Page MenuHomePhabricator
Create Task
Maniphest T355615

Bitu allows creating usernames with first character lowercase
Closed, ResolvedPublicSecurity
Actions

Description

The LDAP cn attribute directly maps to the Wikitech account username, and due to MediaWiki title naming rules the first character only is case-insensitive and the canonical representation should be always uppercase. It seems like as of T355060: Bitu changes the provided username Bitu is no longer ensuring that the first character is uppercase allowing users such as cn: arinaigum (1) be created.

Filing initially as private since I don't know how Wikitech behaves with two accounts that only differ by the first character capitalization.

Details

SubjectRepoBranchLines +/-
Capitalize first character in CNs.operations/software/bitumaster+43 -4
Customize query in gerrit

Related Objects

Event Timeline

taavi created this task.Jan 22 2024, 10:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 22 2024, 10:35 PM
SLyngshede-WMF changed the task status from Open to In Progress.Jan 23 2024, 8:52 AM
SLyngshede-WMF triaged this task as High priority.
SLyngshede-WMF added a comment.Jan 23 2024, 11:04 AM

Fix has been deployed, we'll just leave the task open for a bit, until we're sure that everything works.

SLyngshede-WMF closed this task as Resolved.Jan 23 2024, 2:28 PM
SLyngshede-WMF claimed this task.
taavi changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 23 2024, 2:29 PM
taavi changed the edit policy from "Custom Policy" to "All Users".
taavi added a comment.Jan 23 2024, 2:33 PM

How many users with a broken username are there? Do we want to do anything about those?

SLyngshede-WMF added a comment.Jan 23 2024, 2:44 PM

I just complied the list, there are 46. We can either go in and update their CN, I think that should be perfectly safe.

@MoritzMuehlenhoff what do you think, go in an modify the CNs or wait and see if someone complains?

SLyngshede-WMF added a comment.Jan 23 2024, 2:45 PM

I just need to double check, some are actually fixed.

SLyngshede-WMF added a comment.Jan 23 2024, 2:53 PM

Looking up each user in LDAP indicates that 24 might experience issues.

taavi mentioned this in T355591: Requesting access to wmf for arinaigum.Jan 25 2024, 7:45 PM
bd808 subscribed.Feb 12 2024, 6:39 PM

See T165795: Ldap auth extension vs. ldap vs. username Case for some historical context on LDAP cn values and MediaWiki that have led to some of this issue

SLyngshede-WMF moved this task from Backlog to Resolved on the Bitu board.Apr 11 2024, 10:45 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits