diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2017-02-25 13:08:45 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2017-02-25 13:08:45 +0100 |
| commit | fb6bb8e826a29c1f94a705ea39ecc052ff59b99f (patch) | |
| tree | 08643f3a2901fc38aaa0841cebd35fc714842f49 | |
| parent | b8ac2b1d8ab47642018bd3f0fe6863b69a2743d6 (diff) | |
| parent | 0bd4b2c74204a2f9360816ab22aac0da4c459824 (diff) | |
Merge pull request #1423 from plopoyop/feature/username-in-cli
[WIP] Feature/username in cli
| -rw-r--r-- | CHANGELOG.md | 2 | ||||
| -rwxr-xr-x | app/Controllers/javascriptController.php | 2 | ||||
| -rw-r--r-- | app/Controllers/userController.php | 14 | ||||
| -rw-r--r-- | app/Models/Auth.php | 4 | ||||
| -rw-r--r-- | app/Models/Feed.php | 2 | ||||
| -rw-r--r-- | app/Models/UserDAO.php | 2 | ||||
| -rw-r--r-- | app/install.php | 2 | ||||
| -rw-r--r-- | app/views/auth/formLogin.phtml | 2 | ||||
| -rw-r--r-- | app/views/auth/register.phtml | 2 | ||||
| -rw-r--r-- | app/views/user/manage.phtml | 2 | ||||
| -rw-r--r-- | cli/_cli.php | 2 | ||||
| -rwxr-xr-x | cli/create-user.php | 2 | ||||
| -rwxr-xr-x | cli/delete-user.php | 2 | ||||
| -rwxr-xr-x | cli/do-install.php | 2 | ||||
| -rwxr-xr-x | cli/reconfigure.php | 2 | ||||
| -rw-r--r-- | lib/lib_rss.php | 2 | ||||
| -rw-r--r-- | p/api/greader.php | 2 |
17 files changed, 30 insertions, 18 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 4738b7360..885b625f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ * Allow empty strings in CLI do-install [#1435](https://github.com/FreshRSS/FreshRSS/pull/1435) * Security * No version number for anonymous users [#1404](https://github.com/FreshRSS/FreshRSS/issues/1404) +* Misc. + * Relaxed requirements for username to `/^[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}/$` [#1423](https://github.com/FreshRSS/FreshRSS/pull/1423) ## 2016-12-26 FreshRSS 1.6.2 diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 00a7b5c38..6336106a9 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { header('Pragma: no-cache'); $user = isset($_GET['user']) ? $_GET['user'] : ''; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { try { $salt = FreshRSS_Context::$system_conf->salt; $conf = get_user_configuration($user); diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 9d6ae18e6..593e24cf2 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -35,6 +35,16 @@ class FreshRSS_user_Controller extends Minz_ActionController { } /** + * The username is also used as folder name, file name, and part of SQL table name. + * '_' is a reserved internal username. + */ + const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}'; + + public static function checkUsername($username) { + return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1; + } + + /** * This action displays the user profile page. */ public function profileAction() { @@ -104,7 +114,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $userConfig = array(); } - $ok = ($new_user_name != '') && ctype_alnum($new_user_name); + $ok = self::checkUsername($new_user_name); if ($ok) { $languages = Minz_Translate::availableLanguages(); @@ -187,7 +197,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - $ok = ctype_alnum($username); + $ok = self::checkUsername($username); if ($ok) { $default_user = FreshRSS_Context::$system_conf->default_user; $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user diff --git a/app/Models/Auth.php b/app/Models/Auth.php index b3255cfbd..476627e10 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -182,7 +182,7 @@ class FreshRSS_Auth { class FreshRSS_FormAuth { public static function checkCredentials($username, $hash, $nonce, $challenge) { - if (!ctype_alnum($username) || + if (!FreshRSS_user_Controller::checkUsername($username) || !ctype_graph($challenge) || !ctype_alnum($nonce)) { Minz_Log::debug('Invalid credential parameters:' . @@ -211,7 +211,7 @@ class FreshRSS_FormAuth { // Token has expired (> 1 month) or does not exist. // TODO: 1 month -> use a configuration instead @unlink($token_file); - return array(); + return array(); } $credentials = @file_get_contents($token_file); diff --git a/app/Models/Feed.php b/app/Models/Feed.php index 97cb1c47e..7a9cf8612 100644 --- a/app/Models/Feed.php +++ b/app/Models/Feed.php @@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model { file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND); } $currentUser = Minz_Session::param('currentUser'); - if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { + if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { touch($path . '/' . $currentUser . '.txt'); } } diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php index 32bc6de2f..a60caf395 100644 --- a/app/Models/UserDAO.php +++ b/app/Models/UserDAO.php @@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { } public static function touch($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { $username = Minz_Session::param('currentUser', '_'); } return touch(join_path(DATA_PATH , 'users', $username, 'config.php')); diff --git a/app/install.php b/app/install.php index 986a7dc60..9a88e0f37 100644 --- a/app/install.php +++ b/app/install.php @@ -553,7 +553,7 @@ function printStep2() { <div class="form-group"> <label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label> <div class="group-controls"> - <input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" /> + <input type="text" id="default_user" name="default_user" required="required" size="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" /> </div> </div> diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml index a8213b7ae..99be6059c 100644 --- a/app/views/auth/formLogin.phtml +++ b/app/views/auth/formLogin.phtml @@ -9,7 +9,7 @@ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <div> <label for="username"><?php echo _t('gen.auth.username'); ?></label> - <input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" /> + <input type="text" id="username" name="username" size="16" required="required" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" autofocus="autofocus" /> </div> <div> <label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label> diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index 1f9976391..23bda25ce 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -5,7 +5,7 @@ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <div> <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label> - <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" /> + <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" /> </div> <div> diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml index a32247d14..793a3a0bd 100644 --- a/app/views/user/manage.phtml +++ b/app/views/user/manage.phtml @@ -22,7 +22,7 @@ <div class="form-group"> <label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label> <div class="group-controls"> - <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" placeholder="demo" /> + <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" placeholder="demo" /> </div> </div> diff --git a/cli/_cli.php b/cli/_cli.php index 7d1a7c6b2..f5e36eabc 100644 --- a/cli/_cli.php +++ b/cli/_cli.php @@ -20,7 +20,7 @@ function fail($message) { } function cliInitUser($username) { - if (!ctype_alnum($username)) { + if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username: ' . $username . "\n"); } diff --git a/cli/create-user.php b/cli/create-user.php index 444264cc7..c9e350c14 100755 --- a/cli/create-user.php +++ b/cli/create-user.php @@ -17,7 +17,7 @@ if (empty($options['user'])) { " --language en --email user@example.net --token 'longRandomString --no-default-feeds' )"); } $username = $options['user']; -if (!ctype_alnum($username)) { +if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username “' . $username . '”'); } diff --git a/cli/delete-user.php b/cli/delete-user.php index 6f0e86e17..baa81b893 100755 --- a/cli/delete-user.php +++ b/cli/delete-user.php @@ -10,7 +10,7 @@ if (empty($options['user'])) { fail('Usage: ' . basename(__FILE__) . " --user username"); } $username = $options['user']; -if (!ctype_alnum($username)) { +if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username “' . $username . '”'); } diff --git a/cli/do-install.php b/cli/do-install.php index c9fa3f5ab..c2f5b286d 100755 --- a/cli/do-install.php +++ b/cli/do-install.php @@ -48,7 +48,7 @@ if ($requirements['all'] !== 'ok') { fail($message); } -if (!ctype_alnum($options['default_user'])) { +if (!FreshRSS_user_Controller::checkUsername($options['default_user'])) { fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $options['default_user']); } diff --git a/cli/reconfigure.php b/cli/reconfigure.php index 5294dd2df..da451b3ef 100755 --- a/cli/reconfigure.php +++ b/cli/reconfigure.php @@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) { } $config->db = $db; -if (!ctype_alnum($config->default_user)) { +if (!FreshRSS_user_Controller::checkUsername($config->default_user)) { fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user); } diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 560e5b256..cdd08719d 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -285,7 +285,7 @@ function uSecString() { } function invalidateHttpCache($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { Minz_Session::_param('touch', uTimeString()); $username = Minz_Session::param('currentUser', '_'); } diff --git a/p/api/greader.php b/p/api/greader.php index 4965ffd3b..01eca6d4f 100644 --- a/p/api/greader.php +++ b/p/api/greader.php @@ -152,7 +152,7 @@ function authorizationToUser() { $headerAuthX = explode('/', $headerAuth, 2); if (count($headerAuthX) === 2) { $user = $headerAuthX[0]; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { FreshRSS_Context::$user_conf = get_user_configuration($user); if (FreshRSS_Context::$user_conf == null) { Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.'); |