diff options
| -rwxr-xr-x | app/Controllers/javascriptController.php | 2 | ||||
| -rw-r--r-- | app/Controllers/userController.php | 9 | ||||
| -rw-r--r-- | app/Models/Feed.php | 2 | ||||
| -rw-r--r-- | app/Models/UserDAO.php | 2 | ||||
| -rw-r--r-- | app/install.php | 2 | ||||
| -rw-r--r-- | app/views/auth/formLogin.phtml | 2 | ||||
| -rw-r--r-- | app/views/auth/register.phtml | 2 | ||||
| -rw-r--r-- | app/views/user/manage.phtml | 2 | ||||
| -rwxr-xr-x | cli/reconfigure.php | 2 | ||||
| -rw-r--r-- | lib/lib_rss.php | 2 | ||||
| -rw-r--r-- | p/api/greader.php | 2 |
11 files changed, 17 insertions, 12 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 00a7b5c38..6336106a9 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { header('Pragma: no-cache'); $user = isset($_GET['user']) ? $_GET['user'] : ''; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { try { $salt = FreshRSS_Context::$system_conf->salt; $conf = get_user_configuration($user); diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 718207734..13a6fce67 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController { return $passwordHash == '' ? '' : $passwordHash; } + /** + * The username is also used as folder name, and part of SQL table name. + * '_' is a reserved internal username. + */ + const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}'; + public static function checkUsername($username) { - $match = '/^[0-9a-zA-Z_]{1,38}$/'; - return preg_match($match, $username) === 1; + return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1; } /** diff --git a/app/Models/Feed.php b/app/Models/Feed.php index 97cb1c47e..7a9cf8612 100644 --- a/app/Models/Feed.php +++ b/app/Models/Feed.php @@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model { file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND); } $currentUser = Minz_Session::param('currentUser'); - if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { + if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { touch($path . '/' . $currentUser . '.txt'); } } diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php index 32bc6de2f..a60caf395 100644 --- a/app/Models/UserDAO.php +++ b/app/Models/UserDAO.php @@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { } public static function touch($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { $username = Minz_Session::param('currentUser', '_'); } return touch(join_path(DATA_PATH , 'users', $username, 'config.php')); diff --git a/app/install.php b/app/install.php index 8c65a0977..58674e3a7 100644 --- a/app/install.php +++ b/app/install.php @@ -553,7 +553,7 @@ function printStep2() { <div class="form-group"> <label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label> <div class="group-controls"> - <input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z_]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" /> + <input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" /> </div> </div> diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml index 24cb14c6e..2f881dde7 100644 --- a/app/views/auth/formLogin.phtml +++ b/app/views/auth/formLogin.phtml @@ -9,7 +9,7 @@ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <div> <label for="username"><?php echo _t('gen.auth.username'); ?></label> - <input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z_]{1,16}" autofocus="autofocus" /> + <input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" autofocus="autofocus" /> </div> <div> <label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label> diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index d7997f5f5..fce7e1388 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -5,7 +5,7 @@ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <div> <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label> - <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z_]{1,16}" /> + <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" /> </div> <div> diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml index 10bee5507..9238a01b9 100644 --- a/app/views/user/manage.phtml +++ b/app/views/user/manage.phtml @@ -22,7 +22,7 @@ <div class="form-group"> <label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label> <div class="group-controls"> - <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z_]{1,16}" placeholder="demo" /> + <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" placeholder="demo" /> </div> </div> diff --git a/cli/reconfigure.php b/cli/reconfigure.php index 5294dd2df..da451b3ef 100755 --- a/cli/reconfigure.php +++ b/cli/reconfigure.php @@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) { } $config->db = $db; -if (!ctype_alnum($config->default_user)) { +if (!FreshRSS_user_Controller::checkUsername($config->default_user)) { fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user); } diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 560e5b256..cdd08719d 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -285,7 +285,7 @@ function uSecString() { } function invalidateHttpCache($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { Minz_Session::_param('touch', uTimeString()); $username = Minz_Session::param('currentUser', '_'); } diff --git a/p/api/greader.php b/p/api/greader.php index 4965ffd3b..01eca6d4f 100644 --- a/p/api/greader.php +++ b/p/api/greader.php @@ -152,7 +152,7 @@ function authorizationToUser() { $headerAuthX = explode('/', $headerAuth, 2); if (count($headerAuthX) === 2) { $user = $headerAuthX[0]; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { FreshRSS_Context::$user_conf = get_user_configuration($user); if (FreshRSS_Context::$user_conf == null) { Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.'); |