Over-zealous username validation in UI #1875

New Issue

Open

opened 2025-11-02 04:16:10 -06:00 by GiteaMirror · 10 comments

GiteaMirror commented 2025-11-02 04:16:10 -06:00

Owner

Copy Link

Originally created by @mrichar1 on GitHub (Jun 6, 2018).

• Gitea version (or commit ref): 1.4.1
• Git version: 1.8.3.1
• Operating system: Redhat EL7.4
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

We use kerberos via apache to authenticate hosts to gitea. Hosts have kerberos principals of the form git/host.example.com@EXAMPLE.COM which get translated to the username git/host.example.com

When we set ENABLE_REVERSE_PROXY_AUTO_REGISTRATION to true then these accounts are correctly created in gitea when the host runs git commands against our server. However since the account is 'new' it is not in the appropriate teams, so the first run fails, and we then have to set up team membership etc and re-run the processes.

To fix this I'm trying to pre-create these accounts using the UI - however when I try to create a new user with name git/host.example.com I receive the error Username must be valid alphanumeric, dash(-_) or dot characters.

Since auto-generated usernames with these characters seem to work fine, would it be possible to alter this validation to allow a broader range of usernames, filtering only those which would make gitea actually fail?

Originally created by @mrichar1 on GitHub (Jun 6, 2018). - Gitea version (or commit ref): 1.4.1 - Git version: 1.8.3.1 - Operating system: Redhat EL7.4 - Database (use `[x]`): - [x] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant - Log gist: ## Description We use kerberos via apache to authenticate hosts to gitea. Hosts have kerberos principals of the form `git/host.example.com@EXAMPLE.COM` which get translated to the username `git/host.example.com` When we set `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION` to `true` then these accounts are correctly created in gitea when the host runs git commands against our server. However since the account is 'new' it is not in the appropriate teams, so the first run fails, and we then have to set up team membership etc and re-run the processes. To fix this I'm trying to pre-create these accounts using the UI - however when I try to create a new user with name `git/host.example.com` I receive the error `Username must be valid alphanumeric, dash(-_) or dot characters.` Since auto-generated usernames with these characters seem to work fine, would it be possible to alter this validation to allow a broader range of usernames, filtering only those which would make gitea actually fail?

GiteaMirror added the type/proposaltopic/authentication labels 2025-11-02 04:16:10 -06:00

GiteaMirror commented 2025-11-02 04:16:11 -06:00

Author

Owner

Copy Link

@lafriks commented on GitHub (Jun 6, 2018):

/ can not be allowed as that could break functionality and even rise security issues

@lafriks commented on GitHub (Jun 6, 2018): `/` can not be allowed as that could break functionality and even rise security issues

GiteaMirror commented 2025-11-02 04:16:11 -06:00

Author

Owner

Copy Link

@mrichar1 commented on GitHub (Jun 6, 2018):

gitea currently allows / in usernames through auto-creation of accounts, and I have several accounts which seem to function correctly with such names. I guess this means that the auto-creation code doesn't follow the same codepath as the UI/API use?

I'm interested to know what security issues might arise from the username containing unexpected characters... I'd hope that all such fields were only ever used with appropriate escaping, with parameterized queries etc to avoid sql injection and similar issues.

I'd obviously be keen to keep / in usernames, since this is useful functionality to us - and I'd argue that it would be better to relax the validation and instead test what actually happens with extra characters.
That way the code can be improved to handle these cases, instead of arbitrarily limiting them because of the unknown effects they might have (especially since, as we can see here, there are unexpected routes to them existing!)

@mrichar1 commented on GitHub (Jun 6, 2018): gitea currently allows `/` in usernames through auto-creation of accounts, and I have several accounts which seem to function correctly with such names. I guess this means that the auto-creation code doesn't follow the same codepath as the UI/API use? I'm interested to know what security issues might arise from the username containing unexpected characters... I'd hope that all such fields were only ever used with appropriate escaping, with parameterized queries etc to avoid sql injection and similar issues. I'd obviously be keen to keep `/` in usernames, since this is useful functionality to us - and I'd argue that it would be better to relax the validation and instead test what actually happens with extra characters. That way the code can be improved to handle these cases, instead of arbitrarily limiting them because of the unknown effects they might have (especially since, as we can see here, there are unexpected routes to them existing!)

GiteaMirror commented 2025-11-02 04:16:11 -06:00

Author

Owner

Copy Link

@gszy commented on GitHub (Jul 29, 2018):

What’s your opinion on allowing @ in usernames?

@gszy commented on GitHub (Jul 29, 2018): What’s your opinion on allowing `@` in usernames?

GiteaMirror commented 2025-11-02 04:16:11 -06:00

Author

Owner

Copy Link

@lafriks commented on GitHub (Jul 29, 2018):

Also quite risky to break something. Would all git clients support such urls?

@lafriks commented on GitHub (Jul 29, 2018): Also quite risky to break something. Would all git clients support such urls?

