Bug 1813629: Prevent Auth plugins from authenticating usernames with unicode variants

Co-authored-by: David Lawrence <dkl@mozilla.com>

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index ead64cc7d211c19b0de436eacc08db9ff5f244a9..ddde183871749fbd7044abedbca15f552f85f41e 100644 (file)
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -136,7 +136,19 @@ sub new {
       $_[0] = $param;
     }
   }
-  return $class->SUPER::new(@_);
+
+  $user = $class->SUPER::new(@_);
+
+  # MySQL considers some non-ascii characters such as umlauts to equal
+  # ascii characters returning a user when it should not.
+  if ($user && ref $param eq 'HASH' && exists $param->{name}) {
+    my $login = $param->{name};
+    if (lc $login ne lc $user->login) {
+      $user = undef;
+    }
+  }
+
+  return $user;
 }
 
 sub super_user {