https://bugzilla.wikimedia.org/show_bug.cgi?id=26854

           Summary: Invalid username errors goes unchecked
           Product: MediaWiki
           Version: 1.18-svn
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: patch
          Severity: minor
          Priority: Normal
         Component: User login
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: k...@kwi.dk


Created attachment 8017
  --> https://bugzilla.wikimedia.org/attachment.cgi?id=8017
Adds checks for invalid usernames.

Note: I encountered this issue on a wiki with very specific rules on username
composition. Errors are unlikely (but not impossible) on vanilla installs.

Per the code docs, User::newFromName returns a "User object, or false if the
username is invalid (e.g. if it contains illegal characters or is an IP
address). If the username is not present in the database, the result will be a
user object with a name, zero user ID and default settings." Username validity
may, among other things, be constrained by plugins through the AuthPlugin
interface.

Due to the creation of "mock" User objects for non-existent users with valid
usernames, and since almost any name is valid by default, newFromName rarely
returns false on vanilla installs. This explains why a lot of code doesn't
handle the case where the result is false.

Note that User::newFromName can return false even when the validate argument is
false, as getCanonicalName always performs at least minimal validation (no '#'
in names).

In an attempt to fix these errors, I've reviewed all invocations of
User::newFromName in r80702.

For maintenance scripts, simply dying with an error message seems reasonable. 

For include files, I've tried to handle invalid usernames appropriately.

For the last 4 files in the attached diff, I'm unsure how to properly handle
the error condition. The diff for these files consists only of a FIXME code
comment indicating the problem.
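
The failure mode described in this report, as an added example that is not part of the original report or of MediaWiki's code. The `User` class below is a constructed stand-in that mimics only the documented return contract of `User::newFromName`, and `lookupIdUnchecked` and `lookupIdChecked` are hypothetical callers.

```php
<?php
// Constructed stand-in for MediaWiki's User class, reduced to the documented
// contract of newFromName(): false for an invalid name, otherwise an object
// (user ID 0 when the name is not in the database). Not MediaWiki source.
class User {
    private $name;
    private $id;
    // Constructed sample "database": name => user ID.
    private static $rows = array( 'Alice' => 7 );

    private function __construct( $name, $id ) {
        $this->name = $name;
        $this->id = $id;
    }

    public static function newFromName( $name ) {
        // Validation named in the report: no '#' in names, no IP addresses.
        if ( strpos( $name, '#' ) !== false
            || filter_var( $name, FILTER_VALIDATE_IP ) !== false ) {
            return false;
        }
        $id = isset( self::$rows[$name] ) ? self::$rows[$name] : 0;
        return new self( $name, $id );
    }

    public function getId() { return $this->id; }
}

// Unchecked pattern the report describes: a false return reaches a method call.
function lookupIdUnchecked( $name ) {
    return User::newFromName( $name )->getId(); // fatal error when $name is invalid
}

// Checked pattern: separate "invalid name" from "valid name, no such user".
function lookupIdChecked( $name ) {
    $user = User::newFromName( $name );
    if ( $user === false ) {
        return 'invalid username';
    }
    return $user->getId() === 0 ? 'no such user' : 'user #' . $user->getId();
}

// Constructed sample input covering all three outcomes.
foreach ( array( 'Alice', 'Bob', 'Bad#Name', '192.0.2.1' ) as $name ) {
    echo str_pad( $name, 10 ), ' => ', lookupIdChecked( $name ), "\n";
}
```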
