GitLab should allow usernames which match file extensions
Summary
GitLab prevents usernames being created which have certain file extensions. This includes new user creation and existing username changes. Trying to do so results in the error "Username ending with a reserved file extension is not allowed."
This means that many users cannot use the common firstname.lastname pattern if their last name matches a prohibited word, a common example being .patch. This is especially problematic for customers who use automatic methods of account creation such as LDAP or social integrations.
The reason for this behaviour seems to be related to the way that GitLab structures URLs, which potentially expose user-entered data as inputs rather than simply just strings, and may be to do with how nginx parses these inputs.
In the past, we've worked around this issue by banning the use of those interpreted file extensions in usernames, but this solution is not effective for customers, nor generally sustainable.
Related ticket (internal only): https://gitlab.zendesk.com/agent/tickets/261550
Related issues/MR:
Steps to reproduce
- Browse to https://gitlab.com/users/sign_up
- Fill out the form with a username shem.patch
- Click Register
- Observe the error message: Username ending with a reserved file extension is not allowed.
What is the current bug behavior?
"Username ending with a reserved file extension is not allowed." is displayed when trying to create a new user or update an existing user with a username that contains an interpreted filetype.
What is the expected correct behavior?
We should not restrict usernames that match filetypes.
Output of checks
This bug happens on GitLab.com
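Added illustration (not part of the original issue and not GitLab's code): a simplified model of a route with an optional format suffix, showing one way the URL interpretation described in the summary can make a username such as shem.patch ambiguous, and how the extension ban removes that ambiguity. The route shape, the function names, the sample usernames and every registered format other than patch are assumptions.

```ruby
# Simplified model of a Rails-style route "/:username(.:format)".
# Assumption: this is NOT GitLab's router. REGISTERED_FORMATS is a constructed
# sample, apart from "patch", which is the extension named in the issue.
REGISTERED_FORMATS = %w[patch diff atom json].freeze

# Split a request path the way a format-aware route would: a trailing
# ".<ext>" is taken as the response format only if <ext> is registered.
def parse_profile_path(path)
  segment = path.delete_prefix("/")
  base, dot, ext = segment.rpartition(".")
  if !dot.empty? && !base.empty? && REGISTERED_FORMATS.include?(ext.downcase)
    { username: base, format: ext.downcase }
  else
    { username: segment, format: nil }
  end
end

# The workaround the issue describes: refuse usernames whose last dotted
# component is a registered format, so a path can never be read both ways.
def reserved_extension?(username)
  REGISTERED_FORMATS.any? { |ext| username.downcase.end_with?(".#{ext}") }
end

# For each candidate username, report whether its profile URL would be
# routed to a different account name and whether the ban would reject it.
def audit(usernames)
  usernames.map do |name|
    parsed = parse_profile_path("/#{name}")
    { username: name,
      routed_to: parsed[:username],
      format: parsed[:format],
      ambiguous: parsed[:username] != name,
      rejected: reserved_extension?(name) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample usernames, e.g. from a directory export.
  audit(%w[shem.patch shem jane.doe sam.Patch]).each { |row| puts row.inspect }
end
```

In this model, every username the router would misread is also one the ban rejects, which is why the ban works as a stopgap and why lifting it requires the routing layer to stop treating the suffix as a format.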