Account registration allows malformed data to be added to the password file

Bug #900314 reported by Jean-Paul Calderone on 2011-12-05
This bug affects 1 person
Affects: Twisted/Trac Integration

Bug Description

Trac account registration lets users (mostly spammers) put a \r in their username or password. It's frequently added at the end, presumably as part of some newline convention confusion. This is written straight out to the password file, where it confuses future attempts to read it. Fortunately the damage isn't catastrophic, but the particular credentials with the \r end up unreadable, and an error is written to the log each time one is encountered.
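One way to reject such input before it is written, and to find entries already damaged by it, as an added example that is not Trac's code or the reporter's. The one-entry-per-line `name:secret` layout, the function names and the sample bytes are assumptions made for illustration.

```python
import unicodedata

SEPARATOR = ":"  # assumed field separator of the password file


def reject_reason(field, value, forbid_separator=False):
    """Return why `value` must not be stored, or None if it is acceptable."""
    if not value:
        return f"{field} is empty"
    for ch in value:
        # Category "Cc" covers \r, \n, \t, NUL and the other control characters.
        if unicodedata.category(ch) == "Cc":
            return f"{field} contains control character {ch!r}"
    if forbid_separator and SEPARATOR in value:
        return f"{field} contains the separator {SEPARATOR!r}"
    return None


def format_entry(username, secret):
    """Build one password-file line, refusing anything that would corrupt it."""
    for reason in (reject_reason("username", username, forbid_separator=True),
                   reject_reason("password", secret)):
        if reason:
            raise ValueError(reason)
    return f"{username}{SEPARATOR}{secret}\n"


def audit(raw):
    """List (line number, reason) for stored entries a line-based reader rejects.

    `raw` is the file content as bytes, so newline translation cannot hide a \\r.
    """
    findings = []
    for lineno, line in enumerate(raw.split(b"\n"), start=1):
        if not line:
            continue
        text = line.decode("utf-8", errors="replace")
        name, sep, secret = text.partition(SEPARATOR)
        if not sep:
            findings.append((lineno, "missing separator"))
            continue
        reason = reject_reason("username", name) or reject_reason("password", secret)
        if reason:
            findings.append((lineno, reason))
    return findings


# Constructed sample: the second entry ends in a stray \r, as in the report.
SAMPLE = b"alice:s3cret\nspammer:hunter2\r\nbob:pw\n"
```

Running `audit` over the existing file identifies which credentials need to be repaired or removed, while `format_entry` keeps new registrations from adding more.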
