Issue Type: Improvement
Resolution: Fixed
Priority: Minor
Labels: None
Got into this case during the fix of JENKINS-33600. I do not see any exploits in the code, but it seems SECURITY-166 by campbellr was not aggressive enough in String checking.
This code allows non-trimmed restricted usernames, hence I was able to create the " anonymous " account with "Anonymous " full name. The same can be done for SYSTEM as well. UIs do not present such trailing spaces, hence the UI looks to be "fine".
I have no obvious exploits in the code, but this logic gap may be a security issue if a plugin does not work with user IDs with spaces.
Is it a security issue or should we handle it as a common bug?
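As an added illustration of the gap described above (example code, not Jenkins' own User class; class and method names are hypothetical): a reserved-name check that compares the raw string against a blocklist lets " anonymous " and "SYSTEM " through, while a check that trims and case-folds the candidate before comparing rejects them.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Illustrative only: names and logic are hypothetical, not Jenkins' implementation.
public final class ReservedUserIdCheck {
    // Constructed blocklist for this example, mirroring the reserved ids named in the report.
    private static final List<String> RESERVED_IDS = Arrays.asList("anonymous", "system");

    // Weak check: exact, case-sensitive match only. " anonymous " and "SYSTEM " both pass.
    static boolean weakIsAllowed(String idOrFullName) {
        return idOrFullName != null && !RESERVED_IDS.contains(idOrFullName);
    }

    // Hardened check: reject null/blank input, then compare the trimmed, case-folded value.
    static boolean hardenedIsAllowed(String idOrFullName) {
        if (idOrFullName == null) {
            return false;
        }
        String normalized = idOrFullName.trim().toLowerCase(Locale.ROOT);
        if (normalized.isEmpty()) {
            return false;
        }
        return !RESERVED_IDS.contains(normalized);
    }

    public static void main(String[] args) {
        // Constructed samples: the two reserved names from the report, with and without padding.
        String[] samples = { "anonymous", " anonymous ", "SYSTEM ", "system", "alice" };
        for (String s : samples) {
            System.out.printf("%-14s weak=%-5b hardened=%b%n",
                    "\"" + s + "\"", weakIsAllowed(s), hardenedIsAllowed(s));
        }
    }
}
```

String.trim() only strips characters at or below U+0020, so a name padded with other Unicode whitespace (for example U+00A0) would still pass the hardened check here; that wider class of look-alike system names is what the linked JENKINS-39009 is about.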
Is related to: JENKINS-39009 User#isIdOrFullnameAllowed() should disallow system names with special symbols (Open)
[JENKINS-35967] Hardening: Jenkins should not allow creating users like " system " or "anonymous "
Field | Original | New
Summary | Jenkins allows creating users like " system " or "anonymous" | Jenkins allows creating users like " system " or "anonymous "
Link | | This issue is related to SECURITY-166 [ SECURITY-166 ]
Component/s | | core [ 15593 ]
Component/s | core [ 15738 ] |
Key | |
Workflow | Security v1.2 [ 171993 ] | JNJira [ 172595 ]
Project | Security Issues [ 10180 ] | Jenkins [ 10172 ]
Status | Untriaged [ 10001 ] | Open [ 1 ]
Assignee | | Oleg Nenashev [ oleg_nenashev ]
Status | Open [ 1 ] | In Progress [ 3 ]
Workflow | JNJira [ 172595 ] | JNJira + In-Review [ 185774 ]
Link | | This issue is related to JENKINS-39009 [ JENKINS-39009 ]
Resolution | | Fixed [ 1 ]
Status | In Progress [ 3 ] | Resolved [ 5 ]
Issue Type | Bug [ 1 ] | Improvement [ 4 ]
Summary | Jenkins allows creating users like " system " or "anonymous " | Hardening: Jenkins should not allow creating users like " system " or "anonymous "