zoned_ikiwiki/]], so i thought i could mention those... having stability in the usernames would help in the design of those... --[[anarcat]]
 > I always find it a little ackward that i have two different accounts on this wiki: one for OpenID, and the other (regular account) for email notifications (because of [[bugs/notifyemail_fails_with_some_openid_providers/]]). It seems to me those accounts should just be merged as one, ie. I was expecting to be able to choose a username when i registered with openid.
 > 
 > Also, when you talk about "separating authentication from authorization", i immediately thought of [[todo/ACL/]] and [[todo/Zoned_ikiwiki/]], so i thought i could mention those... having stability in the usernames would help in the design of those... --[[anarcat]]

+
+> I'm not against this, but I don't anticipate having resources to do any
+> work on it either. --[[Joey]]
+
+> I have fixed passwordauth to not let urls be registered. It seems this
+> was not quite a security hole; it didn't let registering a name that
+> already existed, so if an openid was an admin, as long as the user logged
+> in using that openid, someone else couldn't come along and passwordauth
+> collide with it. (Might be exploitable if you could guess an openid that
+> was going to be added as an admin though.) --[[Joey]]