diff options
| author | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-06-12 12:48:07 +0000 |
|---|---|---|
| committer | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-06-12 12:48:07 +0000 |
| commit | a87a31631b8991bd9842b31b057d0fc086608612 (patch) | |
| tree | acaa5b57e4f3748eaf3d1a961a5df8fcaf1c2041 | |
| parent | a9419d04ee348cc66bea69d45bde6d99d8998cd2 (diff) | |
| download | elgg-a87a31631b8991bd9842b31b057d0fc086608612.tar.gz elgg-a87a31631b8991bd9842b31b057d0fc086608612.tar.bz2 | |
Refs #1041:
* Speculative fix, extended blacklist of invalid characters for user signup
* Mapping some filestore matrix characters (notable '.') to a safe char
git-svn-id: https://code.elgg.org/elgg/trunk@3329 36083f99-b078-4883-b0ff-0f9b5a30f544
| -rw-r--r-- | engine/lib/filestore.php | 10 | ||||
| -rw-r--r-- | engine/lib/users.php | 23 |
2 files changed, 17 insertions, 16 deletions
diff --git a/engine/lib/filestore.php b/engine/lib/filestore.php index 2f65ccc2f..89aee0d8d 100644 --- a/engine/lib/filestore.php +++ b/engine/lib/filestore.php @@ -319,6 +319,8 @@ */ protected function make_file_matrix($filename) { + $invalid_fs_chars = '*\'\\/"!$%^&*.%(){}[]#~?<>;|¬`@-+='; + $matrix = ""; $name = $filename; @@ -330,7 +332,13 @@ $len = $this->matrix_depth; for ($n = 0; $n < $len; $n++) { - $matrix .= $filename[$n] . "/"; + + // Prevent a matrix being formed with unsafe characters + $char = $filename[$n]; + if (strpos($invalid_fs_chars, $char)!==false) + $char = '_'; + + $matrix .= $char . "/"; } return $matrix.$name."/"; diff --git a/engine/lib/users.php b/engine/lib/users.php index 85056269b..b271d4b4f 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -1139,22 +1139,15 @@ ']/u';
if (
- preg_match($blacklist, $username) ||
-
- // Belts and braces TODO: Tidy into main unicode
- //(strpos($username, '.')!==false) ||
- (strpos($username, '/')!==false) ||
- (strpos($username, '\\')!==false) ||
- (strpos($username, '"')!==false) ||
- (strpos($username, '\'')!==false) ||
- (strpos($username, '*')!==false) ||
- (strpos($username, '&')!==false) ||
- (strpos($username, ' ')!==false) || - (strpos($username, '?')!==false) || - (strpos($username, '#')!==false) || - (strpos($username, '%')!==false)
+ preg_match($blacklist, $username)
)
- throw new RegistrationException(elgg_echo('registration:invalidchars'));
+ throw new RegistrationException(elgg_echo('registration:invalidchars')); + + // Belts and braces TODO: Tidy into main unicode + $blacklist2 = '/\\"\'*& ?#%^(){}[]~?<>;|¬`@-+='; + for ($n=0; $n < strlen($blacklist2); $n++) + if (strpos($username, $blacklist2[$n])!==false) + throw new RegistrationException(elgg_echo('registration:invalidchars'));
$result = true;
return trigger_plugin_hook('registeruser:validate:username', 'all', array('username' => $username), $result);
|