Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The username format should be stricter #21640

Closed
wolfogre opened this issue Oct 31, 2022 · 1 comment · Fixed by #20136
Closed

The username format should be stricter #21640

wolfogre opened this issue Oct 31, 2022 · 1 comment · Fixed by #20136
Labels
type/bug
Milestone
1.19.0

Comments

@wolfogre
Copy link
Member

wolfogre commented Oct 31, 2022
edited
Loading

Description

The current username format check is

Username should contain only alphanumeric, dash ('-'), underscore ('_') and dot ('.') characters.

But I think it should be stricter, maybe

Username should contain only alphanumeric, dash ('-'), underscore ('_') and dot ('.') characters, and cannot begin or end with non-alphanumeric, consecutive non-alphanumerics are also not allowed.

What GitHub does:

Username may only contain alphanumeric characters or single hyphens, and cannot begin or end with a hyphen.

You might think this is a suggestion, not a Bug Report, so let me show you the bug.

  1. Create a user named test..test;
  2. Create a repo with default README.md.
  3. Edit the file online and click "Commit Changes", not "Create a new branch".

I also think we can find the cause and fix the bug, but why not restrict the username format to avoid it?

image

Gitea Version

main@9b3e2c545

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Binary file.

Database

PostgreSQL
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Oct 31, 2022
edited
Loading

There are a lot of (incorrect) checks

(Just FYI) See #20136 (comment)

@wolfogre wolfogre mentioned this issue Nov 1, 2022
Merged
@lunny lunny added this to the 1.19.0 milestone Nov 1, 2022
lunny added a commit that referenced this issue Nov 4, 2022
@wxiaoguang @wolfogre
@lunny @delvh
Improve valid user name check (#20136)
2900dc9 
Close #21640

Before: Gitea can create users like ".xxx" or "x..y", which is not
ideal, it's already a consensus that dot filenames have special
meanings, and `a..b` is a confusing name when doing cross repo compare.

After: stricter

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
1.19.0
Development

Successfully merging a pull request may close this issue.

Improve valid user name check wxiaoguang/gitea
3 participants
@lunny @wxiaoguang @wolfogre