diff options
| author | Steve Clay <steve@mrclay.org> | 2013-09-20 21:02:30 -0400 |
|---|---|---|
| committer | Steve Clay <steve@mrclay.org> | 2013-09-20 21:02:30 -0400 |
| commit | ee2b6351f5a759b6e713d3992c3b0c348850fecf (patch) | |
| tree | 2dbc0ead72df0b8d3614613d956b750723966d22 /engine | |
| parent | 283106afa1fb6ff9984341b8911f90c5d4e4c4a2 (diff) | |
| download | elgg-ee2b6351f5a759b6e713d3992c3b0c348850fecf.tar.gz elgg-ee2b6351f5a759b6e713d3992c3b0c348850fecf.tar.bz2 | |
Adds comment to explain URL decoding in get_user_by_username
Diffstat (limited to 'engine')
| -rw-r--r-- | engine/lib/users.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/engine/lib/users.php b/engine/lib/users.php index 0b4608034..bccfb8b03 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -553,7 +553,12 @@ function get_user($guid) { function get_user_by_username($username) { global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE; - $username = sanitise_string(rawurldecode($username)); + // Fixes #6052. Username is frequently sniffed from the path info, which, + // unlike $_GET, is not URL decoded. If the username was not URL encoded, + // this is harmless. + $username = rawurldecode($username); + + $username = sanitise_string($username); $access = get_access_sql_suffix('e'); // Caching |