Escape defaults causing mixed case usernames to have problems with the SystemUserSpawner #495
Comments
|
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗 |
I don't think so, since mixed-case definitely can cause problems in various places, but we could consider it with sufficient testing. But if you know that usernames are always safe in your particular deployment, you can use |
Bug description
(This is related to an issue posted in the Oauthenticator repo as well).
In our setup, we have a deployed multiuser system, where user accounts are created by ansible from membership within a GitHub team. We don't have any say over our user's GitHub usernames, but being that it is GitHub, they are all valid POSIX usernames. We're running a Jupyterhub instance (through Docker) where we are using Github Oauth for authentication, and the System User Spawner from the Docker Spawner to have the users' home space be mounted within the raised docker container.
For users with usernames only using lowercase characters, everything works as expected. However, if a user has a mixed case username, the spawner fails since the username passed on by the authenticator (where we override the normalization of the username) gets escaped, and no home directory is found for the sanitized username. At the moment, we are using the
c.DockerSpawner.escape = "legacy"option as a workaround, but this isn't optimal from a security standpoint.At least in some cases (such as jupyterhub/oauthenticator#168) the username provided by the authenticator will be mixed case. Can the behaviour of the default escape method be to accept mixed case usernames?
Thanks kindly!
Your personal set up
We are using the JupyterHub docker container (v4.0.1) on a multiuser Ubuntu host VM.
OS:
Ubuntu 20.04
Version(s):
JupyterHub: 4.0.1
Oauthenticator: 16.0.1
Dockerspawner: 12.1.0
The text was updated successfully, but these errors were encountered: