aboutsummaryrefslogtreecommitdiff
path: root/app/Controllers
diff options
context:
space:
mode:
Diffstat (limited to 'app/Controllers')
-rwxr-xr-xapp/Controllers/javascriptController.php2
-rw-r--r--app/Controllers/userController.php9
2 files changed, 8 insertions, 3 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 00a7b5c38..6336106a9 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
header('Pragma: no-cache');
$user = isset($_GET['user']) ? $_GET['user'] : '';
- if (ctype_alnum($user)) {
+ if (FreshRSS_user_Controller::checkUsername($user)) {
try {
$salt = FreshRSS_Context::$system_conf->salt;
$conf = get_user_configuration($user);
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 718207734..13a6fce67 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
return $passwordHash == '' ? '' : $passwordHash;
}
+ /**
+ * The username is also used as folder name, and part of SQL table name.
+ * '_' is a reserved internal username.
+ */
+ const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
+
public static function checkUsername($username) {
- $match = '/^[0-9a-zA-Z_]{1,38}$/';
- return preg_match($match, $username) === 1;
+ return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
}
/**
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-11 01:37:23 +0000