Bug 784599

Summary: Usernames must not contain colon
Product: [Retired] Katello
Component: WebUI
Status: CLOSED NOTABUG
Severity: low
Priority: unspecified
Version: 1.X
Hardware: Unspecified
OS: Unspecified
Keywords: Triaged
Reporter: Lukas Zapletal <lzap>
Assignee: Jason E. Rist <jrist>
QA Contact: Katello QA List <katello-qa-list>
CC: bkearney, mmccune, ppokorny
Doc Type: Bug Fix
Last Closed: 2012-07-04 12:00:27 UTC

Description Lukas Zapletal 2012-01-25 14:19:23 UTC
Since we use HTTP BASIC auth for our CLI client (which is fine - it is
safe over HTTPS) we MUST NOT allow the ":" character in the username. On top
of that, this character MUST NOT appear in the UTF-8 encoded sequence.

The reason is very simple - for HTTP BASIC AUTH the encoding scheme is

base64_encode(username:password)

and servers/stacks, including Rails3, just decode the stuff and then
split the string into two with the limit of two. If there is a ":"
character, authentication will likely fail.

The very same goes for rhsm, which also sends out HTTP BASIC headers. But
jbowes confirmed to me that candlepin usernames are only [a-zA-Z] or something.
So it is only a Katello issue.

It is easy to put a constraint on the ":" character, but if we support
UTF-8 usernames, we should add one additional test when a user is created.
The username must not contain ":" in the clear form, and also not in the UTF-8
form.

So the task is to disallow usernames:

a) with ":" character in the username

b) with ":" character in the username UTF-8 sequence (so to read it byte by byte and to compare it against colon)

Comment 1 Lukas Zapletal 2012-01-25 14:32:09 UTC
Oh, I am apparently not as clever as the UTF-8 encoding creators. Thanks to the encoding, it can never happen that any sequence encodes a ":" byte. ;-)

So we just need to check for the ":" character. Simple.

Comment 2 Pavel Pokorny 2012-07-04 09:50:16 UTC
There is no need to check for a colon because the username is validated by [1] and can only contain alphanumerics, '_' and '-'.

So we can close this bug, am I right?

[1] https://github.com/Katello/katello/blob/master/src/app/models/username_validator.rb
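The following is an added example illustrating the three points made above (the description's base64(username:password) split, Comment 1's observation about UTF-8 never producing a ":" byte, and Comment 2's character-class validator). It is not code from Katello or from the linked username_validator.rb; the regular expression is an assumption reconstructed from Comment 2's wording, and all sample usernames and passwords are constructed.

```python
import base64
import re

# Assumed username rule, reconstructed from Comment 2 ("alphanumerics, '_' and '-').
# The real pattern lives in username_validator.rb and is not reproduced here.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_-]+\Z")


def encode_basic(username: str, password: str) -> str:
    """Client side: build the credentials part of 'Authorization: Basic <...>'."""
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_basic(credentials: str) -> tuple:
    """Server side: decode, then split on the FIRST ':' only (a limit-two split).

    Everything after the first colon is treated as the password, which is why a
    colon in the password is harmless but a colon in the username corrupts both
    fields.
    """
    raw = base64.b64decode(credentials).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials: no ':' separator")
    return username, password


def roundtrip_ok(username: str, password: str) -> bool:
    """True if the server recovers exactly the username/password the client sent."""
    return decode_basic(encode_basic(username, password)) == (username, password)


def utf8_has_colon_byte(username: str) -> bool:
    """Byte-by-byte check proposed in the description: does any byte of the
    UTF-8 encoding equal 0x3A (':')? For non-ASCII characters this is always
    False, because UTF-8 lead bytes are >= 0xC2 and continuation bytes are
    0x80..0xBF, so only a literal ASCII ':' can produce that byte."""
    return b":" in username.encode("utf-8")


def username_is_valid(username: str) -> bool:
    """Character-class validation as described in Comment 2: with this rule in
    place, ':' (and every non-ASCII character) is already rejected, so no
    separate colon check is needed."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    # Constructed sample values.
    for user, pw in [("alice", "s3cret"), ("al:ice", "s3cret"), ("alice", "p:w")]:
        print(f"{user!r}/{pw!r} -> server sees {decode_basic(encode_basic(user, pw))}")
    for user in ["lzap", "l:zap", "\u017elu\u0165ou\u010dk\u00fd"]:
        print(f"{user!r}: colon byte in UTF-8={utf8_has_colon_byte(user)} "
              f"valid={username_is_valid(user)}")
```

Running the script shows that a colon in the password survives the round trip while a colon in the username shifts part of it into the password field, that a multi-byte username never yields a 0x3A byte, and that the character-class rule rejects the colon case anyway.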