Groups have userregexps for the defaults to use for new users. This is overkill (bug 162331), but it's also a security hole. Given a userregexp of |.*@foo.com|, I can match that with an address of email@example.com. This is because there isn't any ^ or $ wrapping in InsertNewUser. What are bmo's regexps set to? :) landfill's are buggy this way.... This could arguably be called an error on the part of the admin, but since we don't give any examples.... ^ wrapping is probably going to break stuff, but $ shouldn't. Alternately, we can just have checksetup prepend ^.* and append $, and then update the help text so that admins can see what went wrong. I tested this locally by modifying /etc/hosts to make 127.0.0.1 an alias for bluemartini.com.localhost, and it worked.
bmo's group regexps are ok.
This is a documentation issue. Since we document that we use Perl regexps, people who know Perl regexps should know that you need a $ to terminate a regexp. Unless we've previously given examples that don't include the $, we probably shouldn't even release an advisory on this but just change the on-screen instructions to point it out. And maybe make a brief mention of it in the release notes.
cc:ing barnboy since this is a docs issue.
Hmm, I should reassign to barnboy rather than cc: him.
Assignee: myk → matthew
Component: User Accounts → Documentation
Sorry, work's had me busy the last week. Will add this to Bugzilla Guide and in-code documentation, will require review on code check-in.
We are starting to accumulate more items that are potential misconfigurations rather than bugs, but could be automatically checked for. This is happening at the same time as we should be expecting many more newbie admins. Should we add a "configcheck.cgi" that does some configuration audits?
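The following is an added illustration, not code from Bugzilla or from anyone in this bug. It shows the unanchored-regexp problem from the first comment and the kind of configuration audit the "configcheck.cgi" comment asks for. It is written in Python rather than Bugzilla's Perl; `re.search` stands in for Perl's unanchored `=~ /$regexp/` match, and the group table, group names and addresses are constructed for the example. The anchoring rule (prepend `^.*`, append `$`) is the one proposed in the first comment, not Bugzilla's actual checksetup behaviour.

```python
import re

# Constructed sample data (not from the bug report): a group -> userregexp
# table as an admin might have typed it, plus candidate login addresses.
SAMPLE_GROUPS = {
    "editbugs": r".*@foo.com",        # no terminating $ : matches too much
    "admins": r"^.*@foo\.com$",       # anchored and with the dot escaped
    "everyone": "",                   # empty means "no automatic membership"
}

def address_matches(userregexp, email):
    """Unanchored match, the way the first comment describes InsertNewUser:
    True if the pattern matches anywhere inside the address."""
    return re.search(userregexp, email) is not None

def ends_with_unescaped_dollar(userregexp):
    """True if the pattern ends in a literal end-of-string anchor ($),
    as opposed to an escaped dollar sign (\\$)."""
    return userregexp.endswith("$") and not userregexp.endswith(r"\$")

def anchor_userregexp(userregexp):
    """Wrap a regexp the way the first comment proposes: prepend ^.* if the
    admin gave no start anchor and append $ if there is no end anchor.
    Already-anchored patterns are returned unchanged."""
    if not userregexp.startswith("^"):
        userregexp = "^.*" + userregexp
    if not ends_with_unescaped_dollar(userregexp):
        userregexp = userregexp + "$"
    return userregexp

def audit_userregexps(groups):
    """Config-audit style check: return the names of groups whose userregexp
    is non-empty but lacks a terminating $, i.e. would also admit addresses
    that merely *start* with a matching domain (alice@foo.com.example.org)."""
    return sorted(
        name for name, rx in groups.items()
        if rx and not ends_with_unescaped_dollar(rx)
    )

if __name__ == "__main__":
    hole = r".*@foo.com"
    for addr in ("alice@foo.com", "alice@foo.com.example.org"):
        print(hole, addr, address_matches(hole, addr))
        print(anchor_userregexp(hole), addr,
              address_matches(anchor_userregexp(hole), addr))
    print("groups needing a $:", audit_userregexps(SAMPLE_GROUPS))
```

The audit only looks for the missing `$`, which is the point raised in this bug. Note that the unescaped `.` in `foo.com` is a separate, milder looseness (it matches any single character), which is why the constructed `admins` entry escapes it.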
It appears this was documented as part of bug 157756.
It's documented on the editgroups page itself as well, as of when all the groups stuff got changed around. I think this has been sufficiently taken care of.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED