apache / couchdb-fauxton

Fauxton is the new Web UI for CouchDB

Home Page: https://github.com/apache/couchdb-fauxton

Fauxton accepts usernames/passwords with colon, semicolon, slash, or equal sign

jausions opened this issue · comments

Description

Semicolon ;

It is currently possible, via Fauxton, to create admin usernames starting with a semicolon ;. We can log in with them, however upon restart of the CouchDB service, these accounts are not active anymore. Evidently, since the usernames are added as they are to the .ini file, they become comment lines.

Slashes /

For slashes, it is possible to submit the form on Fauxton to create a username (such as withslash/), but the slash itself is stripped when the account is actually created.

Equal sign =

For the equal sign, it is possible to create the account and to log in with it. However, upon restart of CouchDB, the remaining user name is the part before the equal sign, with the password rehashed with the second part of the username (since CouchDB hashes the plaintext password in the .ini file).

Colon :

For the colon, it is possible to create the account and it persists in the .ini file. However the login does not work properly. Upon submitting the login form on Fauxton we get a valid JSON response from the server with the user info payload, but any subsequent requests fail.

It is also a problem with Basic HTTP Authentication, as usernames can't have colons.

Steps to Reproduce

Fauxton : Your Account : Create Server Admin
Username: ;semicolon
Username: withslash/
Username: my = user
Username: with:colon

Expected Behaviour

Don't allow such usernames to be created.

Your Environment

  • CouchDB Version used: 2.3.1
  • Browser name and version: Chrome 77
  • Operating System and version: Windows 10
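The four failure modes above all come down to the same thing: the username is written verbatim into a line of the form `name = password` in an .ini file, and later reused verbatim in `user:password` for HTTP Basic authentication. The following is an added example, not Fauxton's or CouchDB's own code: a validator that rejects the characters the report shows to be unsafe, plus a minimal .ini line reader and a Basic-credential splitter that make the misparse visible. The function names, the rejection rules and the sample usernames are assumptions made for the illustration; the real CouchDB .ini parser may differ in details.

```javascript
// Added example (not Fauxton or CouchDB code). Validates a proposed server-admin
// username against the characters reported in this issue, and shows why each
// one is a problem by mimicking how the .ini line and the Basic auth
// credential would be parsed afterwards.

// Each rule returns true when the name must be rejected. Rule names and
// ordering are assumptions for this example.
const REJECT_RULES = [
  { test: (n) => n.length === 0 || n.trim() !== n,
    reason: 'username is empty or has leading/trailing whitespace' },
  { test: (n) => n.startsWith(';'),
    reason: 'username starts with a semicolon (becomes an .ini comment line)' },
  { test: (n) => n.includes('/'),
    reason: 'username contains a slash (stripped when the account is created)' },
  { test: (n) => n.includes('='),
    reason: 'username contains an equal sign (splits the .ini key/value)' },
  { test: (n) => n.includes(':'),
    reason: 'username contains a colon (breaks HTTP Basic user:password)' },
];

// Returns null when the username is acceptable, otherwise the rejection reason.
function validateAdminUsername(name) {
  for (const rule of REJECT_RULES) {
    if (rule.test(name)) return rule.reason;
  }
  return null;
}

// Build the "<username> = <stored password>" line as it would be written to
// the [admins] section of the .ini file.
function adminIniLine(username, storedPassword) {
  return `${username} = ${storedPassword}`;
}

// Minimal .ini line reader: leading ';' is a comment, first '=' splits
// key and value. This is a simplification of typical .ini parsing, not
// CouchDB's parser.
function parseIniLine(line) {
  const trimmed = line.trim();
  if (trimmed === '' || trimmed.startsWith(';')) {
    return { kind: 'comment' };
  }
  const idx = trimmed.indexOf('=');
  if (idx < 0) return { kind: 'invalid' };
  return {
    kind: 'pair',
    key: trimmed.slice(0, idx).trim(),
    value: trimmed.slice(idx + 1).trim(),
  };
}

// HTTP Basic credentials are "user:password" (base64-encoded on the wire) and
// are split at the FIRST colon, so a colon inside the username moves the rest
// of the name into the password.
function splitBasicCredentials(userPass) {
  const idx = userPass.indexOf(':');
  if (idx < 0) return { username: userPass, password: '' };
  return { username: userPass.slice(0, idx), password: userPass.slice(idx + 1) };
}

// Walk through the four usernames from the report (constructed sample data).
function demo() {
  const names = [';semicolon', 'withslash/', 'my = user', 'with:colon', 'alice'];
  for (const name of names) {
    const verdict = validateAdminUsername(name);
    console.log(JSON.stringify(name), '->', verdict === null ? 'accepted' : `rejected: ${verdict}`);
    console.log('   ini line parses as:', JSON.stringify(parseIniLine(adminIniLine(name, 'STORED_HASH'))));
  }
  console.log('Basic auth split:', JSON.stringify(splitBasicCredentials('with:colon:s3cret')));
}

demo();
```

Running the block shows the effects described in the report: `;semicolon = STORED_HASH` parses as a comment, `my = user = STORED_HASH` yields the key `my` with the value `user = STORED_HASH` (which is what would then be hashed), `with:colon` survives in the file but the Basic credential `with:colon:s3cret` splits into user `with` and password `colon:s3cret`. The validator rejects all four before any of that can happen.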

@jausions Thanks for the very complete description. This probably should be filed in https://github.com/apache/couchdb-fauxton, unless they are also problems if you directly edit local.ini and place these values in there. Can you test? We should add those issues into apache/couchdb#2188.