This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Encoding of special characters in username upon failed authentication #649

Closed
vanderkleij opened this issue Dec 18, 2014 · 5 comments
Comments

@vanderkleij

Our usernames are in UPN format, that is [email protected]. If authentication fails, the user is shown the login form again with the username that he just entered. The "@" in the username then shows up as "\x40" however (user\x40domain.com).

This is due to a change in 7c8d92e that adds encoding of special characters in the username. Any encoding that is performed here is however encoded again in DefaultViewService.cs in BuildModel by SerializeObject. This causes the username to show up as user\x40domain.com.

I believe the fix is to just remove the JavaScript encoding introduced in 7c8d92e: any dangerous content in the username should get encoded by SerializeObject later on.
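The double encoding described above, reproduced as an added example (this is not IdentityServer3 code). `jsStringEncode` is a hypothetical stand-in for the JavaScript string encoding added in 7c8d92e, and `serializeForScript` stands in for what SerializeObject does in BuildModel: one JSON serialization, with `<` escaped so the value can be embedded in a script element. Encoding the username before that serialization produces the literal `\x40`; serializing once keeps the `@` intact and still neutralizes `</script>` in the username.

```javascript
// Added example, not code from the issue or the project.

// Hypothetical stand-in for the JavaScript-string encoding added in 7c8d92e:
// anything outside letters, digits, '.', '-' and '_' becomes \xHH (or \uHHHH).
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Stand-in for SerializeObject: JSON-serialize the view model and make the
// text safe to embed inside a <script> element ('<' and the JS line
// terminators U+2028/U+2029 are escaped; JSON.parse still restores them).
function serializeForScript(model) {
  return JSON.stringify(model)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// What the browser-side script ends up with after parsing the embedded JSON.
function roundTrip(serialized) {
  return JSON.parse(serialized);
}

// Buggy flow: the username is JS-encoded first, then serialized again, so the
// backslash of "\x40" is itself escaped and survives as literal text.
function buggyModelUsername(username) {
  const model = { username: jsStringEncode(username) };
  return roundTrip(serializeForScript(model)).username;
}

// Fixed flow: serialize once and let the serializer do all the escaping.
function fixedModelUsername(username) {
  const model = { username };
  return roundTrip(serializeForScript(model)).username;
}

// Defensive check: does the serialized script payload still contain a raw
// closing script tag that could break out of the <script> element?
function rawScriptCloseInSerialized(username) {
  return /<\/script/i.test(serializeForScript({ username }));
}

// Constructed sample inputs.
console.log(buggyModelUsername("user@domain.com"));        // user\x40domain.com
console.log(fixedModelUsername("user@domain.com"));        // user@domain.com
console.log(fixedModelUsername("a</script>b"));            // a</script>b
console.log(rawScriptCloseInSerialized("a</script>b"));    // false
```

The point for a reviewer is that encoding must match the output context exactly once: the JSON serializer already owns the "value inside a script block" context, so an extra JavaScript-string encoding upstream only corrupts legitimate input without adding protection.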

@brockallen brockallen self-assigned this Dec 18, 2014
@AdamDotNet

I was just about to write a question like this!
I use MVC to write out a completely custom IViewService and that JavaScript encoding as mentioned by vanderkleij is getting that exact same @ => \x40 character.

If something down the road needs this encoding in the default IViewService, is there some way we can choose to encode or not? Perhaps in the IViewService:

bool ShouldEncodeUsername { get; set; }

@brockallen
Member

This is a security concern. We'll sort it out.

@brockallen
Member

Ok, this has been fixed on dev. Please test to ensure it's now working for you. Thanks.

@AdamDotNet

I have downloaded MyGet build 10149 and the @ remains an @ after a failed login as desired. For now though, I'll be sticking to the mainstream NuGet build. Thank you.

@brockallen
Member

We'll be pushing a new NuGet in about a week for RC.
