View Issue Details

ID: 0025097
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2020-03-15 15:23
Reporter: jingshaochen
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: Ubuntu 16.04
OS Version: 16.04
Product Version: 2.18.0
Target Version: 2.24.0
Fixed in Version: 2.24.0
Summary: 0025097: login username is not trimmed
Description

When an LDAP user logs in with a username, if he/she puts a space in front or at the end of the username, he/she will still be authenticated and logged in; however, the user table will have a new entry with the spaces in the username.

This is not desirable at least.

Steps To Reproduce
  1. Use LDAP authentication
  2. Log in with a valid username and password
  3. Check that the user is created in the user table
  4. Now log out and log in again, with a space in front of the username, and the valid password
  5. Login succeeds
  6. However, check the user table: there will be another user created with username: username (with the space in front)
Tags: No tags attached.

Relationships

has duplicate 0023831 (closed, atrol): Leading space of username should be trimmed when login

Activities

jingshaochen

2018-12-18 20:34

reporter   ~0061080

Suggested fix is to add a trim in the login_password_page.php file:

$f_username              = trim(gpc_get_string( 'username', '' ));

dregad

2020-01-29 10:39

developer   ~0063536

I just tested and I can't reproduce this behavior with Active Directory, the LDAP search fails:

2020-01-29 10:07 EST LDAP ldap_api.php:346 ldap_authenticate_by_username() Searching for (&(sAMAccountName=  USERNAME))
2020-01-29 10:07 EST LDAP ldap_api.php:377 ldap_authenticate_by_username() No matching entries found

Maybe this affects other types of LDAP (did not test). Regardless, it fully makes sense to ignore leading/trailing whitespace in this context, so I'll add the trim() call as suggested.

See PR https://github.com/mantisbt/mantisbt/pull/1619

Related Changesets

MantisBT: master 73fc958a

2020-01-29 05:34

dregad


Trim username on login

When an LDAP user adds spaces before or after their username when
logging in, they will be authenticated successfully and logged in, but
Mantis will create a new entry in the user table including the spaces.

Fixes 0025097
Affected Issues
0025097
mod - login_password_page.php
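
The failure described in this issue and the effect of the trim() fix, as an added example that is not MantisBT code. It assumes a directory that ignores surrounding whitespace when matching a login name, while the local user table compares the exact string; all function names and the sample account are hypothetical.

```php
<?php
// Added illustration, not MantisBT code; every name below is hypothetical.

// Constructed stand-in for a directory that ignores surrounding whitespace
// when matching a login name (assumed, to model the reported behaviour).
function directory_authenticate(string $username, string $password): bool {
    $accounts = ['jdoe' => 'correct horse'];   // constructed sample account
    $key = trim($username);
    return isset($accounts[$key]) && hash_equals($accounts[$key], $password);
}

// Local user table compared on the exact string; a name that is not present
// is auto-created after a successful directory login.
function login(array &$userTable, string $username, string $password, bool $trimInput): bool {
    if ($trimInput) {
        $username = trim($username);           // normalise once, before any lookup
    }
    if (!directory_authenticate($username, $password)) {
        return false;
    }
    if (!in_array($username, $userTable, true)) {
        $userTable[] = $username;              // new row, spaces included
    }
    return true;
}

// Cleanup check for rows created before the fix: stored names that differ
// from their trimmed form.
function names_with_surrounding_whitespace(array $userTable): array {
    return array_values(array_filter($userTable, function ($name) {
        return $name !== trim($name);
    }));
}

$untrimmed = [];
login($untrimmed, 'jdoe', 'correct horse', false);
login($untrimmed, ' jdoe', 'correct horse', false);

$trimmed = [];
login($trimmed, 'jdoe', 'correct horse', true);
login($trimmed, ' jdoe ', 'correct horse', true);

echo 'without trim: ', json_encode($untrimmed), PHP_EOL;
echo 'with trim:    ', json_encode($trimmed), PHP_EOL;
echo 'to clean up:  ', json_encode(names_with_surrounding_whitespace($untrimmed)), PHP_EOL;
```

By default PHP's trim() strips only space, tab, newline, carriage return, NUL and vertical tab, so other Unicode whitespace such as a non-breaking space is not removed by this call.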