
Usernames


Posted Dec 7, 2024 1:52 UTC (Sat) by geofft (subscriber, #59789)
In reply to: Usernames by quotemstr
Parent article: Abusing Git branch names to compromise a PyPI package

Unfortunately, that wouldn't have helped in this case: all the characters in this string were printable ASCII with no whitespace (hence ${IFS} to get a space).

I would agree it doesn't make sense to allow things like dollar signs in usernames. I do think there's merit in considering permitting alphanumeric characters from other alphabets (accented Latin letters, Arabic, Devanagari, Hiragana, etc.)—but not their punctuation or whitespace, either. (Of course even this proposal deserves some careful consideration.)



Usernames

Posted Dec 7, 2024 14:54 UTC (Sat) by quotemstr (subscriber, #45331)

Sure. I'd actually want to apply David Wheeler's entire sanitization program: https://dwheeler.com/essays/fixing-unix-linux-filenames.html

Banning literal terminal control codes in usernames would merely be a good start.

Usernames

Posted Dec 8, 2024 3:51 UTC (Sun) by geofft (subscriber, #59789)

Oh, yeah, the rules proposed on that web page, at the very bottom, sound along the lines of what I was thinking - they do permit accented or non-Latin letters (which aren't currently allowed for usernames) and mandate UTF-8 encoding for those, but they forbid punctuation that is meaningful to the shell.
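
A validator for the policy sketched in this thread (letters and digits from any script, no punctuation, whitespace or control codes), as an added example that is not part of any comment above and is not David Wheeler's rules verbatim. The function name, the 32-character limit, the NFC requirement and the `_-.` extras are assumptions of this example.

```python
import unicodedata

MAX_LEN = 32            # assumed length limit for this example
EXTRA_OK = set("_-.")   # assumed ASCII extras, allowed only after the first character

def username_problems(name: str) -> list:
    """Return the reasons a username is rejected; an empty list means accepted."""
    if not name:
        return ["empty"]
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Require one canonical spelling, so canonically equivalent names cannot coexist.
    if unicodedata.normalize("NFC", name) != name:
        problems.append("not NFC-normalized")
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)   # e.g. Ll, Lo, Nd, Mn, Sc, Ps, Zs, Cc
        if cat[0] == "L" or cat == "Nd":
            continue                     # letter or decimal digit, any script
        if i > 0 and (cat in ("Mn", "Mc") or ch in EXTRA_OK):
            continue                     # combining mark or allowed extra, not leading
        problems.append(f"U+{ord(ch):04X} ({cat}) not allowed at position {i}")
    return problems

# Constructed sample names, not taken from any real system.
SAMPLES = [
    "geofft",
    "jos\u00e9",                      # accented Latin, precomposed (NFC)
    "\u092e\u0940\u0930\u093e",       # Devanagari, includes vowel signs (Mc)
    "\u305f\u308d\u3046",             # Hiragana
    "build${IFS}bot",                 # printable ASCII, no whitespace
    "\x1b[31mroot",                   # terminal control code
    "two words",                      # ASCII whitespace
    "jose\u0301",                     # decomposed form of jos\u00e9
    "-rf",                            # leading dash
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), username_problems(s) or "ok")
```

The check is an allowlist on Unicode general categories, so the `${IFS}` name is rejected for its `$`, `{` and `}` even though every character in it is printable ASCII.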

