author | Steve Clay <steve@mrclay.org> | 2013-09-20 21:21:12 -0400 |
committer | Steve Clay <steve@mrclay.org> | 2013-09-20 21:21:12 -0400 |
commit | 7a9bdd3f5f0e9f9f26a32f91418a53cd36e7e2fe (patch) | |
tree | 06952194c6d9589f761319ec9463239928171093 /engine | |
parent | 5b361f8b2b00d85282bb827f5bd83cf0e44fe4df (diff) | |
parent | 49ab3a17173aedb8b5e3a2a228cc6cfd0a510e49 (diff) | |
download | elgg-7a9bdd3f5f0e9f9f26a32f91418a53cd36e7e2fe.tar.gz elgg-7a9bdd3f5f0e9f9f26a32f91418a53cd36e7e2fe.tar.bz2 |
Merge branch 'sembrestels-patch-2' into 1.8
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/users.php | 5 | ||||
-rw-r--r-- | engine/tests/objects/users.php | 16 |
2 files changed, 21 insertions, 0 deletions
diff --git a/engine/lib/users.php b/engine/lib/users.php
index a3813e6a8..a8fb9121c 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,6 +553,11 @@ function get_user($guid) {
 function get_user_by_username($username) {
 global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
+ // Fixes #6052. Username is frequently sniffed from the path info, which,
+ // unlike $_GET, is not URL decoded. If the username was not URL encoded,
+ // this is harmless.
+ $username = rawurldecode($username);
+
 $username = sanitise_string($username);
 $access = get_access_sql_suffix('e');
diff --git a/engine/tests/objects/users.php b/engine/tests/objects/users.php
index dc9129326..7d2ef6961 100644
--- a/engine/tests/objects/users.php
+++ b/engine/tests/objects/users.php
@@ -159,6 +159,22 @@ class ElggCoreUserTest extends ElggCoreUnitTest {
 $this->assertFalse($user);
 }
+ public function testGetUserByUsernameAcceptsUrlEncoded() {
+ $username = (string)time();
+ $this->user->username = $username;
+ $guid = $this->user->save();
+
+ // percent encode first letter
+ $first_letter = $username[0];
+ $first_letter = str_pad('%' . dechex(ord($first_letter)), 2, '0', STR_PAD_LEFT);
+ $username = $first_letter . substr($username, 1);
+
+ $user = get_user_by_username($username);
+ $this->assertTrue((bool) $user);
+ $this->assertEqual($guid, $user->guid);
+
+ $this->user->delete();
+ }
 public function testElggUserMakeAdmin() {
 global $CONFIG;
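Review bot: The added comment's claim that decoding an un-encoded username is harmless holds only if a valid username can never contain a literal `%` followed by two hex digits; that restriction is enforced by the username validation elsewhere, not in this function, so the comment should name the dependency: `// Harmless only because validated usernames never contain '%'. Keep this ahead of sanitise_string() so a percent-encoded quote cannot reach the query unescaped.` Placing rawurldecode() before sanitise_string() is the correct order for the SQL escaping, and if $USERNAME_TO_GUID_MAP_CACHE is consulted further down it should be keyed on the decoded value so an encoded and a plain spelling of the same name share one entry. The body of get_user_by_username continues outside the hunk.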
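Review bot: The `str_pad('%' . dechex(ord($first_letter)), 2, '0', STR_PAD_LEFT)` in testGetUserByUsernameAcceptsUrlEncoded is a no-op: the string is already three characters for any digit, and had the hex value been a single digit the zero would have been padded in front of the `%` rather than after it. The test only passes because time() yields digits whose code points (0x30–0x39) are two hex digits; `$first_letter = sprintf('%%%02X', ord($username[0]));` encodes correctly for any byte. A username taken from (string)time() can also collide with one saved by another test in the same second, so a uniqid()-based value would make the fixture independent. The enclosing class continues outside the hunk.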