Closed georgejhunt closed 2 years ago
I've confirmed that this critical security fix works.
Thank you @georgejhunt for these very important patches to firstuseauthenticator!
Congrats on your first merged pull request in this project! :tada: Thank you for contributing, we are very proud of you! :heart:
Thanks! I've updated this to call the normalize_username method, which encapsulates whatever JupyterHub does to normalize a username.
Prevent username with changed capitalization from taking over an existing username/password combination.
Root cause: JupyterHub lower-cases username, but firstuseauthenticator does not. So alternate capitalization of username gains access to, and creates a parallel path to, user files (multiple capitalizations of username have access).
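The root cause described above, modelled as an added example that is not firstuseauthenticator's or JupyterHub's own code. `FirstUseStore`, `_hash`, `demo` and the sample credentials are hypothetical, and the local `normalize_username` is a stand-in that models only the lower-casing mentioned in this thread.

```python
import hashlib
import hmac
import os


def normalize_username(name):
    # Stand-in (assumption): models only the lower-casing the hub applies.
    return name.lower()


def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class FirstUseStore:
    """Toy first-use password store: the first password seen for a key is kept."""

    def __init__(self, normalize_keys):
        self.normalize_keys = normalize_keys  # False = pre-fix, True = post-fix
        self._db = {}

    def authenticate(self, username, password):
        # Pre-fix behaviour keys the password record on the raw string typed
        # at login; post-fix keys it on the normalized name.
        key = normalize_username(username) if self.normalize_keys else username
        record = self._db.get(key)
        if record is None:
            # First use of this key: whatever password is supplied is stored.
            salt = os.urandom(16)
            self._db[key] = (salt, _hash(salt, password))
        else:
            salt, digest = record
            if not hmac.compare_digest(digest, _hash(salt, password)):
                return None
        # The hub maps the returned name to an account in lower case, so
        # every capitalization resolves to the same user and files.
        return normalize_username(username)


def demo(normalize_keys):
    # Constructed sample credentials.
    store = FirstUseStore(normalize_keys)
    owner = store.authenticate("alice", "owner-password")
    other = store.authenticate("Alice", "different-password")
    return owner, other


if __name__ == "__main__":
    print("store keyed on raw name:       ", demo(False))
    print("store keyed on normalized name:", demo(True))
```

A regression test for the fix can assert the second tuple: a differently capitalized login with a new password is rejected, while the original password still works under any capitalization.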