Danbooru

Possible security flaw in Danbooru

Posted under General

My site is using a modified version of Danbooru 1.16 and there is a security flaw with a certain string of characters and perhaps 4-6 characters long. The on-screen rendering of it changed to a different string of characters when I viewed it with PhpPgAdmin, so I didn't have time to copy the original string down.

This string shows up as a blank character in Danbooru when used in forum posts, user names, etc. It allows someone to, for example, create an account named "Furvy" with this string preceding it and be visually indistinguishable from the real account "Furvy". It is sort of a way to spoof account names.

I just wanted to know from Albert or anyone else if this security flaw has been fixed, or how to prevent people from creating accounts with this string in it.

Updated by memento mori

Hmm, you might have rather PM'ed Albert or filed a ticket on the Trac rather than broadcasting possible active exploits in the forum...

You might try updating from 1.16 and see if that fixes anything though, since you are at least 2 or 3 versions back from what's currently available. I don't know how extensive your modifications are or how easy migration would be for you.

Updated

The modifications are not extensive and were done by someone else besides me. They wouldn't have anything to do with why this exploit works, I'm pretty sure. The person that performed the small modifications is the one who is using this exploit against us. I shall PM albert about this.

chainedwind said:
Didn't someone do this once with 葉月's name?

That was me. There was also a spammer who exploited this recently to register a blank username.

Furvy said:
I just wanted to know from Albert or anyone else if this security flaw has been fixed, or how to prevent people from creating accounts with this string in it.

The problem is that Unicode is permitted in usernames. There are a variety of ways to use Unicode to spoof strings or otherwise be obnoxious. The fix is to edit this line (line 36 of /app/models/user_methods/name_methods.rb) and change the regex to something like /\A[a-zA-Z0-9_]+\Z/. This restricts new usernames to alphanumerics + underscores.
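The rule suggested above, written out as a small Ruby check, is an added example and not Danbooru's own code. The thread never identifies the blank string that was used, so U+200B (ZERO WIDTH SPACE) is a constructed stand-in with the same on-screen effect. One caveat worth knowing when copying the regex: in Ruby `\Z` still matches before a trailing newline, so `\z` is the stricter anchor.

```ruby
# Added example (not Danbooru's code): ASCII-only username rule next to a
# demonstration of why it closes the look-alike account problem.

POSTED_RULE = /\A[a-zA-Z0-9_]+\Z/  # regex as written in the post
STRICT_RULE = /\A[a-zA-Z0-9_]+\z/  # \z = absolute end of string; "Furvy\n" no longer passes

# Returns true when the name is acceptable under the ASCII-only rule.
def valid_ascii_name?(name, rule = STRICT_RULE)
  !!(name =~ rule)
end

# Code points that render as nothing (or as an ordinary space) while still
# making the string distinct. A short illustrative list, not exhaustive.
INVISIBLE_CODEPOINTS = [
  0x200B, # ZERO WIDTH SPACE
  0x200C, # ZERO WIDTH NON-JOINER
  0x200D, # ZERO WIDTH JOINER
  0x2060, # WORD JOINER
  0xFEFF, # ZERO WIDTH NO-BREAK SPACE (BOM)
  0x00A0, # NO-BREAK SPACE
  0x3000, # IDEOGRAPHIC SPACE
].freeze

# Lists the invisible code points in a name, so existing accounts registered
# before the regex was tightened can be audited.
def invisible_codepoints(name)
  name.each_codepoint
      .select { |cp| INVISIBLE_CODEPOINTS.include?(cp) }
      .map { |cp| format("U+%04X", cp) }
end

# Two names that look identical on screen but are different accounts.
REAL_NAME  = "Furvy"
SPOOF_NAME = "\u200BFurvy"   # constructed: zero-width space + "Furvy"

if __FILE__ == $0
  puts "real == spoof?       #{REAL_NAME == SPOOF_NAME}"       # false
  puts "spoof byte length:   #{SPOOF_NAME.bytesize}"           # 8, not 5
  puts "real passes rule?    #{valid_ascii_name?(REAL_NAME)}"  # true
  puts "spoof passes rule?   #{valid_ascii_name?(SPOOF_NAME)}" # false
  puts "hidden code points:  #{invisible_codepoints(SPOOF_NAME).inspect}"
end
```

The `invisible_codepoints` helper is the defender-side half: the regex stops new registrations, but accounts created before the change are only found by scanning the existing user table for these code points.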

chainedwind said:
Didn't someone do this once with 葉月's name?

I had no idea.

evazion said:
IMO security is more important than someone's desire to have a neato username.

Bah, I would really, really hate to see Unicode usernames gone, for many reasons. IMHO a better way would be to do what browsers do, and blacklist certain combinations (such as latin + cyrillic) of scripts, as well as non-graphic characters.

I'm not sure what the best solution to this is. I don't think it's trivial to restrict names to one character set, or if that's even desirable. There are probably too many to blacklist every bad character.

I may just restrict to ASCII only until a better workaround is found.

albert said:
I'm not sure what the best solution to this is. I don't think it's trivial to restrict names to one character set, or if that's even desirable. There are probably too many to blacklist every bad character.

I may just restrict to ASCII only until a better workaround is found.

You mean in new usernames only? Otherwise it'd be a horribly intrusive change with no hope ever to convert most non-ascii usernames.

As for the algorithm, it's not trivial, but web browsers should have it down by now. No idea if there's any ruby implementation around which could be nicked.

The IDN blacklist is in http://kb.mozillazine.org/Network.IDN.blacklist_chars. It doesn't look complete… there are at least several Greek characters that look just like Latin. Don't know why they aren't included, maybe I misunderstand how it works.

edit: oh, because the others are taken care of by the IDN whitelist. So it's not incredibly useful after all.
It's pretty easy to normalize fullwidth/greek back to latin if that could be combined with it.

Updated
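The browser-style alternative discussed in the last few posts (keep Unicode names, but reject non-graphic characters and bad script mixes, and fold fullwidth and look-alike characters back to Latin for uniqueness checks), as an added Ruby example that is not Danbooru's code and not Mozilla's IDN data. The allowed script combination and the confusable table are constructed illustrations; the real confusables list is far larger, and the "Latin plus Japanese scripts" allowance is an assumption chosen because names like 葉月 are common on the site.

```ruby
# Added example (not Danbooru's code): Unicode username policy modelled on
# browsers' IDN display rules. Tables below are constructed, not complete.

SCRIPTS = {
  latin:    /\p{Latin}/,
  greek:    /\p{Greek}/,
  cyrillic: /\p{Cyrillic}/,
  han:      /\p{Han}/,
  hiragana: /\p{Hiragana}/,
  katakana: /\p{Katakana}/,
}.freeze

# Script mixes allowed in one name (assumption): any single script, or Latin
# together with the Japanese scripts. Latin+Cyrillic and Latin+Greek are not
# listed, so they are rejected.
ALLOWED_MIXES = [
  [:latin, :han, :hiragana, :katakana],
].freeze

# Characters with no visible glyph of their own: controls, format characters
# (zero-width space and friends), unassigned/private-use, and separators.
NON_GRAPHIC = /[\p{C}\p{Z}]/

# Tiny constructed subset of cross-script look-alikes.
CONFUSABLES = {
  "\u03BF" => "o",  # GREEK SMALL LETTER OMICRON
  "\u0430" => "a",  # CYRILLIC SMALL LETTER A
  "\u0435" => "e",  # CYRILLIC SMALL LETTER IE
}.freeze

# NFKC folds fullwidth "Ｆｕｒｖｙ" to "Furvy"; the table then maps the few
# look-alikes above. Use the result for uniqueness comparison, not display.
def canonical_name(name)
  name.unicode_normalize(:nfkc).gsub(/./) { |ch| CONFUSABLES.fetch(ch, ch) }
end

# Scripts present in the name; digits and punctuation (script Common) are ignored.
def scripts_used(name)
  name.each_char.flat_map { |ch| SCRIPTS.select { |_, re| ch =~ re }.keys }.uniq
end

def allowed_script_mix?(scripts)
  scripts.size <= 1 || ALLOWED_MIXES.any? { |mix| (scripts - mix).empty? }
end

# Returns nil when the name is acceptable, otherwise a short reason string.
def reject_reason(name)
  return "empty" if name.empty?
  return "non-graphic character" if name =~ NON_GRAPHIC
  scripts = scripts_used(name)
  return "mixed scripts: #{scripts.join('+')}" unless allowed_script_mix?(scripts)
  nil
end

if __FILE__ == $0
  ["Furvy", "葉月", "ねこFurvy", "\u200BFurvy", "alic\u0435", "Ｆｕｒｖｙ"].each do |n|
    puts "#{n.inspect}: #{reject_reason(n) || 'ok'} (canonical #{canonical_name(n).inspect})"
  end
end
```

Two checks work together here: `reject_reason` refuses names that cannot be displayed unambiguously, and `canonical_name` lets the uniqueness check treat "Ｆｕｒｖｙ" and "Furvy" as the same account even though both are made of graphic, single-script characters.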
