Trying to log in using my username ____ doesn’t work, it displays this error (this bug has existed since I created the account):

Today I discovered a workaround, I can log in if I prepend a \ to my username:

It also works if I write my username like this \_\_\_\_

Using a single _ for the username (and removing the minlength of 3 of the field with the HTML inspector) logs me in too, but not into this account; I get logged into my @Lee account, which has the same password:

I haven’t read the code (I don’t think I can, I never managed to learn Rust) but my theory is that _ is being used as a placeholder or matchall value when comparing usernames and emails. If I escape it with \ it works because it matches my username. If I write a single unescaped _ it logs me into my other account because the email of that account is set to a single character “@” which should match a single matchall underscore.

Edit: the autocomplete field in the block users page seems to confirm my theory, as it matches any username as long as or longer than the number of underscores I write:

  • DessalinesA
    3 years ago

    We did originally want to force usernames to be lowercase (to prevent confusing name conflicts, but haven’t forced any DB constraints on that yet, only for the actor_id column it looks like). For now due to the security implications, it makes sense to use eq instead of ilike.
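Added example, not part of the thread and not Lemmy's code: the behaviour reported above reproduced against a constructed table, with pattern matching beside the equality lookup suggested in the reply. The table layout, sample rows and function names are assumptions, and SQLite's `LIKE` (case-insensitive for ASCII) stands in for PostgreSQL's `ILIKE`.

```python
import sqlite3

# Constructed sample rows modelled on the report: an account named "____",
# another four-character name, and "Lee" whose email is the single character "@".
ROWS = [
    (1, "mary", "mary@example.invalid"),
    (2, "____", "u@example.invalid"),
    (3, "Lee", "@"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db

def find_like(db, login):
    """Pattern lookup: '_' in the submitted login matches any single character."""
    q = ("SELECT name FROM users "
         "WHERE name LIKE ? ESCAPE '\\' OR email LIKE ? ESCAPE '\\' ORDER BY id")
    return [row[0] for row in db.execute(q, (login, login))]

def find_exact(db, login):
    """Equality lookup: the submitted login is compared as a literal string."""
    q = "SELECT name FROM users WHERE name = ? OR email = ? ORDER BY id"
    return [row[0] for row in db.execute(q, (login, login))]

def escape_like(text):
    """Escape LIKE metacharacters for places that need a pattern (e.g. autocomplete)."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

if __name__ == "__main__":
    db = make_db()
    for login in ["____", "\\____", "\\_\\_\\_\\_", "_"]:
        print(f"{login!r:>14}  LIKE -> {find_like(db, login)}  = -> {find_exact(db, login)}")
    # Autocomplete-style prefix search that treats the typed text literally.
    print(find_like(db, escape_like("__") + "%"))
```

With the pattern lookup, `____` is ambiguous between two accounts and a lone `_` resolves to the account whose email is `@`; the equality lookup returns only the literal match.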