#141 ✓resolved
Norbert

Potential problem with uppercase letters in login

Reported by Norbert | July 22nd, 2009 @ 05:57 PM

Hi, I'm a new user to authlogic (and rails) but I'd like to point out one potentially dangerous thing I noticed recently. I'm using authlogic 2.1.1 with rails 2.3.2 and jruby 1.3.1 with the default configuration (just calling acts_as_authenticate with no additional configuration options).

When I use the registration form (from the sample application) with 'Norbert'
(notice the first letter is capital) provided as the login I see this SQL executed:

INSERT INTO accounts (login, email, crypted_password, password_salt, persistence_token, single_access_token, perishable_token, login_count, failed_login_count, last_request_at, current_login_at, last_login_at, current_login_ip, last_login_ip, created_at, updated_at) VALUES('Norbert', 'aaa@aaa.com', '...', '...', '...', '...', '...', 1, 0, '2009-07-22 21:44:43', '2009-07-22 21:44:43', NULL, '127.0.0.1', NULL, '2009-07-22 21:44:43', '2009-07-22 21:44:43')

But when trying to login (again with 'Norbert') I noticed this query:

SELECT * FROM accounts WHERE (LOWER(accounts.login) = 'norbert') LIMIT 1

That means that authlogic uses the LOWER function on the login field during the login process but not during the registration process. This leads to a potential problem. It is possible to create two accounts 'Norbert' and 'norbert' (even if there's a unique constraint in the database and validates_uniqueness_of :login enabled), but then when you try to log in to the application authlogic will choose randomly (the first provided by the database) between them (both are seen as lowercase 'norbert') and may check the wrong password (e.g. 'Norbert' instead of 'norbert'). I think that authlogic should use the LOWER function in a consistent way (enabled everywhere or nowhere).

Best regards,
Norbert
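The mismatch described in the report, reproduced as an added in-memory model (this is not authlogic's code and it does not touch a database; the AccountStore class, the salt values and the passwords are constructed for the example). Registration checks uniqueness with an exact comparison, as a case-sensitive UNIQUE constraint or validates_uniqueness_of would, while login does the equivalent of SELECT ... WHERE LOWER(login) = ... LIMIT 1 and takes whichever row comes back first. The second function shows the consistent variant the reporter asks for: the uniqueness check is made case-insensitive as well, so the colliding registration is refused instead of silently shadowing an account at login time.

```ruby
require 'digest'

# Added example (not authlogic's code): a minimal stand-in for the
# accounts table plus the two code paths in the ticket.
class AccountStore
  Account = Struct.new(:login, :salt, :crypted_password)

  def initialize(case_insensitive_uniqueness: false)
    @rows = []                       # rows in insertion order, like a heap table
    @case_insensitive_uniqueness = case_insensitive_uniqueness
  end

  # Registration path. By default 'Norbert' and 'norbert' are distinct,
  # which mirrors a case-sensitive uniqueness check on the login column.
  def register(login, password)
    taken = if @case_insensitive_uniqueness
              @rows.any? { |r| r.login.downcase == login.downcase }
            else
              @rows.any? { |r| r.login == login }
            end
    return false if taken

    salt = "salt-#{@rows.size}"      # constructed; not a real random salt
    @rows << Account.new(login, salt, digest_password(password, salt))
    true
  end

  # Login path: the analogue of
  #   SELECT * FROM accounts WHERE (LOWER(accounts.login) = 'norbert') LIMIT 1
  # It returns the login of the first row that matches case-insensitively
  # and whose password verifies, or nil otherwise.
  def authenticate(login, password)
    row = @rows.find { |r| r.login.downcase == login.downcase }
    return nil unless row

    row.crypted_password == digest_password(password, row.salt) ? row.login : nil
  end

  private

  def digest_password(password, salt)
    Digest::SHA256.hexdigest("#{salt}#{password}")
  end
end

# Reproduce the problem: two logins that collide under LOWER().
# LIMIT 1 yields the 'Norbert' row for both users, so the second user's
# password is checked against the wrong row and can never log in.
def demonstrate_collision
  store = AccountStore.new
  store.register('Norbert', 'pw-for-Norbert')
  store.register('norbert', 'pw-for-norbert')
  [store.authenticate('norbert', 'pw-for-norbert'),   # nil: shadowed account
   store.authenticate('Norbert', 'pw-for-Norbert')]   # 'Norbert'
end

# Consistent handling: the uniqueness check ignores case too, so the
# second registration is rejected and any casing of the login resolves
# to the single remaining account.
def demonstrate_fix
  store = AccountStore.new(case_insensitive_uniqueness: true)
  first  = store.register('Norbert', 'pw-for-Norbert')
  second = store.register('norbert', 'pw-for-norbert')
  [first, second, store.authenticate('NORBERT', 'pw-for-Norbert')]
end

if __FILE__ == $PROGRAM_NAME
  p demonstrate_collision   # [nil, "Norbert"]
  p demonstrate_fix         # [true, false, "Norbert"]
end
```

The same reasoning applies to any column that is compared with a function at lookup time but validated raw at write time: whichever normalisation the lookup uses (LOWER here) has to be applied, or enforced, on the write path as well, otherwise a later user can register a value that the lookup cannot distinguish from an existing one.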
