

Richard Jones  committed ab68309

a few places where the user-supplied username should be matched case-insensitively

  • Parent commits dffe9d9
  • Branches default


Files changed (2)

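--- a/store.py
+++ b/store.py
         return otk
     _User = FastResultRow('name password email gpg_keyid last_login!')
-    def get_user(self, name):
+    def get_user(self, name, case_sensitive=True):
         ''' Retrieve info about the user from the database.
             Returns a mapping with the user info or None if there is no
             such user.
         cursor = self.get_cursor()
-        safe_execute(cursor, '''select name, password, email, gpg_keyid, last_login
-            from users where name=%s''', (name,))
+        if case_sensitive:
+            sql = '''select name, password, email, gpg_keyid, last_login
+                from users where name=%s'''
+        else:
+            sql = '''select name, password, email, gpg_keyid, last_login
+                from users where lower(name)=lower(%s)'''
+        safe_execute(cursor, , (name,))
         return self._User(None, cursor.fetchone())
     def get_user_by_email(self, email):
         safe_execute(self.get_cursor(), "delete from rego_otk where otk=%s",
-    def get_otk(self, name):
+    def get_otk(self, username):
         ''' Retrieve the One Time Key for the user.
+        Username must be a case-sensitive match.
         cursor = self.get_cursor()
-        safe_execute(cursor, "select otk from rego_otk where name=%s", (name, ))
+        safe_execute(cursor, 'select otk from rego_otk where name=%s',
+            (username, ))
         res = cursor.fetchone()
         if res is None:
             return ''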
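Review bot: The case-insensitive branch of get_user (`where lower(name)=lower(%s)`) can match more than one row if the users table is only unique on the exact `name`, and the `cursor.fetchone()` at the end of the method silently returns whichever row the database yields first, so the login and password-reset callers in webui.py that now pass `case_sensitive=False` would act on an arbitrary one of the colliding accounts. Before relying on this lookup the table needs a unique index on `lower(name)` (which also lets the new query use an index instead of scanning), and the method should refuse ambiguity rather than pick: `rows = cursor.fetchall()`, `if len(rows) > 1: raise ValueError('ambiguous user name %r' % name)`, `return self._User(None, rows[0] if rows else None)` — assuming FastResultRow treats a None row as "no user" the way the docstring describes. Note also that `lower()` is evaluated by the database under its collation, so which names collide may differ from what Python-side code expects. As rendered here, the new line `safe_execute(cursor, , (name,))` is missing its SQL argument (presumably `sql`); worth confirming against the actual commit.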

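--- a/webui.py
+++ b/webui.py
         # Fetch the user from the database
-        user = self.store.get_user(un)
+        user = self.store.get_user(un, case_sensitive=False)
         # Verify the hash, and see if it needs migrated
         ok, new_hash = self.config.passlib.verify_and_update(pw, user["password"])
                 title="Request password reset", retry=True)
-        user = self.store.get_user(name)
+        user = self.store.get_user(name, case_sensitive=False)
         # typically other systems would not indicate the username is invalid
         # but in PyPI's case the username list is public so this is more
         # user-friendly with no security penalty
         if not user:
-            self.fail('user name unknown to me')
+            self.fail('user "%s" unknown to me' % name)
         # existing registration OTK?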
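Review bot: The new failure message `self.fail('user "%s" unknown to me' % name)` interpolates the raw submitted username into a page shown back to the requester, and nothing in this hunk shows `self.fail` escaping its argument; if it renders the string as HTML this is a reflected XSS sink on the password-reset form. Either confirm that `fail` HTML-escapes its message (and record that in a comment beside the call, e.g. `# fail() escapes its message before rendering`), or escape at the call site: `self.fail('user "%s" unknown to me' % cgi.escape(name, True))`. The case-insensitive lookups added here (`get_user(un, case_sensitive=False)` at login and in the reset path) share the duplicate-match concern raised on store.py; the reset path in particular would mail whichever colliding account the query returns first. Both enclosing methods start before and continue after the lines shown.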