[Bug]: Login module allows control characters #5834
Description
Is there an existing issue for this?
- I have searched the existing issues
What happened?
In Discord a user reported that they received the following error:
EXCEPTION: System.ArgumentException: '.', hexadecimal value 0x00, is an invalid character.
at System.Xml.XmlEncodedRawTextWriter.WriteAttributeTextBlock(Char* pSrc, Char* pSrcEnd)
at System.Xml.XmlEncodedRawTextWriter.WriteString(String text)
at System.Xml.XmlWellFormedWriter.WriteString(String text)
at System.Xml.XmlWriter.WriteAttributeString(String localName, String value)
at DotNetNuke.Services.Log.EventLog.LogInfo.WriteXml(XmlWriter writer)
at DotNetNuke.Services.Log.EventLog.LogInfo.Serialize()
at DotNetNuke.Services.Log.EventLog.DBLoggingProvider.SendLogNotifications()
at DotNetNuke.Services.Log.EventLog.SendLogNotifications.DoWork()
This happened because there was an attempt to log in with a username that contains an invalid character (\0). DNN tried to log this attempt, but the XML serializer doesn't allow null characters, causing an exception to be thrown. I don't think this is a security issue, since everything was handled fine, but maybe we should block control characters (like the null character).
Steps to reproduce?
I did not find a real way to reproduce this. You can however send invalid characters to the textbox with the username query.
- Go to the login page (e.g. http://localhost/Login)
- Add ?username=User%00name to the query (e.g. http://localhost/Login?username=User%00name)
Current Behavior
The null character will be set in the input field:
Causing the username field to show a null character:
Expected Behavior
The null character won't be shown.
Relevant log output
No response
Anything else?
No response
Affected Versions
9.13.0 (latest release)
What browsers are you seeing the problem on?
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
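As an added illustration, not DNN's own code, of the failure in the stack trace above and of the check the report suggests: the helper below reproduces XmlWriter rejecting a NUL inside an attribute value (the path LogInfo.WriteXml hits) and shows a control-character check applied to the username before it reaches the event log. The class, method names and the LogProperty/Value element are hypothetical.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Xml;

// Hypothetical helper (not part of DNN).
public static class UsernameInputCheck
{
    // XmlWriter (CheckCharacters = true by default) refuses code points below 0x20
    // other than tab, LF and CR. char.IsControl is stricter (also DEL and C1 controls),
    // which is the right rule for a username field anyway.
    public static bool ContainsControlCharacters(string value) =>
        value != null && value.Any(char.IsControl);

    // Strip rather than reject, for callers that prefer to sanitize.
    public static string StripControlCharacters(string value) =>
        new string((value ?? string.Empty).Where(c => !char.IsControl(c)).ToArray());

    // True when the value serializes as an XML attribute, false when XmlWriter throws
    // the same ArgumentException seen in the issue's stack trace.
    public static bool TryWriteAsAttribute(string value, out string xml)
    {
        var sb = new StringBuilder();
        try
        {
            using (var w = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
            {
                w.WriteStartElement("LogProperty");
                w.WriteAttributeString("Value", value);   // throws on 0x00
                w.WriteEndElement();
            }
            xml = sb.ToString();
            return true;
        }
        catch (ArgumentException)
        {
            xml = null;
            return false;
        }
    }

    public static void Main()
    {
        string raw = "User\0name";                                // constructed input from the report
        Console.WriteLine(ContainsControlCharacters(raw));        // True: block before logging
        Console.WriteLine(TryWriteAsAttribute(raw, out _));       // False: XmlWriter rejects it
        Console.WriteLine(TryWriteAsAttribute(StripControlCharacters(raw), out var xml)); // True
        Console.WriteLine(xml);                                   // <LogProperty Value="Username" />
    }
}
```

The check belongs at the input boundary (the login form and the username query parameter), so the event log never sees a value that its XML serializer cannot represent.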