Prevent homographic usernames

Created on 24 September 2006, almost 19 years ago
Updated 10 June 2025, about 2 months ago

Problem/Motivation

In Drupal, users can submit logins in non-Latin characters (and this is great for me and other non-English communities, I think). But, for example, in the Unicode character table we have the Latin small letter "a" and the Cyrillic small letter "a". So we have the ability to create the user login "admin" with the first letter a Cyrillic "a", and for the login "webchik" we can create 3 duplicates.

On some websites, this could allow tricking admins into triggering some actions on the wrong account.

Steps to reproduce

If your website contains a user called "admin" and allows users to register, you can register a new user called "аdmin" (with a Cyrillic а).

Proposed resolution

We could use the NoSuspiciousCharacters constraint provided by Symfony: https://symfony.com/doc/current/reference/constraints/NoSuspiciousCharac...

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

✨ Feature request
Status

Needs work

Version

11.0 🔥

Component

user system

Created by

🇷🇺Russia dyp

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs product manager review

    It is used to alert the product manager core committer(s) that an issue represents a significant new feature, UI change, or change to the "user experience" of Drupal, and their signoff is needed. If an issue significantly affects the usability of Drupal, use Needs usability review instead (see the governance policy draft for more information).


Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • 🇫🇷France prudloff Lille

    The PHP intl extension provides a Spoofchecker::areConfusable() method that could be used for this, but comparing the new username to every existing user would probably be expensive.

    Symfony also provides a NoSuspiciousCharacters constraint (which uses Spoofchecker::isSuspicious() internally): https://symfony.com/doc/current/reference/constraints/NoSuspiciousCharac...
    This is probably a good solution, but it requires setting the expected locales (having Cyrillic letters in usernames on a Russian website would not be suspicious, for example). I suppose we could configure it using the enabled locales on the website.

  • 🇫🇷France prudloff Lille
  • Merge request !11577 Prevent suspicious characters in usernames → (Open) created by prudloff
  • Pipeline finished with Failed
    4 months ago
    Total: 188s
    #455331
  • Pipeline finished with Failed
    4 months ago
    Total: 852s
    #455333
  • 🇫🇷France prudloff Lille

    Added a basic implementation.
    The main caveat is that it heavily depends on the languages activated on the website (because that's the way NoSuspiciousCharacters and Spoofchecker work).
    If we find this too restrictive, we could also use NoSuspiciousCharacters without restricting the allowed locales; it would still be useful to detect mixed character sets and invisible characters.

    I'm not sure the failing AssetAggregationAcrossPagesTest is related?

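As an added illustration (not code from the merge request or from Drupal core), the script below exercises the intl Spoofchecker that NoSuspiciousCharacters wraps: the restriction-level check that flags a mixed Latin/Cyrillic name, the allowed-locales setting that additionally rejects an all-Cyrillic name on an English-only site, the per-account areConfusable() comparison mentioned earlier, and the skip-when-intl-is-missing fallback. It assumes PHP >= 7.3 with intl built against ICU >= 58; the helper names are hypothetical and the sample names are constructed.

```php
<?php
// Added example, not the merge request's code. Exercises the intl Spoofchecker
// that Symfony's NoSuspiciousCharacters wraps. Assumes PHP >= 7.3 with intl on
// ICU >= 58 (for setRestrictionLevel); helper names are hypothetical.
declare(strict_types=1);
/**
 * Reports whether $username looks spoofed under UTS #39 identifier rules.
 * $allowedLocales is an ICU locale list such as "en" or "en,ru"; NULL leaves
 * every script allowed, so only mixed scripts and invisible characters are
 * caught (the less restrictive option discussed in the thread).
 */
function username_is_suspicious(string $username, ?string $allowedLocales = NULL): bool {
  // Drupal does not hard-require intl: skip the check rather than fatal.
  if (!class_exists(\Spoofchecker::class)) {
    return FALSE;
  }
  $checker = new \Spoofchecker();
  // HIGHLY_RESTRICTIVE rejects Latin mixed with Cyrillic ("аdmin") while still
  // accepting a single-script name such as "админ" on a Russian site.
  $checker->setRestrictionLevel(\Spoofchecker::HIGHLY_RESTRICTIVE);
  if ($allowedLocales !== NULL) {
    // Characters outside these locales' scripts are reported as well.
    $checker->setAllowedLocales($allowedLocales);
  }
  return $checker->isSuspicious($username);
}

/**
 * Returns the first existing account visually confusable with $candidate, or
 * NULL. This is the per-account comparison the thread calls expensive.
 */
function confusable_existing_username(string $candidate, array $existing): ?string {
  if (!class_exists(\Spoofchecker::class)) {
    return NULL;
  }
  $checker = new \Spoofchecker();
  foreach ($existing as $name) {
    if ($checker->areConfusable($candidate, $name)) {
      return $name;
    }
  }
  return NULL;
}

// Constructed inputs: "\u{0430}" is CYRILLIC SMALL LETTER A.
$mixedAdmin = "\u{0430}dmin";                               // Cyrillic а + Latin "dmin"
$cyrillicName = "\u{0430}\u{0434}\u{043C}\u{0438}\u{043D}";  // "админ", one script only
foreach (['admin', $mixedAdmin, $cyrillicName] as $name) {
  printf("%s any-locale:%d en-only:%d\n", $name, username_is_suspicious($name), username_is_suspicious($name, 'en'));
}
var_dump(confusable_existing_username($mixedAdmin, ['root', 'admin']));
```
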
  • 🇧🇪Belgium borisson_ Mechelen, 🇧🇪

    Removing tags that are no longer relevant.
    The new solution is well documented, but I'm not sure about the tradeoffs here, tagged for product manager review because of that.

  • 🇫🇷France prudloff Lille

    I just noticed Drupal does not require the intl extension.
    NoSuspiciousCharacters will throw an exception if this extension is not available.

    We could either:

    • Require the intl extension
    • Skip this constraint if the extension is not available
  • Pipeline finished with Canceled
    2 months ago
    Total: 202s
    #500244
  • Pipeline finished with Failed
    2 months ago
    #500246
  • Pipeline finished with Success
    2 months ago
    Total: 855s
    #500250
  • 🇫🇷France prudloff Lille

    I added the intl extension to dependencies.

  • Status changed to Needs work about 2 months ago
  • The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

  • Pipeline finished with Success
    about 2 months ago
    Total: 593s
    #518982
  • 🇫🇷France prudloff Lille

    I rebased the MR.

  • The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

  • Pipeline finished with Success
    20 days ago
    Total: 618s
    #539811
  • 🇫🇷France prudloff Lille

    I rebased the MR.
