From 8d2b76334cd60356c85810bf4902124105d54ad4 Mon Sep 17 00:00:00 2001 From: Clément Date: Thu, 16 Feb 2017 14:27:45 +0100 Subject: Possibility to register user having a '-', a '_' or a '.' in username --- app/Models/Auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'app/Models/Auth.php') diff --git a/app/Models/Auth.php b/app/Models/Auth.php index b3255cfbd..e63a24b27 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -182,7 +182,8 @@ class FreshRSS_Auth { class FreshRSS_FormAuth { public static function checkCredentials($username, $hash, $nonce, $challenge) { - if (!ctype_alnum($username) || + $aValid = array('-', '_', '.'); + if (!ctype_alnum(str_replace($aValid, '', $username)) || !ctype_graph($challenge) || !ctype_alnum($nonce)) { Minz_Log::debug('Invalid credential parameters:' . @@ -211,7 +212,7 @@ class FreshRSS_FormAuth { // Token has expired (> 1 month) or does not exist. // TODO: 1 month -> use a configuration instead @unlink($token_file); - return array(); + return array(); } $credentials = @file_get_contents($token_file); -- cgit v1.2.3 From 4eeae5171b885b6dda392f5dd68d6dd78a0c7858 Mon Sep 17 00:00:00 2001 From: Clément Date: Thu, 16 Feb 2017 18:54:59 +0100 Subject: use function with preg_match to check username --- app/Controllers/userController.php | 11 +++++++---- app/Models/Auth.php | 3 +-- cli/_cli.php | 4 +--- cli/create-user.php | 3 +-- cli/delete-user.php | 3 +-- cli/do-install.php | 3 +-- 6 files changed, 12 insertions(+), 15 deletions(-) (limited to 'app/Models/Auth.php') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 6199ff218..246be1bfe 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -34,6 +34,11 @@ class FreshRSS_user_Controller extends Minz_ActionController { return $passwordHash == '' ? '' : $passwordHash; } + public static function checkUsername($username) { + $match = '/^[a-zA-Z_]{1,38}$/'; + return preg_match($match, $username) === 1; + } + /** * This action displays the user profile page. */ @@ -103,9 +108,8 @@ class FreshRSS_user_Controller extends Minz_ActionController { if (!is_array($userConfig)) { $userConfig = array(); } - $aValid = array('-', '_', '.'); - $ok = ($new_user_name != '') && ctype_alnum(str_replace($aValid, '', $new_user_name)); + $ok = self::checkUsername($new_user_name); if ($ok) { $languages = Minz_Translate::availableLanguages(); @@ -188,8 +192,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - $aValid = array('-', '_', '.'); - $ok = ctype_alnum(str_replace($aValid, '', $username)); + $ok = self::checkUsername($username); if ($ok) { $default_user = FreshRSS_Context::$system_conf->default_user; $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user diff --git a/app/Models/Auth.php b/app/Models/Auth.php index e63a24b27..476627e10 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -182,8 +182,7 @@ class FreshRSS_Auth { class FreshRSS_FormAuth { public static function checkCredentials($username, $hash, $nonce, $challenge) { - $aValid = array('-', '_', '.'); - if (!ctype_alnum(str_replace($aValid, '', $username)) || + if (!FreshRSS_user_Controller::checkUsername($username) || !ctype_graph($challenge) || !ctype_alnum($nonce)) { Minz_Log::debug('Invalid credential parameters:' . diff --git a/cli/_cli.php b/cli/_cli.php index 885199659..f5e36eabc 100644 --- a/cli/_cli.php +++ b/cli/_cli.php @@ -20,9 +20,7 @@ function fail($message) { } function cliInitUser($username) { - $aValid = array('-', '_', '.'); - - if (!ctype_alnum(str_replace($aValid, '', $username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username: ' . $username . "\n"); } diff --git a/cli/create-user.php b/cli/create-user.php index e5b4493e3..c9e350c14 100755 --- a/cli/create-user.php +++ b/cli/create-user.php @@ -16,9 +16,8 @@ if (empty($options['user'])) { fail('Usage: ' . basename(__FILE__) . " --user username ( --password 'password' --api-password 'api_password'" . " --language en --email user@example.net --token 'longRandomString --no-default-feeds' )"); } -$aValid = array('-', '_', '.'); $username = $options['user']; -if (!ctype_alnum(str_replace($aValid, '', $username))) { +if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username “' . $username . '”'); } diff --git a/cli/delete-user.php b/cli/delete-user.php index 82605fb27..baa81b893 100755 --- a/cli/delete-user.php +++ b/cli/delete-user.php @@ -9,9 +9,8 @@ $options = getopt('', array( if (empty($options['user'])) { fail('Usage: ' . basename(__FILE__) . " --user username"); } -$aValid = array('-', '_', '.'); $username = $options['user']; -if (!ctype_alnum(str_replace($aValid, '', $username))) { +if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username “' . $username . '”'); } diff --git a/cli/do-install.php b/cli/do-install.php index eb46c7e93..064a64ab2 100755 --- a/cli/do-install.php +++ b/cli/do-install.php @@ -47,8 +47,7 @@ if ($requirements['all'] !== 'ok') { fail($message); } -$aValid = array('-', '_', '.'); -if (!ctype_alnum(str_replace($aValid, '', $options['default_user']))) { +if (!FreshRSS_user_Controller::checkUsername($options['default_user'])) { fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $options['default_user']); } -- cgit v1.2.3