
uaa should not allow user creation with invalid email address(having special characters except @)

Open sravankumar777 opened this issue 4 years ago • 2 comments

SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to [email protected]

Thanks for taking the time to file an issue. You'll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.

What version of UAA are you running?

UAA Version: 60.2

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'

cf login (first time login to CF) with an invalid email address. Example: email id: sravan＠example-cf.com

How are you deploying the UAA?

I am deploying the UAA

  • using a bosh release I downloaded from bosh.io
  • using cf-deployment

What did you do?

  1. Login to CF as a first-time user with an invalid special character: sravan＠example-cf.com
  2. Login was successful, even though the '＠' symbol is not appropriate.

What did you expect to see? What goal are you trying to achieve with the UAA?

  1. User login with invalid special characters should not be allowed.
hi @uaateam,
We encountered a specific issue with special characters in the username and email address on uaadb.
1. We had a CF user who logged in for the first time with an email id like the one below.
  email id: sravan＠example-cf.com
  Login to the cf environment is successful & the user details are included in uaadb.
2. While trying to assign this particular cf user to any organization, it always fails.
  cf set-org-role sravan@example-cf.com <org name> <org role>
  Error message:
  FAILED
  Server error, status code: 404, error code: 20003, message: The user could not be found
There was a difference in characters between cf login & cf set-org-role.
cf login was performed with ＠example-cf.com
cf set-org-role was performed with @example-cf.com
$ echo ＠ | xxd
00000000: efbc a00a                                ....
$ echo @ | xxd
00000000: 400a                                     @.
We believe this character validation should be performed while doing the cf login.
CAPI Version: 1.66.0
UAA Version: 60.2

Slack conversation: https://cloudfoundry.slack.com/archives/C03FXANBV/p1574128025127300

sravankumar777 avatar Nov 21 '19 02:11 sravankumar777
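The validation the report asks for, written here as an added example; it is not code from UAA, CAPI or the cf CLI. It assumes a conservative ASCII allow-list (a hypothetical policy chosen for the example), rejects the fullwidth ＠ (U+FF20) before an account is created while naming the offending code point, and uses NFKC normalization to show why the two spellings look identical on screen yet are different byte strings to a database lookup. The sample addresses are constructed to mirror the xxd output in the report.

```python
import unicodedata

# Constructed sample inputs (not taken verbatim from the report): the first string
# carries U+FF20 FULLWIDTH COMMERCIAL AT, the second the ASCII '@' (U+0040), which is
# the difference the xxd output in the issue shows (ef bc a0 versus 40).
FULLWIDTH_AT = "\uff20"
LOGIN_EMAIL = "sravan" + FULLWIDTH_AT + "example-cf.com"
ROLE_EMAIL = "sravan@example-cf.com"

# Conservative allow-list for local part and domain. Hypothetical policy for this
# example; a real deployment would choose its own set.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "0123456789.-_+@")


def utf8_hex(s):
    """UTF-8 bytes of s as a hex string, the same view xxd gives in the report."""
    return s.encode("utf-8").hex()


def validate_email(addr):
    """Return (ok, reason). Reject at creation time rather than discovering the
    mismatch later on lookup.

    Non-ASCII characters are reported with code point and Unicode name so the
    rejection message says *which* look-alike character was used.
    """
    if not addr.isascii():
        bad = sorted({c for c in addr if ord(c) > 0x7F})
        names = ", ".join(
            "U+%04X %s" % (ord(c), unicodedata.name(c, "UNKNOWN")) for c in bad)
        return False, "non-ASCII character(s): " + names
    if any(c not in ALLOWED for c in addr):
        return False, "character outside allowed set"
    if addr.count("@") != 1:
        return False, "exactly one '@' required"
    local, _, domain = addr.partition("@")
    if not local or not domain or "." not in domain:
        return False, "malformed local part or domain"
    return True, ""


def same_after_nfkc(a, b):
    """True when two distinct strings collapse to the same value under NFKC.

    NFKC maps compatibility characters such as U+FF20 to their ASCII base ('@'),
    which is why the two addresses in the report render alike but do not match
    when one is stored and the other is used for the lookup.
    """
    return a != b and unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b)


if __name__ == "__main__":
    for addr in (LOGIN_EMAIL, ROLE_EMAIL):
        ok, reason = validate_email(addr)
        print(utf8_hex(addr), "valid" if ok else "rejected: " + reason)
    print("NFKC-equivalent:", same_after_nfkc(LOGIN_EMAIL, ROLE_EMAIL))
```

The point of rejecting rather than silently normalizing is that normalization applied in one component (say, at login) but not in another (say, the role-assignment lookup) reproduces exactly the mismatch described in the report; a strict check at the point where the user record is created keeps every later lookup byte-for-byte consistent.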

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/169884651

The labels on this github issue will be updated when the story is started.

cf-gitbot avatar Nov 21 '19 02:11 cf-gitbot

Already registered pivotal tracker ticket https://www.pivotaltracker.com/n/projects/997278/stories/169845668

sravankumar777 avatar Nov 21 '19 02:11 sravankumar777