
Non-printing characters allowed in registration
Closed, ResolvedPublic

Description

Author: jellochuu

Description:
The latest software upgrade at Wikipedia and other Wikimedia projects
reintroduces an old problem which allows registration of accounts containing
non-printing characters such as ­. This can allow vandals to "pretend"
to be someone else. For example, a vandal can register a username like
Grunt%C2%AD (not actually using %C2%AD but by placing the non-printing character
in the field...). I registered an account like this by creating a blank HTML
with only the content &­ and then Ctrl+A, Ctrl+C'ing it.


Version: 1.5.x
Severity: enhancement
URL: ­http://en.wikipedia.org/wiki/User:%C2%AD%C2%AD%C2%ADBug_account%C2%AD%C2%AD%C2%AD

Details

Reference
bz2593

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 8:37 PM
bzimport set Reference to bz2593.
bzimport added a subscriber: Unknown Object (MLST).

plugwash wrote:

imho the allowed stuff in usernames should be based on a whitelist. Using a
blacklist means that you will always risk missing stuff that vandals would find
useful.

usenet wrote:

See also Bug 2290: user impersonation using homographs for a wider perspective...

gangleri wrote:

see also

bug 1524: usernames should use unicode whitelist

a.koppad wrote:

I tried to login within a "#$$%%%%" which throws the login error, "You have not specified a valid user name.". I also tried to do Ctrl^C, Ctrl^V, and other fields that I could think of. The form does allow you to enter illegal characters. So this issue is resolved for now.

a.koppad wrote:

Hi,

I am sorry about the last sentence in the last post. I meant to say I tested and tried to reproduce the error but with no success.

(In reply to comment #4)

I tried to login within a "#$$%%%%"

These are visible, printable characters. Comment 0 mentions "non-printing characters". See http://en.wikipedia.org/wiki/Non-printing_character

I tried on test2.wikipedia.org (version 1.21wmf5) to create an account as Maly­acko (save as HTML file, open it in browser, copy from the browser display, as described in comment 0).

RESULT:

Login error
The name "Maly­acko" is not allowed to prevent confusing or spoofed usernames: Contains unassigned character U+00AD. Please choose another name.

So I consider this FIXED as there is a check in place (though I don't know where a blacklist or whitelist is located though, and which exact characters are covered by it).
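As an added example (not code from MediaWiki or from anyone in this thread), here is the kind of check the report and the whitelist comment call for, in Python: it flags invisible or unassigned code points such as the U+00AD soft hyphen by Unicode general category, accepts a name only through a whitelist of categories, and detects when a candidate name collapses onto an existing one once the invisible characters are removed. The allowed punctuation set, the function names and the sample names are assumptions made for this example.

```python
import unicodedata

# Unicode general categories that never belong in a username: control (Cc),
# format (Cf, which holds U+00AD SOFT HYPHEN and the zero-width characters),
# surrogate (Cs), private use (Co), unassigned (Cn), line/paragraph separators.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zl", "Zp"}

# Punctuation permitted by the whitelist (assumption for this example).
ALLOWED_PUNCTUATION = set(" -_.'")


def is_invisible(ch):
    """True for characters that render as nothing, or as a space other than U+0020."""
    cat = unicodedata.category(ch)
    return cat in INVISIBLE_CATEGORIES or (cat == "Zs" and ch != " ")


def find_invisible_chars(username):
    """List (index, code point, category, name) for every invisible character,
    so the rejection message can name the offender as the AntiSpoof one did."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.category(ch), unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(username)
        if is_invisible(ch)
    ]


def is_valid_username(username):
    """Whitelist check: letters, digits, combining marks (needed for many scripts)
    and a short punctuation list are allowed; anything else is rejected."""
    if not username or username != username.strip():
        return False
    for ch in username:
        cat = unicodedata.category(ch)
        if cat[0] in ("L", "N") or cat in ("Mn", "Mc") or ch in ALLOWED_PUNCTUATION:
            continue
        return False
    return True


def strip_invisible(username):
    """Canonical form for collision checks: the name with invisible characters removed."""
    return "".join(ch for ch in username if not is_invisible(ch))


def impersonation_target(candidate, existing_names):
    """Return the existing name the candidate would look identical to on screen
    once invisible characters are dropped, or None if there is no such name."""
    canon = strip_invisible(candidate)
    for name in existing_names:
        if name != candidate and strip_invisible(name) == canon:
            return name
    return None
```

Running `find_invisible_chars("Grunt\u00ad")` reports the soft hyphen at index 5, and `impersonation_target("Grunt\u00ad", {"Grunt"})` returns `"Grunt"`, the account the spoofed name would be mistaken for.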