Skip to content

Login form interprets usernames with only whitespace as the admin account #1790

New issue
New issue
Closed
#1796
Closed
Login form interprets usernames with only whitespace as the admin account#1790
#1796
Labels
topic/securitySomething leaks user information or is otherwise vulnerable. Should be fixed!type/bug
Milestone
 
1.2.0
@cstyles

Description

@cstyles
cstyles
opened on May 24, 2017
  • Gitea version (or commit ref): 1.1.1
  • Git version: 2.13.0
  • Operating system: Arch Linux
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

On the login page ("/user/login"), if the user enters a username that is just whitespace, Gitea will interpret the username as the admin account created during the setup process. So if the user enters a space in the username field and the admin account's password in the password field, it will log in successfully even if they don't know the admin username. It looks like the issue is in "models/login_source.go" around line 642:

user = &User{LowerName: strings.ToLower(strings.TrimSpace(username))}

After being trimmed of whitespace, the username string is empty. I believe this causes the lookup to return the first user account. Replacing that line with the following code fixed the issue for me but I haven't thoroughly tested it:

trimmedUsername := strings.TrimSpace(username)
if len(trimmedUsername) == 0 {
	return nil, ErrUserNotExist{0, username, 0}
}
user = &User{LowerName: strings.ToLower(trimmedUsername)}

Metadata

Metadata

Assignees

No one assigned

    Labels

    topic/securitySomething leaks user information or is otherwise vulnerable. Should be fixed!type/bug

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions