Page MenuHomePhabricator
Create Task
Maniphest T28854

Invalid username errors goes unchecked
Closed, ResolvedPublic
Actions

Description

Author: kwi

Description:
Adds checks for invalid usernames.

Note: I encountered this issue on a wiki with very specific rules on username composition. Errors are unlikely (but not impossible) on vanilla installs.

Per the code docs, User::newFromName returns a "User object, or false if the username is invalid (e.g. if it contains illegal characters or is an IP address). If the username is not present in the database, the result will be a user object with a name, zero user ID and default settings." Username validity may, among other things, be constrained by plugins through the AuthPlugin interface.

Due to the creation of "mock" User objects for non-existent users with valid usernames, and since almost any name is valid by default, newFromName rarely returns false on vanilla installs. This explains why a lot of code doesn't handle the case where the result is false.

Note that User::newFromName can return false even when the validate argument is false, as getCanonicalName always performs at least minimal validation (no '#' in names).

In an attempt to fix these errors, I've reviewed all invocations of User::newFromName in r80702.

For maintenance scripts, simply dying with an error message seems reasonable.

For include files, I've tried to handle invalid usernames appropriately.

For the last 4 files in the attached diff, I'm unsure how to properly handle the error condition. The diff for these files consist only of a FIXME code comment indicating the problem.

Version: 1.18.x
Severity: minor

Attached:

invalid-usernames-fix.diff11 KBDownload

Details

Reference
bz26854

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:18 PM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz26854.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Jan 21 2011, 9:29 PM
bzimport added a comment.Nov 10 2011, 2:38 AM

sumanah wrote:

Søren Løvborg, I'm sorry for the wait. Thanks for the patch. I'm adding the "need-review" keyword to ask developers to review your patch. Thanks for contributing.

Catrope added a comment.Nov 20 2011, 11:30 AM

Applied most of the patch in r103745, and fixed SpecialContributions and SpecialDeletedContributions in r103751.

bzimport added a comment.Nov 20 2011, 7:55 PM

kwi wrote:

Thanks guys, much appreciated.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL