When a user id consists of Japanese characters (for example “てすと”), meta.git makes the commit with the system default author (not the user id) and a wrong message like “--author= mail@mail.com”.
I guess that some sanitizing process makes the variable $userid empty in meta.git as a result.
In 6.x, the author is properly set in the commit log made by meta.git in any case. However, in 7.x, the commit log made by meta.git is broken if the user id consists of chars that are invalid for SANITIZE_EMAILCHARS.
I think no chars in the userid should be replaced by an empty string during input processing, and special chars should be escaped during output processing.
For example:
Always keep the original user id in variables.
Replace XSS chars with HTML character entity references when you output the user id to the screen.
Escape special chars for LDAP when you build an LDAP filter query.
And so on.
If sanitizing input is mandatory for security reasons, I suggest validating input instead of sanitizing.
User ids should be validated when getting the result of listUsersPaginated() of AuthDriver, and users whose user id contains invalid chars should not be listed. A sanitized user id may cause unexpected problems.
By the way, according to RFC 6531, SMTPUTF8 permits international chars (above U+007F) encoded in UTF-8. I suggest making SANITIZE_EMAILCHARS permit international chars.
Note: This issue is from https://pydio.com/forum/f/topic/after-upgrade-to-pydio-6-2-2-unable-to-login-if-user-id-includes-slash/
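
The approach proposed in the post above (keep the raw id, validate it once, escape per output context), shown as an added Python example that is not from the post or from Pydio's code. The ASCII whitelist is a hypothetical stand-in for SANITIZE_EMAILCHARS, and the function names and the 64-character limit are assumptions.

```python
import html
import re
import unicodedata

# Hypothetical ASCII-only whitelist standing in for SANITIZE_EMAILCHARS;
# the real pattern is not shown in the post.
ASCII_ONLY = re.compile(r"[^a-zA-Z0-9_.@-]")

def sanitize(userid):
    """Lossy: silently deletes every character outside the whitelist."""
    return ASCII_ONLY.sub("", userid)

def is_valid_userid(userid):
    """Validate instead: accept or reject the whole id, never rewrite it."""
    if not userid or len(userid) > 64:  # 64 is an assumed limit
        return False
    # Reject control/format/unassigned (C*) and separator (Z*) code points.
    return all(unicodedata.category(ch)[0] not in "CZ" for ch in userid)

def html_text(userid):
    """Output context 1: HTML text or attribute value."""
    return html.escape(userid, quote=True)

def ldap_filter_value(userid):
    """Output context 2: value inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in userid)

def git_author_argv(userid, mail):
    """Output context 3: argv list for git, passed without a shell. The
    'Name <mail>' syntax itself reserves '<', '>' and line breaks."""
    if any(c in "<>\r\n" for c in userid + mail):
        raise ValueError("character reserved by the author format")
    return ["git", "commit", "--author=%s <%s>" % (userid, mail)]

if __name__ == "__main__":
    for uid in ["てすと", "a*)(uid=*", "<b>x</b>"]:  # constructed sample ids
        print(repr(sanitize(uid)), is_valid_userid(uid),
              html_text(uid), ldap_filter_value(uid))
    print(git_author_argv("てすと", "mail@mail.com"))
```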