issue2550921 - prevent usernames with characters ',' and '<', '>'

Can create login name with , in it. Confuses nosy list editing. Also
can embed html tags. Updated userauditor.py to prevent this.

Author: rouilj

CHANGES.txt

@@ -21,7 +21,10 @@ Fixed:
 - issue2550996 - Give better error message when running with -c
  (install as windows service) and pywin32 is not importable. Could use
  better testing on a windows box. (John Rouillard)
-
+- issue2550921 - Can create login name with , in it. Confuses nosy
+  list editing. Also can embed html tags. Updated userauditor.py
+  to prevent this. See updating.txt.
+  
 2019-10-23 2.0.0 alpha 0
 
 Features:

doc/upgrading.txt

@@ -112,6 +112,19 @@ or::
 
     if db.tx_Source in ['web', 'rest', 'xmlrpc', 'email-sig-openpgp', 'cli' ]:
 
+Update userauditor.py to restrict usernames
+-------------------------------------------
+
+A username can be created with embedded commas and < and >
+characters. Even though the < and > are usually escaped when
+displayed, the embedded comma makes it difficult to edit lists of
+users as they are comma separated.
+
+If you have not modified your tracker's userauditor.py, you can just
+copy the userauditor.py from the classic template into your tracker's
+detectors directory. Otherwise merge the changes from the template
+userauditor.py. https://issues.roundup-tracker.org/issue2550921 may be
+helpful.
 
 Migrating from 1.5.1 to 1.6.0
 =============================

share/roundup/templates/classic/detectors/userauditor.py

@@ -27,6 +27,8 @@
 email_rfc = re.compile('^' + email_regexp[0] + '@' + email_regexp[1] + '$', re.IGNORECASE)
 email_local = re.compile('^' + email_regexp[0] + '$', re.IGNORECASE)
 
+valid_username = re.compile('^[a-z0-9_@!%.+-]+$', re.IGNORECASE)
+
 def valid_address(address):
     ''' If we see an @-symbol in the address then check against the full
         RFC syntax. Otherwise it is a local-only address so only check
@@ -54,8 +56,13 @@ def audit_user_fields(db, cl, nodeid, newvalues):
         - email address is unique
         - roles specified exist
         - timezone is valid
+        - username matches A-z0-9_-.@!+% (email symbols)
     '''
 
+    if 'username' in newvalues:
+        if not valid_username.match(newvalues['username']):
+            raise ValueError("Username/Login Name must consist only of the letters a-z (any case), digits 0-9 and the symbols: @._-!+%")
+        
     for address in get_addresses(newvalues):
         if not valid_address(address):
             raise ValueError('Email address syntax is invalid "%s"'%address)

share/roundup/templates/devel/detectors/userauditor.py

@@ -27,6 +27,8 @@
 email_rfc = re.compile('^' + email_regexp[0] + '@' + email_regexp[1] + '$', re.IGNORECASE)
 email_local = re.compile('^' + email_regexp[0] + '$', re.IGNORECASE)
 
+valid_username = re.compile('^[a-z0-9_@!%.+-]+$', re.IGNORECASE)
+
 def valid_address(address):
     ''' If we see an @-symbol in the address then check against the full
         RFC syntax. Otherwise it is a local-only address so only check
@@ -54,8 +56,13 @@ def audit_user_fields(db, cl, nodeid, newvalues):
         - email address is unique
         - roles specified exist
         - timezone is valid
+        - username matches A-z0-9_-.@!+% (email symbols)
     '''
 
+    if 'username' in newvalues:
+        if not valid_username.match(newvalues['username']):
+            raise ValueError("Username/Login Name must consist only of the letters a-z (any case), digits 0-9 and the symbols: @._-!+%")
+        
     for address in get_addresses(newvalues):
         if not valid_address(address):
             raise ValueError('Email address syntax is invalid "%s"'%address)

share/roundup/templates/jinja2/detectors/userauditor.py

@@ -27,6 +27,8 @@
 email_rfc = re.compile('^' + email_regexp[0] + '@' + email_regexp[1] + '$', re.IGNORECASE)
 email_local = re.compile('^' + email_regexp[0] + '$', re.IGNORECASE)
 
