Username Special Characters Bug?

Started by Looking, April 23, 2018, 08:48:33 AM

Looking

I've noticed that when a user has a Username that has a special Swedish character, SMF does not treat it uniquely. For instance: FredrikÖ and FredrikO are seen as the 'same', so if I try to change the password for FredrikO it won't work unless I make FredrikO something like FredrikOa.

GigaWatt

Just tried registering a new user (FredrikÖ) on my forum. The username is displayed correctly.

"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Looking

That is not what I am pointing at. I am saying that if you have a member named "FredrikÖ" and one named "FredrikO" that SMF will have a problem updating the password of one.

GigaWatt

You're right. Actually, I can't even register a user named FredrikO if a user FredrikÖ already exists.

Quote: (FredrikO) This name is already in use by another member.


Illori



shawnb61

Sounds like a collation problem... I wonder if name must use binary collation?
Address the process rather than the outcome. Then, the outcome becomes more likely. - Fripp

Looking

I have not dived into it to check, but it seems to be a bug.

Aleksi "Lex" Kilpinen

I wonder, I wouldn't think the username would have anything to do with changing passwords.
What version exactly? What do you mean "it won't work" - what are the actual symptoms?

EDIT:
I just registered 2 users on my own ( Finnish UTF-8 ) forum - TestiOppilas and TestiÖppilas - and was unable to reproduce this problem.

I gave them different individual passwords, both worked.
I logged in and changed passwords for both of them successfully, they still worked.
I changed passwords for them as Admin, they still worked.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Looking

SMF 2. In the case of the names I gave it would say password updated successfully but not actually update the password. I would imagine an update like this would be based on ID but something is related to the name and special characters. Please test it on a UTF-8 SMF and see using the characters above.

Illori

I know to create the password hash it uses the username, so maybe that is part of the issue?

Aleksi "Lex" Kilpinen

Please see my edit above. I was able to reproduce the behavior GigaWatt described though, but that is another thing completely.

Looking

Aleksi, if you changed the password via Admin for each account, were you able to log in with each account using the new password?

Aleksi "Lex" Kilpinen


Looking

I wonder if this may be linked to a database that was changed to UTF-8 then?

Illori pointed out that it uses Username for verification, I may have to re-code that to work with ID instead.

Aleksi "Lex" Kilpinen

It might have something to do with your database setup yes - mine is also originally converted from an ISO 8859-1 installation, but has also been exported and imported more than once since then. Perhaps your conversion isn't complete?

Illori

Quote from: Looking on April 24, 2018, 12:46:02 PM
Illori pointed out that it uses Username for verification, I may have to re-code that to work with ID instead.

I did not say for verification, I said for the password hash, which is for security. You really don't want to change that to use the ID as that will make it less secure.

Aleksi "Lex" Kilpinen

Actually, sorry for double posting - but I just realized, GigaWatt was actually on to something with this, and I am just running slow today.
It should not be possible to register two names with only that difference, and because it isn't ( even for Admin ) I had to add another detail to set those 2 accounts apart.
Did not come to think of that - On a vanilla SMF 2.0 it should be impossible to end up in the situation you are in. ( And to my knowledge, that is intentional - not a bug )

EDIT: I believe you may end up in this situation if you originally were running 1.1.19 / 2.0.6 or an older version of SMF, and have since upgraded. This limitation was, to my knowledge, introduced to negate Username Unicode Homoglyph Spoofing Weakness Vulnerability (CVE-2013-7236) in older versions.
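The situation described in the post above (accounts that predate the uniqueness restriction and differ only by a diacritic or letter case) can be screened for offline. This is an added example, not SMF code and not something posted in the thread: the member rows are constructed, and `fold` only approximates an accent-insensitive database collation.

```python
import unicodedata
from collections import defaultdict

# Constructed sample rows (member id, username); not data from any real forum.
MEMBERS = [
    (1, "FredrikÖ"),
    (2, "FredrikO"),
    (3, "TestiOppilas"),
    (4, "TestiÖppilas2"),   # extra detail added, so it no longer collides
    (5, "fredriko"),
    (6, "Looking"),
]

def fold(name: str) -> str:
    """Screening key that ignores case and diacritics.

    NFKD splits 'Ö' into 'O' plus a combining diaeresis; the combining mark
    is dropped and the rest is case-folded. Real database collations use
    their own weight tables, so this is an approximation (assumption).
    """
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base.casefold()

def colliding_groups(rows):
    """Return {folded_key: [(id, name), ...]} for keys shared by 2+ accounts."""
    groups = defaultdict(list)
    for member_id, name in rows:
        groups[fold(name)].append((member_id, name))
    return {key: members for key, members in groups.items() if len(members) > 1}

def lookup_by_name(rows, name):
    """Ids that a name-based lookup would match under the folded comparison."""
    key = fold(name)
    return [member_id for member_id, other in rows if fold(other) == key]

def is_available(rows, candidate):
    """Registration-style check: refuse names that fold onto an existing one."""
    return not lookup_by_name(rows, candidate)

if __name__ == "__main__":
    for key, members in colliding_groups(MEMBERS).items():
        print(f"{key!r} is shared by: {members}")
    print("name lookup for FredrikO matches ids:", lookup_by_name(MEMBERS, "FredrikO"))
    print("FredrikO available for registration:", is_available(MEMBERS, "FredrikO"))
```

Any group this reports is a set of accounts where an operation keyed on the name rather than the numeric id can touch the wrong row.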

GigaWatt

Quote from: Aleksi "Lex" Kilpinen on April 24, 2018, 12:23:15 PM
I just registered 2 users on my own ( Finnish UTF-8 ) forum - TestiOppilas and TestiÖppilas - and was unable to reproduce this problem.

I couldn't register 2 users, one with an "O" character in the username and the other with the Ö character. The script kept returning the error I posted in this thread (my previous post).

And my forum is UTF-8 compatible. The English language files are not, but the database is converted and UTF-8 compatible.
