Hardening: Jenkins should not allow creating users like " system " or "anonymous "


Ran into this case during the fix of JENKINS-33600. I do not see any exploits in the code, but it seems SECURITY-166 by campbellr was not aggressive enough in String checking.

This code allows non-trimmed restricted usernames, hence I was able to create the " anonymous " account with "Anonymous " as the full name. The same can be done for SYSTEM as well. UIs do not present such trailing spaces, hence the UI looks to be "fine".

I have no obvious exploits in the code, but this logic gap may be a security issue if a plugin does not work with user IDs with spaces.

Is it a security issue or should we handle it as a common bug?
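The gap described above, as an added example (not Jenkins' own code): a naive exact-match reserved-name check beside a hardened one that normalizes the candidate id (trim, collapse whitespace, fold case, drop Unicode format characters) before comparing. The reserved names are the two from the report; the class and method names are illustrative assumptions.

```java
import java.text.Normalizer;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not Jenkins code: shows why an exact-match reserved-name
 * check lets " anonymous " or "SYSTEM" through, and what a normalizing
 * check looks like. Method names are assumptions for illustration.
 */
public class ReservedIdCheck {
    // Names that must never become a real user account (from the report).
    private static final Set<String> RESERVED = Set.of("anonymous", "system");

    /** Naive check: exact match only, so " anonymous " and "SYSTEM" slip past it. */
    public static boolean isReservedNaive(String id) {
        return id != null && RESERVED.contains(id);
    }

    /**
     * Hardened check: NFKC-normalize, strip Unicode format characters
     * (zero-width joiners, BOM), trim, collapse inner whitespace and fold
     * case before comparing against the reserved set.
     */
    public static boolean isReservedHardened(String id) {
        if (id == null) return true; // null is never an acceptable id
        String normalized = Normalizer.normalize(id, Normalizer.Form.NFKC)
                .replaceAll("\\p{Cf}", "")
                .trim()
                .replaceAll("\\s+", " ")
                .toLowerCase(Locale.ROOT);
        return RESERVED.contains(normalized);
    }

    /**
     * Admission policy for a new user id: reject null, empty, and ids that
     * carry leading or trailing whitespace at all, then apply the
     * hardened reserved-name check.
     */
    public static boolean isAllowedUserId(String id) {
        if (id == null) return false;
        String trimmed = id.trim();
        if (trimmed.isEmpty() || !trimmed.equals(id)) return false;
        return !isReservedHardened(id);
    }

    public static void main(String[] args) {
        // Constructed probes: the two cases from the report plus variants.
        String[] probes = { "anonymous", " anonymous ", "SYSTEM", "System ",
                            "\u200Banonymous", "alice" };
        for (String p : probes) {
            System.out.printf("%-18s naive=%-5b hardened=%-5b allowed=%b%n",
                    "\"" + p + "\"", isReservedNaive(p),
                    isReservedHardened(p), isAllowedUserId(p));
        }
    }
}
```

Running `main` shows `" anonymous "` and `"SYSTEM"` passing the naive check but being caught by the hardened one, while `"alice"` remains allowed. Rejecting any id whose trimmed form differs from the original, rather than silently trimming it, avoids creating an account whose stored id differs from what the administrator typed and keeps the UI and storage in agreement.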

Assignee: Oleg Nenashev
Reporter: Oleg Nenashev
Archiver: Jenkins Service Account