+valid_username = re.compile('^[a-z0-9_@!%.+-]+$', re.IGNORECASE)
+
 def valid_address(address):
     ''' If we see an @-symbol in the address then check against the full
         RFC syntax. Otherwise it is a local-only address so only check
@@ -54,8 +56,13 @@ def audit_user_fields(db, cl, nodeid, newvalues):
         - email address is unique
         - roles specified exist
         - timezone is valid
+        - username matches A-z0-9_-.@!+% (email symbols)
     '''
 
+    if 'username' in newvalues:
+        if not valid_username.match(newvalues['username']):
+            raise ValueError("Username/Login Name must consist only of the letters a-z (any case), digits 0-9 and the symbols: @._-!+%")
+        
     for address in get_addresses(newvalues):
         if not valid_address(address):
             raise ValueError('Email address syntax is invalid "%s"'%address)

share/roundup/templates/minimal/detectors/userauditor.py

@@ -27,6 +27,8 @@
 email_rfc = re.compile('^' + email_regexp[0] + '@' + email_regexp[1] + '$', re.IGNORECASE)
 email_local = re.compile('^' + email_regexp[0] + '$', re.IGNORECASE)
 
+valid_username = re.compile('^[a-z0-9_@!%.+-]+$', re.IGNORECASE)
+
 def valid_address(address):
     ''' If we see an @-symbol in the address then check against the full
         RFC syntax. Otherwise it is a local-only address so only check
@@ -54,8 +56,13 @@ def audit_user_fields(db, cl, nodeid, newvalues):
         - email address is unique
         - roles specified exist
         - timezone is valid
+        - username matches A-z0-9_-.@!+% (email symbols)
     '''
 
+    if 'username' in newvalues:
+        if not valid_username.match(newvalues['username']):
+            raise ValueError("Username/Login Name must consist only of the letters a-z (any case), digits 0-9 and the symbols: @._-!+%")
+        
     for address in get_addresses(newvalues):
         if not valid_address(address):
             raise ValueError('Email address syntax is invalid "%s"'%address)

share/roundup/templates/responsive/detectors/userauditor.py

@@ -27,6 +27,8 @@
 email_rfc = re.compile('^' + email_regexp[0] + '@' + email_regexp[1] + '$', re.IGNORECASE)
 email_local = re.compile('^' + email_regexp[0] + '$', re.IGNORECASE)
 
+valid_username = re.compile('^[a-z0-9_@!%.+-]+$', re.IGNORECASE)
+
 def valid_address(address):
     ''' If we see an @-symbol in the address then check against the full
         RFC syntax. Otherwise it is a local-only address so only check
@@ -54,8 +56,13 @@ def audit_user_fields(db, cl, nodeid, newvalues):
         - email address is unique
         - roles specified exist
         - timezone is valid
+        - username matches A-z0-9_-.@!+% (email symbols)
     '''
 
+    if 'username' in newvalues:
+        if not valid_username.match(newvalues['username']):
+            raise ValueError("Username/Login Name must consist only of the letters a-z (any case), digits 0-9 and the symbols: @._-!+%")
+        
     for address in get_addresses(newvalues):
         if not valid_address(address):
             raise ValueError('Email address syntax is invalid "%s"'%address)

test/test_userauditor.py

@@ -102,4 +102,22 @@ def testGoodRoles(self):
         # check for all-whitespace (treat as no role)
         self.db.user.set(userid, roles='   ')
 
+    def testBadUsernames(self):
+        ''' ky,le raises:
+        ValueError: Username/Login Name must consist only of the letters a-z (any case), digits 0-9 and the symbols: @._-!+%
+        '''
+
+        for name in [ "ky'le", "ky<br>le" ]:
+            with self.assertRaises(ValueError) as ctx:
+                self.db.user.create(username=name,
+                                    address='[email protected]',
+                                    realname='Kyle Broflovski', roles='User')
+                self.assertEqual(str(ctx.exception), "Username/Login Name must "
+                                 "consist only of the letters a-z (any case), "
+                                 "digits 0-9 and the symbols: @._-!%")
+
+        self.db.user.create(username='[email protected]',
+            address='[email protected]',
+            realname='Kyle Broflovski', roles='User')
+
 # vim: filetype=python sts=4 sw=4 et si