apache / couchdb-fauxton

Fauxton is the new Web UI for CouchDB
https://github.com/apache/couchdb-fauxton
Apache License 2.0

Fauxton accepts usernames/passwords with colon, semicolon, slash, or equal sign #1250

Open jausions opened 4 years ago

jausions commented 4 years ago

Description

Semicolon ;

It is currently possible, via Fauxton, to create admin usernames starting with a semicolon ;. We can log in with them; however, upon restart of the CouchDB service, these accounts are not active anymore. Evidently, since the usernames are added as-is to the .ini file, they become comment lines.

Slashes /

For slashes, it is possible to submit the form on Fauxton to create a username (such as withslash/), but the slash itself is stripped when the account is actually created.

Equal sign =

For the equal sign, it is possible to create the account and to log in with it. However, upon restart of CouchDB, the remaining user name is the part before the equal sign, with the password rehashed with the second part of the username (since CouchDB hashes the plaintext password in the .ini file).

Colon :

For the colon, it is possible to create the account and it persists in the .ini file. However, the login does not work properly. Upon submitting the login form on Fauxton we get a valid JSON response from the server with the user info payload, but any subsequent requests fail.

It is also a problem with Basic HTTP Authentication, as usernames can't have colons.

Steps to Reproduce

Fauxton : Your Account : Create Server Admin, with each of the following usernames:

- Username: ;semicolon
- Username: withslash/
- Username: my = user
- Username: with:colon

Expected Behaviour

Don't allow such usernames to be created.

Your Environment
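The following is an added example and not code from Fauxton or CouchDB. It shows the client-side check the issue asks for (reject usernames containing any of the four characters) next to two small simulations of why those characters break: a simplified ini-style parser using the conventional rules (a line starting with ";" is a comment, key and value split at the first "=") reproduces the semicolon and equal-sign behaviour described above, and an RFC 7617 Basic-auth decoder shows why a colon in the username cannot survive the "user:password" split. The parser is a model for illustration only; it does not reproduce CouchDB's own config code, and it does not model the slash-stripping reported for withslash/. The function names and the sample usernames are this example's assumptions.

```javascript
// Added example (not Fauxton/CouchDB code): validator plus two failure-mode
// simulations for admin usernames containing ':', ';', '/' or '='.

// Characters reported as problematic in the issue.
const FORBIDDEN = [':', ';', '/', '='];

// Returns null when the name is acceptable, otherwise a reason string that a
// form could surface to the user before the request is ever sent.
function checkAdminUsername(name) {
  if (typeof name !== 'string' || name.trim() === '') {
    return 'username must not be empty';
  }
  for (const ch of FORBIDDEN) {
    if (name.includes(ch)) {
      return `username must not contain "${ch}"`;
    }
  }
  return null;
}

// Minimal ini-style section parser (assumed conventional semantics, not
// CouchDB's parser): blank lines and lines whose first non-blank character is
// ';' or '#' are comments; every other line is split at its FIRST '='.
function parseIniSection(text) {
  const out = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue; // no key/value separator: ignore the line
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Simulate writing "<name> = secret" lines for each admin and reading the
// section back, as a restart would. ';semicolon' vanishes (comment line) and
// 'my = user' comes back as key 'my' with value 'user = secret'.
function adminsAfterRestart(names) {
  const text = names.map((n) => `${n} = secret`).join('\n');
  return parseIniSection(text);
}

// RFC 7617 Basic authentication: the credentials are base64("user:pass") and
// the receiver splits at the first ':', so a colon inside the username moves
// the rest of the name into the password.
function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

function parseBasicCredentials(header) {
  const b64 = header.replace(/^Basic\s+/i, '');
  const decoded = Buffer.from(b64, 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null; // malformed: no separator at all
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Constructed sample input: the four usernames from the issue plus a sane one.
const SAMPLE_NAMES = [';semicolon', 'withslash/', 'my = user', 'with:colon', 'alice'];

function demo() {
  for (const n of SAMPLE_NAMES) {
    console.log(JSON.stringify(n), '->', checkAdminUsername(n) || 'ok');
  }
  console.log('after restart:', adminsAfterRestart([';semicolon', 'my = user', 'with:colon', 'alice']));
  console.log('basic auth:', parseBasicCredentials(basicHeader('with:colon', 'pw')));
}

if (typeof require !== 'undefined' && require.main === module) demo();

module.exports = { checkAdminUsername, parseIniSection, adminsAfterRestart, basicHeader, parseBasicCredentials };
```

The validator belongs in the form that creates server admins, but a client-side check is only a convenience: the same rejection has to happen on the server (or in the config writer), since anyone can bypass Fauxton and call the admin endpoint directly.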

wohali commented 4 years ago

@jausions Thanks for the very complete description. This probably should be filed in https://github.com/apache/couchdb-fauxton , unless they are also problems if you directly edit local.ini and place these values in there. Can you test? We should add those issues into apache/couchdb#2188 .