Problem/Motivation

In Drupal, a user can submit a login in non-Latin characters (and this is great for me and other non-English communities, I think). But, for example, in the Unicode character table we have the Latin small letter "a" and the Cyrillic small letter "а". So we have the ability to create the user login "admin" with the first letter a Cyrillic "а", and for the login "webchik" we can create 3 duplicates.

On some websites, this could allow tricking admins into triggering some actions on the wrong account.

Steps to reproduce

If your website contains a user called "admin" and allows users to register, you can register a new user called "аdmin" (with a Cyrillic а).

Proposed resolution

We could use the NoSuspiciousCharacters constraint provided by Symfony: https://symfony.com/doc/current/reference/constraints/NoSuspiciousCharac...

NoSuspiciousCharacters will throw an exception if the intl extension is not available so we would need to require it (or make this constraint optional).

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-85826

Comments

killes@www.drop.org

Version: 4.7.3 » x.y.z

New features go into the devel version.

greggles

Title: Fake user login » prevent homographic logins
Version: x.y.z » 6.x-dev

Changing version and title to be more descriptive.

It might be nice to have an admin setting for "prevent homographic usernames" which would then trim and transliterate a name and see if a similar user exists before allowing accounts to be created. I've seen this before as "admin " (note the space on the end).

michelle

Version: 6.x-dev » 7.x-dev

Bumping version. No idea if this is still an issue.

Michelle

BartVB

This is still an issue in HEAD.

This can use the username field introduced in this issue:

http://drupal.org/node/279851

and should be inserted into user_validate_name() in user.module

Here's a nice paper describing this security problem:

http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf

phpBB has solved this problem by using 'username_clean' which is a sanitized version of the login/display name that's stored in 'username'. It uses the 'utf8_clean_string()' function defined in: http://code.phpbb.com/repositories/entry/5/trunk/phpBB/includes/utf/utf_...

Not sure if this should be set as 'bug report' instead of 'feature request'. IMHO this is a security problem, not just something that's "nice to have" :)

grendzy

Version: 7.x-dev » 8.x-dev
Issue tags: +Security improvements

grendzy

Assigned: Unassigned » grendzy

This has been accepted as a task for Google Code-In:
http://www.google-melange.com/gci/task/show/google/gci2010/drupal/t12904...

What this means is I'll be mentoring a student working on this task. While the initial work will be a D7 contrib module, webchick has asked for a canonical issue here to facilitate discussion with the community. Once the D7 module is working, we can then discuss how it might be incorporated into core for Drupal 8.

grendzy

Issue tags: +gci-hard, +gci-code, +gci-task

dmitrig01

from the other issue:
Hm, homographic logins would be usernames spelled with letters that look very similar. However, the transliteration module attempts to transliterate letters into the Roman alphabet, meaning that (1) letters that bear no resemblance to other letters get transliterated, and (2) letters that do bear a resemblance, but sound different, get transliterated into a different letter than their homographic equivalent in the Roman alphabet.

Thus, I don't think the transliteration is the right solution to this. I'm not sure of any other datasets that deal with this specific problem though.

An example where this would be a problem is the screenshot of the transliteration module: http://drupal.org/files/images/translit_0.thumbnail.png - looking at the first word, all letters but the "o" look completely different, and it would be pretty easy to distinguish (visually) usernames. If phpBB has a list of letters that look similar, we could use that.

The problem, basically, is what we're looking for is not transliteration, but a list of homographic letters. Transliteration is taking the sounds from one alphabet and putting them in another. We're not looking for the sounds at all -- this issue concerns the appearance.

dmitrig01

We can steal phpBB's list, which in any phpBB3 install is in includes/utf/data/confusables.php
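Added example (PHP, written for this page; it is not code from the issue, its fork, phpBB or the transliteration module) illustrating the point made in the two comments above. A "transliterate and compare" check catches the Cyrillic а in "аdmin" because а transliterates to "a", but it misses Cyrillic р, с and у, which look like Latin p, c and y yet transliterate to r, s and u. The ICU confusables table shipped with the PHP intl extension, reachable through Spoofchecker::areConfusable(), compares visual skeletons instead; it is the same kind of data as phpBB's confusables.php. The account names below are constructed and the function names are the example's own.

```php
<?php
// Added example, not part of the issue or its merge request.
// Requires the PHP intl extension (Transliterator and Spoofchecker).
declare(strict_types=1);

/**
 * The "transliterate and compare" approach: map a name to lowercase ASCII
 * by *sound*, so "аdmin" (Cyrillic а) becomes "admin".
 */
function transliteratedName(string $name): string
{
    static $translit = null;
    $translit ??= Transliterator::create('Any-Latin; Latin-ASCII; Lower')
        ?? throw new RuntimeException('intl transliterator unavailable');
    return $translit->transliterate($name);
}

/**
 * The homograph approach: ICU's confusables table reduces both names to a
 * visual "skeleton" and compares those, so letters that merely look alike
 * (Cyrillic р and Latin p) are treated as the same letter.
 */
function lookAlike(string $a, string $b): bool
{
    static $checker = null;
    $checker ??= new Spoofchecker();
    return $checker->areConfusable($a, $b);
}

// Constructed pairs: an existing account name and a candidate registration
// built from Cyrillic look-alikes (code points given for clarity).
//   U+0430 а ~ a  (transliterates to "a": transliteration catches it)
//   U+0440 р ~ p  (transliterates to "r": transliteration misses it)
//   U+0443 у ~ y  (transliterates to "u": missed)
//   U+0441 с ~ c  (transliterates to "s": missed)
$pairs = [
    ['admin',  "\u{0430}dmin"],
    ['paypal', "\u{0440}\u{0430}\u{0443}\u{0440}\u{0430}l"],
    ['cross',  "\u{0441}ross"],
];

foreach ($pairs as [$existing, $candidate]) {
    $translitDup = transliteratedName($existing) === transliteratedName($candidate);
    echo $existing, ' vs ', $candidate,
        ' | transliterated as "', transliteratedName($candidate), '"',
        ' -> ', $translitDup ? 'duplicate' : 'distinct',
        ' | confusable: ', lookAlike($existing, $candidate) ? 'yes' : 'no',
        "\n";
}
```

Run with `php homographs.php` on a PHP build with intl. The first pair is caught by both methods; the second and third come back "distinct" from the transliteration comparison but "confusable: yes" from the skeleton comparison, which is exactly the gap described above: transliteration encodes how a letter sounds, the confusables table encodes how it looks.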

jhedstrom

Version: 8.0.x-dev » 8.1.x-dev
Issue summary: View changes

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.0-beta1 was released on March 2, 2016, which means new developments and disruptive changes should now be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

prudloff made their first commit to this issue’s fork.

prudloff

The PHP intl extension provides a Spoofchecker::areConfusable() method that could be used for this, but comparing the new username to every existing user would probably be expensive.

Symfony also provides a NoSuspiciousCharacters constraint (which uses Spoofchecker::isSuspicious() internally): https://symfony.com/doc/current/reference/constraints/NoSuspiciousCharac...
This is probably a good solution, but it requires setting the expected locales (having Cyrillic letters in usernames on a Russian website would not be suspicious, for example). I suppose we could configure it using the locales enabled on the website.

prudloff

Title: prevent homographic logins » Prevent homographic usernames
Issue summary: View changes

prudloff

Status: Active » Needs review

Added a basic implementation.
The main caveat is that it heavily depends on the languages activated on the website (because that's the way NoSuspiciousCharacters and Spoofchecker work).
If we find this too restrictive, we could also use NoSuspiciousCharacters without restricting the allowed locales, it would still be useful to detect mixed character sets and invisible characters.

I'm not sure the failing AssetAggregationAcrossPagesTest is related?
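Added example (PHP, written for this page; it is not the code in the issue's merge request) showing how the Symfony NoSuspiciousCharacters constraint behaves under the locale trade-off raised in prudloff's two comments above. It assumes symfony/validator is installed through Composer and that the site's enabled Drupal langcodes (a constructed list here) can be passed through unchanged as ICU locale identifiers; the helper function names are the example's own. The restriction level is set explicitly to the "highly restrictive" level rather than relying on the constraint's default.

```php
<?php
// Added example, not the code in the issue's merge request.
// Requires the PHP intl extension and `composer require symfony/validator`
// (NoSuspiciousCharacters exists in symfony/validator 6.3 and later).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Validator\Constraints\NoSuspiciousCharacters;
use Symfony\Component\Validator\Validation;

/**
 * Build the username constraint from the site's enabled language codes.
 *
 * Assumption of this example: Drupal langcodes such as "en" or "ru" are passed
 * through unchanged as ICU locale identifiers. An empty list means "no locale
 * restriction": ICU then only applies the restriction level (for instance no
 * mixing of Latin with Cyrillic) and the invisible-character checks.
 */
function usernameConstraint(array $enabledLangcodes): NoSuspiciousCharacters
{
    return new NoSuspiciousCharacters(
        restrictionLevel: NoSuspiciousCharacters::RESTRICTION_LEVEL_HIGH,
        locales: $enabledLangcodes ?: null,
    );
}

/** Violation messages for $name; an empty array means the name is accepted. */
function validateUsername(string $name, array $enabledLangcodes): array
{
    $violations = Validation::createValidator()
        ->validate($name, usernameConstraint($enabledLangcodes));

    $messages = [];
    foreach ($violations as $violation) {
        $messages[] = (string) $violation->getMessage();
    }
    return $messages;
}

// Constructed candidate names.
//   U+0430 is CYRILLIC SMALL LETTER A, U+200B is ZERO WIDTH SPACE.
$candidates = [
    'Latin "admin"'               => 'admin',
    'mixed-script "аdmin"'        => "\u{0430}dmin",
    'all-Cyrillic "админ"'        => "\u{0430}\u{0434}\u{043C}\u{0438}\u{043D}",
    'zero-width space in "admin"' => "ad\u{200B}min",
];

// Three site configurations: English only, English + Russian, and no locale
// restriction at all (the fallback suggested in the comment above).
foreach ([['en'], ['en', 'ru'], []] as $langcodes) {
    echo 'Enabled languages: ',
        $langcodes ? implode(', ', $langcodes) : '(none, unrestricted)', "\n";
    foreach ($candidates as $label => $name) {
        $messages = validateUsername($name, $langcodes);
        echo '  ', $label, ': ',
            $messages ? 'rejected (' . implode('; ', array_unique($messages)) . ')' : 'accepted',
            "\n";
    }
}
```

What to look for in the output: the all-Cyrillic "админ" is rejected for an English-only site and accepted once "ru" is among the enabled languages, which is the dependency on the site's languages described above; the mixed-script "аdmin" and the name containing a zero-width space are rejected under all three configurations, including the unrestricted one, because the restriction-level and invisible-character checks do not depend on the locale list. Unlike Spoofchecker::areConfusable(), this check examines the submitted name on its own and never has to be compared against existing accounts.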

borisson_

Removing tags that are no longer relevant.
The new solution is well documented, but I'm not sure about the tradeoffs here, tagged for product manager review because of that.

prudloff

Status: Needs review » Needs work

I just noticed Drupal does not require the intl extension.
NoSuspiciousCharacters will throw an exception if this extension is not available.

We could either:

  • Require the intl extension
  • Skip this constraint if the extension is not available

prudloff

Status: Needs work » Needs review

I added the intl extension to dependencies.

needs-review-queue-bot

Status: Needs review » Needs work

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

prudloff

Status: Needs work » Needs review

I rebased the MR.

needs-review-queue-bot

Status: Needs review » Needs work

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

prudloff

Status: Needs work » Needs review

I rebased the MR.

needs-review-queue-bot

Status: Needs review » Needs work

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

prudloff

Assigned: grendzy » Unassigned
Status: Needs work » Needs review

I rebased the MR.

needs-review-queue-bot

Status: Needs review » Needs work

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

shalini_jha made their first commit to this issue’s fork.

shalini_jha

Rebased and fixed conflicts, but there are some pipeline failures.

prudloff

Status: Needs work » Needs review

I fixed the tests.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

needs-review-queue-bot

Status: Needs review » Needs work

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

prudloff

Status: Needs work » Needs review

I merged the latest main.

smustgrave

Status: Needs review » Needs work

prudloff

Issue summary: View changes
Status: Needs work » Needs review