_ACCEPTABLE_USER_RE is overly strict #11
Description
By my reading of ssh.py and sshd(8), section "AUTHORIZED_KEYS FILE FORMAT", the risks being blocked by this username validation are:
- Double-quote: would close the command= option
- Backslash and comma: potentially risky because the parsing isn't clearly specified
- Whitespace: would prematurely terminate the username argument to gitosis-serve
- Shell special characters: unspecified whether sshd runs the command through a shell so best to assume it does; also the user is passed to hooks through the GITOSIS_USER environment variable
- Non-printable-ASCII characters: uncertain
The last two suggest that the exact set of safe characters is system- and perhaps even locale-dependent. Nonetheless, we can say for certain that what constitutes a valid username, hostname, or email address on any particular system does not enter into it.
I got bit by this, and I'm not the only one, so might I suggest the more permissive yet still conservative regexp:
^[a-zA-Z0-9@_.-]+$
Incidentally, this is closer to what one might have expected from reading the commit message on cbea178.
A risk would be if people have built hooks using GITOSIS_USER that rely on the current validation. Given that it's not documented as any sort of stable thing, I would suggest that such users should either be doing their own validation or else looking closely for any changes that might affect their assumptions before upgrading.