RestAuth/Username considerations: Unterschied zwischen den Versionen

Aus Free Software
Zur Navigation springen Zur Suche springen
K (Reverted edits by Ijicusyd (talk) to last revision by Astra)
Zeile 33: Zeile 33:
 
=== Drupal ===
 
=== Drupal ===
 
(fsinf.at)
 
(fsinf.at)
 +
 +
http://api.drupal.org/api/drupal/modules--user--user.module/function/user_validate_name/6
  
 
=== vBulletin ===
 
=== vBulletin ===

Version vom 22. April 2011, 02:26 Uhr

Survey on different systems

URL encoding

Since usernames are submitted as URL paramaters, they must be URL-encodable.

HTTP Basic authentication

Usernames must not contain a single colon (":") or ASCII control characters (0-31, 127). Additionally, the sequence "CR LF" followed by either a Space or a Horizontal Space is also a valid sequence.

For more information, please refer to Section 2, Basic Authentication Scheme of RFC2617[1] for detailed information.

MediaWiki

In order for a username to be legal, the username must be a valid page title (For the user page). Illegal characters for page titles are[2]

#<>[]|{}

Certain character sequences ("/..", etc.) are also illegal[3] but are already filtered by the general check.

Certain special usernames are also filtered: Characters that look like IPv6 or IPv6 characters and interesting Unicode characters, see User::isValidUserName() in includes/User.php:

$unicodeBlacklist = '/[' .
    '\x{0080}-\x{009f}' . # iso-8859-1 control chars
    '\x{00a0}' .          # non-breaking space
    '\x{2000}-\x{200f}' . # various whitespace
    '\x{2028}-\x{202f}' . # breaks and control chars
    '\x{3000}' .          # ideographic space
    '\x{e000}-\x{f8ff}' . # private use
    ']/u';

Additionally, MediaWiki filters new usernames that contain an "@" sign[4].

The maximum username length is 255 bytes (which is less then 255 characters, if you use multibyte characters). This is checked both by $wgMaxNameChars and by page name restrictions.

Drupal

(fsinf.at)

http://api.drupal.org/api/drupal/modules--user--user.module/function/user_validate_name/6

vBulletin

(informatik-forum.at)

phpBB

&quot; and " are always invalid.

By default, usernames are restricted to 'USERNAME_CHARS_ANY', which expands to the regex "^.+$"

Wordpress

XMPP

XMPP allows usernames in unicode, but some characters are forbidden:

"&'/:<>@

... as well as:

  • ASCII Space characters
  • Non-ASCII Space characters
  • ASCII Control characters
  • Non-ASCII Control characters

Linux system accounts

On Debian, usernames must neither start with a dash ("-") nor contain a colon (":") or any type of whitespace (" ", newline, etc.) and usernames may be up to 32 characters long[5]. Apparently, a slash ("/") is even a valid username, but you don't want this.

Windows system accounts

Windows has several reserved names that cannot be a valid username[6]. Additionally, some characters are invalid:

"/\[]:;|=,+*?<>

Otherwise, usernames can contain all other special characters, including spaces, periods, dashes, and underscores[7].

Email

Wikipedia provides good reference[8]:

The local-part of the e-mail address may use any of these ASCII characters:

  • Uppercase and lowercase English letters (a–z, A–Z)
  • Digits 0 to 9
  • Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
  • Character . (dot, period, full stop) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com).

Summary

ASCII table

char URLs HTTP basic auth MediaWiki Drupal vBulletin phpBB WordPress XMPP Linux Windows Email RestAuth
  Y Y Y N N N
! Y Y Y Y[n1] Y
" Y Y N N Y[n1] N
# Y Y N Y Y[n1] Y
$ Y Y Y Y[n1] Y
% Y Y Y Y[n1] Y
& Y Y N Y[n1] Y
' Y Y N Y[n1] Y
( Y Y Y Y[n1] N
) Y Y Y Y[n1] N
* Y Y Y Y[n1] Y
+ Y Y Y Y[n1] Y[n2]
, Y Y Y Y[n1] N
- Y Y Y Y[n3] Y
. Y Y Y Y[n1] Y[n4]
/ Y[n5] Y N N Y N
[0-9] Y Y Y Y[n6] Y
: Y N Y[n3][n7] N N N
; Y Y Y Y[n1] N
< Y Y N N Y[n1] N
= Y Y Y Y[n1] Y
> Y Y N N Y[n1] N
? Y Y Y Y[n1] Y
@ Y Y Y[n8] N Y[n1] N
[A-Z] Y Y Y Y[n1] Y[n9]
[ Y Y N Y Y[n1] N
\ Y Y Y Y[n1] N
] Y Y N Y Y[n1] N
^ Y Y Y Y[n1] Y
_ Y Y Y Y Y
` Y Y Y Y[n1] Y
[a-z] Y Y Y Y Y
{ Y Y N Y Y[n1] Y
| Y Y N Y Y[n1] Y
} Y Y N Y Y[n1] Y
~ Y Y Y Y[n1] Y
  1. often used as tag delimiter
  2. 3,0 3,1 must not start with this character
  3. not the first or last character, must not appear twice in a row
  4. Only theoretically supported, using it works very different depending on Django setup.
  5. Not recommended at start of username
  6. If the part before the ':' collides with a namespace or interwiki prefix, it is illegal to
  7. Blocked during account creation, see #MediaWiki.
  8. In practice, many systems are case insensitive

Minimum/Maximum username length

URLs HTTP basic auth MediaWiki Drupal vBulletin phpBB WordPress XMPP Linux Windows Email RestAuth
min 1 1 1
max -[m 1] - 255 bytes[m 2] 32

Conclusions

  • Names containing slashes ('/'), colons (':') and backslashes ("\") are illegal, no matter what. This makes our whole life easier.
  • Names containing ASCII control characters (<= 31, NOT space!) and DEL (#127) are also illegal. Note that this actually makes some usernames that could be used in an URL illegal: URLs can contain CRLF SP|HP according to the RFC!

Further reading

References