aboutsummaryrefslogtreecommitdiff
path: root/engine/lib
diff options
context:
space:
mode:
authormarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2009-06-12 12:48:07 +0000
committermarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2009-06-12 12:48:07 +0000
commita87a31631b8991bd9842b31b057d0fc086608612 (patch)
treeacaa5b57e4f3748eaf3d1a961a5df8fcaf1c2041 /engine/lib
parenta9419d04ee348cc66bea69d45bde6d99d8998cd2 (diff)
downloadelgg-a87a31631b8991bd9842b31b057d0fc086608612.tar.gz
elgg-a87a31631b8991bd9842b31b057d0fc086608612.tar.bz2
Refs #1041:
* Speculative fix, extended blacklist of invalid characters for user signup * Mapping some filestore matrix characters (notable '.') to a safe char git-svn-id: https://code.elgg.org/elgg/trunk@3329 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/filestore.php10
-rw-r--r--engine/lib/users.php23
2 files changed, 17 insertions, 16 deletions
diff --git a/engine/lib/filestore.php b/engine/lib/filestore.php
index 2f65ccc2f..89aee0d8d 100644
--- a/engine/lib/filestore.php
+++ b/engine/lib/filestore.php
@@ -319,6 +319,8 @@
*/
protected function make_file_matrix($filename)
{
+ $invalid_fs_chars = '*\'\\/"!$%^&*.%(){}[]#~?<>;|¬`@-+=';
+
$matrix = "";
$name = $filename;
@@ -330,7 +332,13 @@
$len = $this->matrix_depth;
for ($n = 0; $n < $len; $n++) {
- $matrix .= $filename[$n] . "/";
+
+ // Prevent a matrix being formed with unsafe characters
+ $char = $filename[$n];
+ if (strpos($invalid_fs_chars, $char)!==false)
+ $char = '_';
+
+ $matrix .= $char . "/";
}
return $matrix.$name."/";
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 85056269b..b271d4b4f 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1139,22 +1139,15 @@
']/u';
if (
- preg_match($blacklist, $username) ||
-
- // Belts and braces TODO: Tidy into main unicode
- //(strpos($username, '.')!==false) ||
- (strpos($username, '/')!==false) ||
- (strpos($username, '\\')!==false) ||
- (strpos($username, '"')!==false) ||
- (strpos($username, '\'')!==false) ||
- (strpos($username, '*')!==false) ||
- (strpos($username, '&')!==false) ||
- (strpos($username, ' ')!==false) ||
- (strpos($username, '?')!==false) ||
- (strpos($username, '#')!==false) ||
- (strpos($username, '%')!==false)
+ preg_match($blacklist, $username)
)
- throw new RegistrationException(elgg_echo('registration:invalidchars'));
+ throw new RegistrationException(elgg_echo('registration:invalidchars'));
+
+ // Belts and braces TODO: Tidy into main unicode
+ $blacklist2 = '/\\"\'*& ?#%^(){}[]~?<>;|¬`@-+=';
+ for ($n=0; $n < strlen($blacklist2); $n++)
+ if (strpos($username, $blacklist2[$n])!==false)
+ throw new RegistrationException(elgg_echo('registration:invalidchars'));
$result = true;
return trigger_plugin_hook('registeruser:validate:username', 'all', array('username' => $username), $result);