Hlcy

joined 3 years ago
[–] [email protected] 2 points 3 years ago (1 children)

Sorry to bother you again, it took me some time to find this again on GitHub. This login bug I was experiencing was introduced when fixing this other login bug: you can see in that commit that eq was changed to ilike, but now your new pull request reintroduces that old bug with the case-sensitivity of usernames during login. I think the solution to both bugs would be converting to uppercase before comparing with eq (and having a computed uppercased column indexed on the database). I don't know enough Rust to propose code changes or send a pull request; I hope my description of the solution is good enough for someone more knowledgeable to write the code.

4
submitted 3 years ago* (last edited 3 years ago) by [email protected] to c/[email protected]
 

Some time ago I made a test community. The community has "no posts":

But it actually has two, this one is gone from the post list but it exists somewhere: https://lemmy.ml/post/44707

And this one: https://lemmy.ml/post/44682 (the latest mod action I see in the modlog was supposed to restore it but it still doesn't appear).

The sidebar looks like this:

"removed by mod" next to the join button, "Create a post" button disabled.

If I try to create a post using the community ID like this (copying the link from the disabled button): https://lemmy.ml/create_post?community_id=17127

I get this duplicate error ("deleted by creator" "deleted by creator"):

The community is this: https://lemmy.ml/c/___

Is this a bug? Something removed by the admins? Maybe removed by me and I forgot?

I forgot I had created that since it doesn't appear in my user page:

But I was recently able to log in using the lemmur app (writing my username like \___) and I saw it there so I remembered and decided to check.

Edit: The comments list can display comments: https://lemmy.ml/c/___/data_type/Comment/sort/Active/page/1 (unlike the posts list).

[–] [email protected] 2 points 3 years ago* (last edited 3 years ago) (2 children)

You need to know the exact length of the account name (it seems that % is filtered because it is not allowed in usernames, and only underscores can be used as placeholders). The risk is minimal; the only possible exploit that comes to mind is trying a list of compromised/common passwords and testing each with underscore usernames of different lengths. That way you will be able to log in as the first person (by database query sort order) using a compromised/common password whose username (or email) has the same number of characters as the underscores you tried. So the usual advice applies: don't use a compromised or common password and you will be safe; use a password manager and let it generate a random password for you if you can. Also, this is easy to detect server side, and if there is any kind of rate limiting the attack won't work. I wouldn't worry about this bug.

[–] [email protected] 4 points 3 years ago (7 children)

I think this is a backend error. With my poor Rust reading skills I arrived at this find_by_email_or_name function, where I believe the problem is: https://github.com/LemmyNet/lemmy/blob/f24999027e26fc77cc3808674f4f37fb1883c20f/crates/db_views/src/local_user_view.rs#L85

It uses ilike, which in SQL should allow things like % and _ to be used as placeholders for matching any character(s): https://www.postgresql.org/docs/14/functions-matching.html#FUNCTIONS-LIKE

10
submitted 3 years ago* (last edited 3 years ago) by [email protected] to c/[email protected]
 

Trying to log in using my username ____ doesn't work; it displays this error (this bug has existed since I created the account):

Today I discovered a workaround: I can log in if I prepend a \ to my username:

It also works if I write my username like this \_\_\_\_

Using a single _ for the username (and removing the minlength of 3 from the field with the HTML inspector) logs me in too, but not into this account: I get logged into my @Lee account, which has the same password:

I haven't read the code (I don't think I can, I never managed to learn Rust), but my theory is that _ is being used as a placeholder or match-all value when comparing usernames and emails. If I escape it with \ it works because it matches my username. If I write a single unescaped _, it logs me into my other account because the email of that account is set to a single character, "@", which should match a single match-all underscore.

Edit: the autocomplete field in the block users page seems to confirm my theory, as it matches any username as long as or longer than the number of underscores I write:
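The lookup bug described in this thread, modelled as an added example (not Lemmy's own code): a SQLite table stands in for the PostgreSQL local_user table, SQLite's case-insensitive LIKE stands in for ilike, and the table layout, account names and passwords are all constructed. It shows a single _ logging into the account whose e-mail is "@", four underscores matching an unrelated four-character name first, and an eq-on-lowercased-value lookup that fixes both that and the case-sensitivity problem.

```python
import sqlite3

# Constructed sample accounts (not real Lemmy data); ids give the "database sort order".
USERS = [
    (1, "Anna", "anna@example.org", "pw-anna"),
    (2, "____", "four@example.org", "shared-pw"),   # the four-underscore account
    (3, "Lee", "@", "shared-pw"),                   # single-character e-mail, same password
    (4, "bob_1", "bob@example.org", "pw-bob"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE local_user (id INTEGER, name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO local_user VALUES (?, ?, ?, ?)", USERS)
    return conn

def find_with_like(conn, who):
    # The buggy shape: a pattern match on user-supplied text. SQLite LIKE is
    # case-insensitive for ASCII, like PostgreSQL ILIKE, and treats _ and % as wildcards.
    return conn.execute(
        "SELECT id, name, password FROM local_user "
        "WHERE name LIKE ? OR email LIKE ? ORDER BY id LIMIT 1", (who, who)).fetchone()

def find_with_eq(conn, who):
    # The fix suggested in the thread: equality on a lowercased value keeps login
    # case-insensitive but gives _ and % no special meaning.
    return conn.execute(
        "SELECT id, name, password FROM local_user "
        "WHERE lower(name) = lower(?) OR lower(email) = lower(?) LIMIT 1", (who, who)).fetchone()

def login(conn, finder, who, password):
    # Returns the name of the account actually logged into, or None.
    # Plain-text compare only keeps the demo short; real code verifies a password hash.
    row = finder(conn, who)
    if row is None or row[2] != password:
        return None
    return row[1]

def demo():
    conn = make_db()
    return {
        "like_underscore": login(conn, find_with_like, "_", "shared-pw"),  # "Lee", via e-mail "@"
        "like_four": login(conn, find_with_like, "____", "shared-pw"),     # None: "Anna" matched first
        "eq_four": login(conn, find_with_eq, "____", "shared-pw"),         # "____"
        "eq_upper": login(conn, find_with_eq, "ANNA", "pw-anna"),          # "Anna": case still ignored
        "eq_underscore": login(conn, find_with_eq, "_", "shared-pw"),      # None: no wildcard
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```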