Trying to log in using my username ____ doesn’t work, it displays this error (this bug has existed since I created the account):
Today I discovered a workaround, I can log in if I prepend a \ to my username:
It also works if I write my username like this \_\_\_\_
Using a single _ for the username (and removing the minlength of 3 of the field with the html inspector) logs me in too, but not into this account, I get logged in into my @Lee account that has the same password:
I haven’t read the code (I don’t think I can, I never managed to learn Rust) but my theory is that _ is being used as a placeholder or matchall value when comparing usernames and emails. If I escape it with \ it works because it matches my username. If I write a single unescaped _ it logs me into my other account because the email of that account is set to a single character “@” which should match a single matchall underscore.
Edit: the autocomplete field in the block users page seems to confirm my theory as it matches any username as long or longer than the number of underscores I write:
I think this is a backend error, with my poor Rust reading skills I arrived to this find_by_email_or_name function where I believe the problem is: https://github.com/LemmyNet/lemmy/blob/f24999027e26fc77cc3808674f4f37fb1883c20f/crates/db_views/src/local_user_view.rs#L85
It uses ilike which in SQL should allow things like % and _ to be used as placeholders for matching any character(s): https://www.postgresql.org/docs/14/functions-matching.html#FUNCTIONS-LIKE
So does this mean it’s possible to access any account that you know the password of if the wildcards are used for the username?
You need to know the exact length of the account name (it seems that % is filtered because it is not allowed in usernames and only underscores can be used as placeholders). The risk is minimal, the only possible exploit that comes to mind is trying a list of compromised/common passwords and testing each with underscore usernames of different lengths. That way you will be able to log in as the first person (by database query sort order) using a compromised/common password whose username (or email) has the same amount of characters as underscores you tried. So the usual advice applies: don’t use a compromised or common password and you will be safe, use a password manager and let it generate a random password for you if you can. Also this is easy to detect server side and if there is any kind of rate limiting the attack won’t work, I wouldn’t worry about this bug.
Great find!
Thanks!
Nice find, I’ll create a PR to fix this.
Sorry to bother you again, it took me some time to find this again on GitHub. This login bug I was experiencing was introduced when fixing this other login bug, you can see in that commit that
eq
was changed toilike
but now your new pull request reintroduces that old bug with the case-sensitiveness of the usernames during login. I think the solution to both bugs would be converting to uppercase before comparing witheq
(and having a computed uppercased column indexed on the database). I don’t know enough Rust to propose code changes or send a pull request, I hope my description of the solution is good enough for someone more knowledgeable to write the code.We did originally want to force usernames to be lowercase (to prevent confusing name conflicts, but haven’t forced any DB constraints on that yet, only for the actor_id column it looks like). For now due to the security implications, it makes sense to use
eq
instead ofilike
.