[J!1.5] Apostrophe causing problems with login


Kashmiri

Sep 14, 2011, 8:15:00 AM
to Joomla! General Development
Hi,

I have developed an authentication plugin for a client to have users
login from another database.

That external db has emails with apostrophes and some of the users are
not able to login.

I see that in com_user controller we have
$credentials['username'] = JRequest::getVar('username', '', 'method',
'username');
and that removes apostrophes.

Is there any solution to this without hacking the core?

Thanks,

Version: J! 1.5

Nicholas K. Dionysopoulos

Sep 14, 2011, 8:25:48 AM
to joomla-de...@googlegroups.com
Hi,

Your problem is actually due to the security features of the Joomla! Platform. If you take a look at libraries/joomla/filter/filterinput.php around line 204 you will see the username filter's code:

$result = (string) preg_replace('/[\x00-\x1F\x7F<>"\'%&]/', '', $source);

So, there you have it. The single quote (apostrophe) is filtered out of the username, causing the issue you mentioned. There is a good reason why Joomla! doesn't allow single quotes in the username. Single and double quotes can be used to leverage a SQL injection attack vector on vulnerable components, modules and plugins to execute arbitrary SQL commands against the site's database. By filtering these out, Joomla! makes sure that this is not an option (at least not by manipulating the username). Apart from editing the external database so that usernames don't include single quotes or hacking the core (not recommended!) there is no other workaround.

Best regards,

-- 
Nicholas K. Dionysopoulos
Lead Developer, AkeebaBackup.com
--
You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.
To post to this group, send an email to joomla-de...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-gene...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-general?hl=en-GB.

Nick Savov

Sep 14, 2011, 1:03:54 PM
to joomla-de...@googlegroups.com
@Nicholas,
The only thing is that he mentioned that the apostrophe was for emails not
usernames. Does what you said still apply?

@Kashmiri
If the emails are the company's emails you might consider suggesting to
them to assign more standard email address without an apostrophe. As far
as I know and if memory serves me right, most major email companies
(gmail, yahoo, hotmail) don't allow apostrophes because there are many
implications from using them (with security being one such issue as
Nicholas mentioned).

Kind regards,
Nick


Nicholas K. Dionysopoulos

Sep 14, 2011, 1:07:39 PM
to joomla-de...@googlegroups.com
Hi Nick,

The code from the Joomla! Framework I copied to my last post is the "username" filter type. The incoming usernames are passed through this filter, so a username of "joseph d'adriatique" would become "joseph dadriatique" (notice the missing quote) and the login would subsequently fail as the username being authenticated does not exist. I really didn't care to take a look at the code for the email, but the single quote is anyway (at least as far as I know) neither a valid email username character nor a valid domain name character, so Joomla! should rightfully decline to process an email address containing quotes as a valid address.

Best regards,

-- 
Nicholas K. Dionysopoulos
Lead Developer, AkeebaBackup.com

Nick Savov

Sep 14, 2011, 1:18:36 PM
to joomla-de...@googlegroups.com
OK, that's what I was thinking as well. Hopefully that should help
Kashmiri come up with an informed decision.

Cheers,
Nick


Kashmiri

Sep 14, 2011, 6:16:44 PM
to Joomla! General Development
Hi,

Thanks for taking the time to look into this.

We are using emails to authenticate users, but the same goes for usernames
as they have apostrophes as well, e.g. o'brian and o'br...@website.com

@Nick
Changing emails is out of the question as these emails belong to the people
who are members of my client and we do not have access to their email
addresses. Yes, all major companies don't allow apostrophes, however
there are still quite a lot out there who are still using them in their own
email systems (this statement is based on the database I am working
with, as my client has a lot of companies as their members). There are a
lot of French, Irish and other European names that use apostrophes and
we cannot tell them all to change their emails.

@Nicholas
Thanks for sharing the code. I think if we do go ahead with a hack it
would be better to deal with it in the controller instead of changing
filterinput.php, as that might be used/needed in other code. Can a
single apostrophe in an email/username be a security risk on its own
(let's say if only one apostrophe is allowed)?

Regards

Marius van Rijnsoever

Sep 14, 2011, 7:46:08 PM
to joomla-de...@googlegroups.com
Hi,

You would have a couple of options:

1: Change the email address
(not an option, as is understandable)

2: Make core Joomla changes to the filter
(could have security implications)

3: Use JFusion to keep the same names without security implications
This would involve creating a JFusion plugin. JFusion automatically
handles this Joomla limitation with the help of an extra table. The
original username is stored in this jfusion table (which is used for
initial authentication), and a "safe" username is also stored in the
Joomla user table: o'br...@website.com will turn into
o_b...@website.com in the jos_user table. However, this is all done
automatically and the user does not know about this (they log in with
o'br...@website.com).

Another advantage of using JFusion for an authentication plugin is
that you can then automatically use many other features like usersync,
etc.

A basic introduction can be found on:
http://www.jfusion.org/docs/doku.php?id=dev;intro

You can see other jfusion example plugins on:
http://code.google.com/p/jfusion/source/browse/branches/1.6.x/administrator/components/com_jfusion/plugins/

Let me know if you need any more info.

Thanks, Marius

Marius van Rijnsoever

Sep 14, 2011, 7:56:32 PM
to joomla-de...@googlegroups.com
Or you could also replicate this yourself.

Create your own username "lookup" table and filter out the ' in your own code.
Your table will need a userid column (where the jos_user userid is for
that user) and a column to store the original unfiltered username.
This lookup table will prevent people from trying to hack an account,
i.e. they cannot log in with o_b...@website.com into the
o'br...@website.com account.

Thanks, Marius
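The following is an added example, not code from this thread, from Joomla! or from JFusion. It ties together the two technical points above: Nicholas's observation that the core "username" filter strips the apostrophe before an authentication plugin ever sees the value, and Marius's lookup-table workaround. The plugin side receives the already-filtered name, so the table stores exactly what that filter produces (the same regex, rather than JFusion's underscore substitution) as the "safe" key and maps it back to the original external username. Assumptions that are not from the thread: PHP 7 or later, the pdo_sqlite extension, an in-memory SQLite table standing in for the jos_user-linked lookup table, an in-memory array standing in for the external database, and constructed sample addresses such as o'brian@example.com. Inside a real Joomla! 1.5 plugin the same queries would go through JDatabase with $db->Quote() on every value.

```php
<?php
// Added example, not code from this thread, from Joomla! or from JFusion.
// Models the lookup-table workaround: the auth plugin receives the username
// AFTER Joomla! 1.5's "username" filter has stripped the apostrophe, so it
// needs a table that maps that filtered ("safe") form back to the original
// external username before it checks the external user store.
//
// Assumptions (not from the thread): PHP 7+, pdo_sqlite available, the
// external store simulated by an in-memory array, the lookup table as an
// in-memory SQLite table. In Joomla! you would use JDatabase + $db->Quote()
// or a prepared statement in exactly the same two places.

// Same character class as the "username" filter in
// libraries/joomla/filter/filterinput.php, so the stored safe name is
// byte-for-byte what the core login controller hands the plugin.
const USERNAME_FILTER = '/[\x00-\x1F\x7F<>"\'%&]/';

function safeUsername(string $original): string
{
    return (string) preg_replace(USERNAME_FILTER, '', $original);
}

function createLookupTable(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE on safe_username: two originals that collapse to the same safe
    // name (o'brian@... and obrian@...) must never share one Joomla account,
    // otherwise the second import would rebind the mapping to another user.
    $pdo->exec('CREATE TABLE username_lookup (
        user_id           INTEGER PRIMARY KEY,
        safe_username     TEXT NOT NULL UNIQUE,
        original_username TEXT NOT NULL UNIQUE
    )');
    return $pdo;
}

// Import step: register one external username. false means the safe form
// collides with an existing entry and an operator has to resolve it by hand.
function registerUser(PDO $pdo, string $original): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO username_lookup (safe_username, original_username) VALUES (?, ?)'
    );
    try {
        $stmt->execute([safeUsername($original), $original]);
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// Login step, as the plugin's onAuthenticate would do it: map the filtered
// username back to the original, then verify the password against the
// external store. The original is bound as a placeholder, never interpolated
// into SQL, because it now carries the character the core filter removed.
function authenticate(PDO $pdo, array $external, string $filteredUsername, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT original_username FROM username_lookup WHERE safe_username = ?'
    );
    $stmt->execute([$filteredUsername]);
    $original = $stmt->fetchColumn();
    if ($original === false || !isset($external[$original])) {
        return false;   // unknown user: same answer as a wrong password
    }
    return password_verify($password, $external[$original]);
}

// Constructed sample external database: email => password hash.
$external = [
    "o'brian@example.com" => password_hash('secret1', PASSWORD_DEFAULT),
    "d'arcy@example.com"  => password_hash('secret2', PASSWORD_DEFAULT),
    'plain@example.com'   => password_hash('secret3', PASSWORD_DEFAULT),
];

$pdo = createLookupTable();
foreach (array_keys($external) as $original) {
    registerUser($pdo, $original);
}

// What the core controller actually delivers to the plugin for o'brian,
// and the login succeeding only with the right password.
$fromForm = safeUsername("o'brian@example.com");
var_dump($fromForm);
var_dump(authenticate($pdo, $external, $fromForm, 'secret1'));
var_dump(authenticate($pdo, $external, $fromForm, 'wrong'));

// A later import of a user whose safe form already exists is refused
// instead of silently rebinding the mapping to the newcomer.
var_dump(registerUser($pdo, 'obrian@example.com'));
```

Two design points matter more than the table itself. First, the safe key is derived with the very same regex the core filter uses; if the plugin derived it differently (for instance replacing the quote with an underscore), the value arriving from the login form would never match a row. Second, restoring the apostrophe is only harmless because both the lookup query and the check against the external store bind it as a parameter; whether one apostrophe or many gets through the filter makes no difference to a query built with placeholders or $db->Quote(), and a single one is enough to alter a query built by string concatenation.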

Nick Savov

Sep 14, 2011, 9:56:39 PM
to joomla-de...@googlegroups.com
Wow, that's cool...and smart!!

Cheers,
Nick

Kashmiri

Sep 15, 2011, 8:37:51 AM
to Joomla! General Development
Thanks Marius,

Seems like a good workaround, we will look into it.

Regards