I have searched the web with no joy, I want to know what restrictions Joomla places on a valid username.
For example, min and max length.
Illegal characters.
Looking at the database field size, I assume the max length is 150, I have also read that {}[]- are illegal, but suspect there are other invalid characters.
Same question for the password, what's the size and character restrictions.
Thank you
Ben
Username has a maximum 150 character length per the database and a minimum 2 character requirement. It doesn't have a restriction on {}[]- however does not let you use any of: <>\"'%;()&
Password doesn't have any limitations as it's hashed to salted MD5. The field itself is limited to 100 characters though the hashing will ensure that it'll not get that long.
Ref: https://github.com/joomla/joomla-cms/blob/master/libraries/joomla/table/user.php#L184
I am writing some code to parse GS1 barcodes. There are a few App Idents (AIs) in the specification that I don't understand. For example, AI 426 (https://www.gs1.org/standards/barcodes/application-identifiers/426?lang=en):
This is saying that the data must be 3 digits (the app ident) followed by another 3 digits for the country code (e.g. 426824). As such it is a fixed length field. The bit I don't understand is that it also says it requires a FNC1 delimiter. Surely if it is a fixed length field it won't require a delimiter after the data? Can anyone shed any light as to why the specification says this, or is it likely to be a mistake?
I observed a very strange behavior with Laravel's Hash Facade using Hash::make() to create a digest (with bcrypt) and save it to the database. For example, the plain text
AAMkAGEzN2EyZTg4LWRiNTUtNGIwYS04ZTA1LWE2Y2U5OTRjYjQ0ZgBGAAAAAACxCzc14g3eSoadAxaGpB3ABwCr5qkyxHH4QY9vHKr6u5IrAAAAAAENAACr5qkyxHH4QY9vHKr6u5IrAARi2BmGAAA=
yields $2y$10$fq6jvoNL/RShVKfNDy64EOGW0gLzd0GvfS.di16Z9LcCK7DpIHONK.
Now, using Hash::check() with the plain text and digest mentioned above returns true of course. However, changing one character in the plain text (e.g. replacing the last A with a B) and checking it against the same digest returns true as well:
>>> Hash::check('AAMkAGEzN2EyZTg4LWRiNTUtNGIwYS04ZTA1LWE2Y2U5OTRjYjQ0ZgBGAAAAAACxCzc14g3eSoadAxaGpB3ABwCr5qkyxHH4QY9vHKr6u5IrAAAAAAENAACr5qkyxHH4QY9vHKr6u5IrAARi2BmGAAA=', '$2y$10$fq6jvoNL/RShVKfNDy64EOGW0gLzd0GvfS.di16Z9LcCK7DpIHONK')
=> true
>>> Hash::check('AAMkAGEzN2EyZTg4LWRiNTUtNGIwYS04ZTA1LWE2Y2U5OTRjYjQ0ZgBGAAAAAACxCzc14g3eSoadAxaGpB3ABwCr5qkyxHH4QY9vHKr6u5IrAAAAAAENAACr5qkyxHH4QY9vHKr6u5IrAARi2BmGAAB=', '$2y$10$fq6jvoNL/RShVKfNDy64EOGW0gLzd0GvfS.di16Z9LcCK7DpIHONK')
=> true
>>> Hash::check('AAMkAGEzN2EyZTg4LWRiNTUtNGIwYS04ZTA1LWE2Y2U5OTRjYjQ0ZgBGAAAAAACxCzc14g3eSoadAxaGpB3ABwCr5qkyxHH4QY9vHKr6u5IrAAAAAAENAACr5qkyxHH4QY9vHKr6u5IrAARi2BmGAAC=', '$2y$10$fq6jvoNL/RShVKfNDy64EOGW0gLzd0GvfS.di16Z9LcCK7DpIHONK')
=> true
Based on my understanding of what hashing does, this shouldn't be possible, but it doesn't seem to be a collision as replacing B by C also yields true.
I'm using Laravel 8.0 with PHP 7.4.11.
Any idea what I'm doing wrong here?
UPDATE:
Found this hint in the official PHP documentation for password_hash:
Caution: Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.
I then checked this and indeed, modifying any of the characters behind AAMkAGEzN2EyZTg4LWRiNTUtNGIwYS04ZTA1LWE2Y2U5OTRjYjQ0ZgBGAAAAAACxCzc14g3e doesn't change the result whereas exchanging e.g. the last e with f returns false for Hash::check(). The length of the string is 72 characters so it may be an effect of the truncation. But why? This isn't mentioned in the Laravel Hash documentation. I have several passwords that are longer than 72 characters so it actually doesn't matter how they end?
As a result, I need to use another function of Laravel to hash longer messages? Which one?
I did some research and came to this conclusion:
In the official Laravel docs they refer to PHP's official docs. Here they have a caution section at password saying:
Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.
I checked your string, and it has a length of 152. So in your case, you should use a different algorithm (you can set this in config/hashing.php at driver) or make sure the input string is max 72 characters.
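An added example, not part of the question or answer above: it reproduces the truncation with plain PHP `password_hash()` (the function the quoted caution describes) and shows two ways to avoid it while staying on bcrypt. The function names and the sample strings are hypothetical and constructed for the illustration; the limit is counted in bytes, so the check uses `strlen()`.

```php
<?php
// Added illustration, not code from the thread. Function names are hypothetical.

const BCRYPT_MAX_BYTES = 72; // bcrypt ignores input past this many bytes

// Option 1: refuse input that bcrypt would silently truncate.
function hashStrict(string $secret): string
{
    // strlen() counts bytes, which is what the limit applies to;
    // a multibyte UTF-8 string reaches it before 72 visible characters.
    if (strlen($secret) > BCRYPT_MAX_BYTES) {
        throw new LengthException('secret exceeds 72 bytes; bcrypt would truncate it');
    }
    return password_hash($secret, PASSWORD_BCRYPT);
}

// Option 2: reduce the whole secret to 44 ASCII bytes first, so every
// input byte influences the result. base64 keeps NUL bytes out of the digest.
function preHash(string $secret): string
{
    return base64_encode(hash('sha256', $secret, true));
}

function hashLong(string $secret): string
{
    return password_hash(preHash($secret), PASSWORD_BCRYPT);
}

function verifyLong(string $secret, string $stored): bool
{
    return password_verify(preHash($secret), $stored);
}

// Constructed sample input: identical first 72 bytes, different tails.
$prefix = str_repeat('k', BCRYPT_MAX_BYTES);
$a = $prefix . '-tail-one';
$b = $prefix . '-tail-two';

// Plain bcrypt never sees the tails, so $b is checked against $a's hash.
$plain = password_hash($a, PASSWORD_BCRYPT);
var_dump(password_verify($b, $plain));

// Pre-hashed: the tails are part of what bcrypt receives.
$long = hashLong($a);
var_dump(verifyLong($a, $long));
var_dump(verifyLong($b, $long));
```

Hashes produced with the pre-hash step only verify through the same step, so existing bcrypt hashes have to be re-created at the next successful login before switching.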
I am new to Parse and I was thinking about what might be the max length of characters permitted for a Parse Account's password?
On https://www.parse.com/signup, when making an account, there doesn't seem to be a limit. I just made a test account with a 90,000 character long password, and no errors were given.
[Edit: I tried a password of length 1,000,000 and the account was created successfully]
Trial and error: I created an account with a password length of more than 100.
It looks like it is unlimited.
Why does this matter to you?
@TZHX: I could use more than 30 characters
I'm looking for the maximum character length allowed for an internet Message-ID field for validation purposes within an application. I've reviewed sources such as RFC-2822 and Wikipedia "Message-ID" as well as this SO question, among other various places. The closest answer I can find is "998 characters" because that is the maximum length that the specification allows for each line in an internet message (from RFC-2822), and the Message-ID field cannot be multiple lines.
Is 998 characters the definitive answer? Is there no such limit?
If there's one thing I've learned about email, it must be that it's a massively distributed system for fuzzing email software. That is, no matter what the RFCs say, you will find emails violating them, some email software coping and some failing. I think most will limp along with the robustness principle in mind.
With that out of the way, I think the maximum RFC compliant Message-ID length is 995 characters.
The maximum line length per the RFC you cite is 998 characters. That would include the "Message-ID:" field name, but you can do line folding between the field name and the field body. The line containing the actual Message-ID would then contain a space (the folding whitespace), "<", Message-ID, and ">". Semantically, the angle brackets are not part of the Message-ID. Therefore you end up with a maximum of 998 - 3 = 995 characters.
Actually there's no limit
RFC2822 defines these productions:
message-id = "Message-ID:" msg-id CRLF
msg-id = [CFWS] "<" id-left "@" id-right ">" [CFWS]
id-left = dot-atom-text / no-fold-quote / obs-id-left
obs-id-left = local-part
local-part = dot-atom / quoted-string / obs-local-part
quoted-string = [CFWS]
DQUOTE *([FWS] qcontent) [FWS] DQUOTE
[CFWS]
CFWS = *([FWS] comment) (([FWS] comment) / FWS)
FWS = ([*WSP CRLF] 1*WSP) / ; Folding white space
So id-left can be local-part which can be quoted-string (and thus have multiple FWS)
so you can fold it as many times as needed to fit any arbitrary
length of payload and still comply with the restrictions given
by the RFC.
It's quite a wild guess, but I would say 2000 chars is more than enough and here is why:
The only related length requirement I found is message line can't be longer than 998 chars. My wild assumption would be this: Message id should be able to be within one line of message and this limit is 998 chars. From message ids I saw during my time it's not that long. So from all the uncertainty I would say 1000 chars is very "safe" minimum range and like 2000 should cover any scenario if there is any kind of "structural overhead" of some data shape.
https://www.rfc-editor.org/rfc/rfc2822
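An added example, not part of any answer above: a small checker that applies the two readings from this thread to a raw header field, the 998-character limit per physical line and folding on CRLF followed by whitespace. The function name, the `example.com` IDs and the simplified `<...>` pattern (it does not parse the full ABNF) are assumptions made for the illustration. The third constructed sample folds inside a quoted-string, so each line stays within the limit while the unfolded ID is longer than a single line could hold.

```php
<?php
// Added illustration, not code from the thread. Names are hypothetical.

const MAX_LINE = 998; // RFC 2822 per-line limit, CRLF excluded

// Takes one raw Message-ID header field (possibly folded over several
// CRLF-separated lines) and reports the length of the unfolded ID.
function inspectMessageId(string $raw): array
{
    $lines = explode("\r\n", rtrim($raw, "\r\n"));
    foreach ($lines as $i => $line) {
        if (strlen($line) > MAX_LINE) {
            return ['ok' => false, 'why' => 'line ' . ($i + 1) . ' is longer than 998'];
        }
        // Every line after the first must begin with folding whitespace.
        if ($i > 0 && !preg_match('/^[ \t]/', $line)) {
            return ['ok' => false, 'why' => 'line ' . ($i + 1) . ' is not a continuation'];
        }
    }
    // Unfolding drops each CRLF that precedes whitespace; the whitespace stays.
    // All continuation lines were checked above, so joining the lines unfolds.
    $unfolded = implode('', $lines);
    // Simplified: anything between the angle brackets counts as the ID.
    if (!preg_match('/^Message-ID:[ \t]*<([^<>]+)>[ \t]*$/i', $unfolded, $m)) {
        return ['ok' => false, 'why' => 'no <id> found'];
    }
    return ['ok' => true, 'length' => strlen($m[1])];
}

// Constructed samples.
$samples = [
    // Folded after the field name; the ID fills the second line exactly.
    'fits one line' => "Message-ID:\r\n <" . str_repeat('a', 983) . "@example.com>\r\n",
    // One character more on the same line.
    'one too many'  => "Message-ID:\r\n <" . str_repeat('a', 984) . "@example.com>\r\n",
    // Quoted-string id-left folded across two lines.
    'folded quoted' => "Message-ID: <\"" . str_repeat('a', 900) . "\r\n "
                     . str_repeat('b', 900) . "\"@example.com>\r\n",
];

foreach ($samples as $label => $raw) {
    echo $label, ': ', json_encode(inspectMessageId($raw)), "\n";
}
```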
The documentation of Elasticsearch states:
The index operation can be executed without specifying the id. In such
a case, an id will be generated automatically.
But it does not provide any information about the properties of the ids.
What is the length (minimum/maximum)?
My guess is 22.
Which characters are used in the id?
My guess is [-_A-Za-z0-9]
Can the properties of the generated ids change at any time (is that part of the API)?
Auto-generated ids are random base64-encoded UUIDs. The base64 algorithm is used in URL-safe mode hence - and _ characters might be present in ids.
Auto-generated ids by Elasticsearch are exactly 20 characters in length (not 22 characters) and encoded by url-safe base64 algorithm [-_A-Za-z0-9].
Read more in documentation: https://www.elastic.co/guide/en/elasticsearch/guide/master/index-doc.html#_autogenerating_ids