GiteaMirror commented 2025-11-02 04:16:11 -06:00

Author

Owner

Copy Link

@gszy commented on GitHub (Jul 29, 2018):

TL; DR: don’t know…

git check-ref-format --branch 'a@a' returns 0, but man git-push doesn’t explain what characters are allowed in path/to/repo (in ssh://[user@]host.xz[:port]/path/to/repo.git/ example). Neither GitHub nor GitLab allow @ in usernames or project names.

@ is commonly used to mention a user or to refer to specific commit. Unless username’s first character is @ or it looks like me@something­‑that­‑looks­‑like­‑commit­‑SHA, that shouldn’t be a very big problem, though it would be if we could refer to branches, like me@master (could be solved with a config option).

@gszy commented on GitHub (Jul 29, 2018): TL; DR: don’t know… `git check-ref-format --branch 'a@a'` returns 0, but `man git-push` doesn’t explain what characters are allowed in `path/to/repo` (in `ssh://[user@]host.xz[:port]/path/to/repo.git/` example). Neither GitHub nor GitLab allow `@` in usernames or project names. `@` is commonly used to mention a user or to refer to specific commit. Unless username’s first character is `@` or it looks like `me@something­‑that­‑looks­‑like­‑commit­‑SHA`, that shouldn’t be a very big problem, though it would be if we could refer to branches, like `me@master` (could be solved with a config option).

GiteaMirror commented 2025-11-02 04:16:11 -06:00

Author

Owner

Copy Link

@lafriks commented on GitHub (Jul 29, 2018):

I do think that we should stick to current behaviour to not break things and keep compatibility with future changes (especially if we implement projects/groups under organizations).

@lafriks commented on GitHub (Jul 29, 2018): I do think that we should stick to current behaviour to not break things and keep compatibility with future changes (especially if we implement projects/groups under organizations).

GiteaMirror commented 2025-11-02 04:16:11 -06:00

Author

Owner

Copy Link

@cwchristerw commented on GitHub (Aug 16, 2020):

I need "-" to work in org name when transferring repo between orgs. When trying to transfer repository from "cwinfo-private" to "warengroup-private". UI will show error "The new owner name is not valid."

@cwchristerw commented on GitHub (Aug 16, 2020): I need "-" to work in org name when transferring repo between orgs. When trying to transfer repository from "cwinfo-private" to "warengroup-private". UI will show error "The new owner name is not valid."

GiteaMirror commented 2025-11-02 04:16:12 -06:00

Author

Owner

Copy Link

@silverwind commented on GitHub (May 31, 2024):

I think we should align our validation for org and repo name to a common denominator among forges like GitHub/GitLab. GitHub for example allow - as repo name, but not as a org name.

The most accurate description of what is allowed in repos is this:

it looks like github allows [A-Za-z0-9_.-], and transforms all other characters to "-".

For orgs:

The name may only contain alphanumeric characters or single hyphens, and cannot begin or end with a hyphen.

@silverwind commented on GitHub (May 31, 2024): I think we should align our validation for org and repo name to a common denominator among forges like GitHub/GitLab. GitHub for example allow `-` as repo name, but not as a org name. The most accurate description of what is allowed in repos is [this](https://stackoverflow.com/a/59082561/808699): > it looks like github allows [A-Za-z0-9_.-], and transforms all other characters to "-". For orgs: > The name may only contain alphanumeric characters or single hyphens, and cannot begin or end with a hyphen.

GiteaMirror commented 2025-11-02 04:16:12 -06:00

Author

Owner

Copy Link

@silverwind commented on GitHub (May 31, 2024):

So maybe these, and they could be made configurable I suppose.

• ^[A-Za-z0-9_.-]+$ for repos
• ^(?![-])[A-Za-z0-9]+(?:[-][A-Za-z0-9]+)*?(?<!-)$ for orgs

@silverwind commented on GitHub (May 31, 2024): So maybe these, and they could be made configurable I suppose. - `^[A-Za-z0-9_.-]+$` for repos - `^(?![-])[A-Za-z0-9]+(?:[-][A-Za-z0-9]+)*?(?<!-)$` for orgs

GiteaMirror commented 2025-11-02 04:16:12 -06:00

Author

Owner

Copy Link

@silverwind commented on GitHub (Sep 5, 2025):

As per https://github.com/go-gitea/gitea/issues/35408, org names, contrary to user names can at least end in a - and also --, so likely "cannot begin or end with a hyphen" does not apply to org names, only to user names.

@silverwind commented on GitHub (Sep 5, 2025): As per https://github.com/go-gitea/gitea/issues/35408, org names, contrary to user names can at least end in a `-` and also `--`, so likely "cannot begin or end with a hyphen" does not apply to org names, only to user names.

GiteaMirror referenced this issue 2025-11-02 12:02:18 -06:00

[PR #1875] [MERGED] Run unused test #16100

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/authentication type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#1875