Account registration allows malformed data to be added to the password file
Bug #900314 reported by Jean-Paul Calderone
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Twisted/Trac Integration | New | Undecided | Unassigned | |
Bug Description
Trac account registration lets users (mostly spammers) put a \r in their username or password. It's frequently added at the end, presumably as part of some newline convention confusion. This is written straight out to the password file, where it confuses future attempts to read it. Fortunately the damage isn't catastrophic, but the particular credentials with the \r end up unreadable, and an error is written to the log each time one is encountered.
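One way to close this at registration time and to find entries already damaged, as an added example that is not code from Trac or from the Twisted/Trac integration. It assumes an htpasswd-style file with one `user:value` entry per line; the function names, the exception class and the sample file contents are constructed for illustration.

```python
import unicodedata

FIELD_SEPARATOR = ":"  # assumption: htpasswd-style "user:value" lines


class MalformedCredential(ValueError):
    """Raised when a field would corrupt a one-entry-per-line password file."""


def check_field(name, value, forbid_separator=False):
    """Return value unchanged if it can be stored safely on a single line."""
    if not value:
        raise MalformedCredential(f"{name} is empty")
    for ch in value:
        # "Cc" covers \r, \n, \t, NUL and the other control characters;
        # "Zl"/"Zp" are the Unicode line and paragraph separators.
        if unicodedata.category(ch) in ("Cc", "Zl", "Zp"):
            raise MalformedCredential(f"{name} contains {ch!r}")
    if forbid_separator and FIELD_SEPARATOR in value:
        raise MalformedCredential(f"{name} contains {FIELD_SEPARATOR!r}")
    return value


def validate_registration(username, password):
    """Reject the submission outright rather than stripping characters,
    so the stored credential always equals what the user typed."""
    return (check_field("username", username, forbid_separator=True),
            check_field("password", password))


def audit_password_file(text):
    """Return the 1-based line numbers of entries that are malformed."""
    bad = []
    # split("\n"), not splitlines(): splitlines() treats a lone \r as a
    # line break, which would hide exactly the character being hunted.
    for number, line in enumerate(text.split("\n"), start=1):
        if not line:
            continue
        user, sep, stored = line.partition(FIELD_SEPARATOR)
        try:
            if not sep:
                raise MalformedCredential("missing separator")
            check_field("username", user)
            check_field("stored value", stored)
        except MalformedCredential:
            bad.append(number)
    return bad


# Constructed sample file: line 2 has \r in the username, line 3 ends in \r.
SAMPLE = "alice:constructed-1\nspammer\r:constructed-2\nbob:constructed-3\r\n"
```

When reading the real file for an audit, open it in binary mode or with `newline=""` so Python's universal-newline handling does not translate the `\r` before the check sees it.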