From a87a31631b8991bd9842b31b057d0fc086608612 Mon Sep 17 00:00:00 2001
From: marcus
Date: Fri, 12 Jun 2009 12:48:07 +0000
Subject: Refs #1041: * Speculative fix, extended blacklist of invalid characters for user signup * Mapping some filestore matrix characters (notable '.') to a safe char
git-svn-id: https://code.elgg.org/elgg/trunk@3329 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/filestore.php | 10 +++++++++-
 engine/lib/users.php | 23 ++++++++--------------
 2 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/engine/lib/filestore.php b/engine/lib/filestore.php
index 2f65ccc2f..89aee0d8d 100644
--- a/engine/lib/filestore.php
+++ b/engine/lib/filestore.php
@@ -319,6 +319,8 @@
  */
 protected function make_file_matrix($filename) {
+ $invalid_fs_chars = '*\'\\/"!$%^&*.%(){}[]#~?<>;|¬`@-+=';
+
 $matrix = "";
 $name = $filename;
@@ -330,7 +332,13 @@
 $len = $this->matrix_depth;
 for ($n = 0; $n < $len; $n++) {
- $matrix .= $filename[$n] . "/";
+
+ // Prevent a matrix being formed with unsafe characters
+ $char = $filename[$n];
+ if (strpos($invalid_fs_chars, $char)!==false)
+ $char = '_';
+
+ $matrix .= $char . "/";
 }
 return $matrix.$name."/";
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 85056269b..b271d4b4f 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
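Review bot: The `$invalid_fs_chars` literal added at the top of make_file_matrix lists `*` and `%` twice and contains `¬`, which in a UTF-8 source is a two-byte sequence; because the loop further down compares single bytes of `$filename` with strpos, that entry blacklists the bytes 0xC2 and 0xAC individually rather than the character, which presumably is not intended. An allowlist is shorter and does not need the list at all: `if (!ctype_alnum($char)) $char = '_';` in the loop body. If the list is kept, a class constant would suit it better than a local rebuilt on every call, and the duplicates should go.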
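Review bot: The mapping in the `for` loop only covers the first `matrix_depth` characters used as directory segments; `$name` is still appended unchanged in `return $matrix.$name."/"`, so any `.`, `/` or `\` in `$filename` is altered in the prefix but reaches the filesystem verbatim in the last segment, and a value such as `..` is only partially neutralised. If the aim is to keep unsafe characters out of the path, either apply the same per-character mapping to `$name` or reject such names where the filename originates, bearing in mind that changing `$name` relocates existing directories. On style, the braceless `if` and the `!==false` spacing differ from the surrounding loop; `if (strpos($invalid_fs_chars, $char) !== false) { $char = '_'; }` matches the file's bracing.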
@@ -1139,22 +1139,15 @@
 ']/u';
 if (
- preg_match($blacklist, $username) ||
-
- // Belts and braces TODO: Tidy into main unicode
- //(strpos($username, '.')!==false) ||
- (strpos($username, '/')!==false) ||
- (strpos($username, '\\')!==false) ||
- (strpos($username, '"')!==false) ||
- (strpos($username, '\'')!==false) ||
- (strpos($username, '*')!==false) ||
- (strpos($username, '&')!==false) ||
- (strpos($username, ' ')!==false) ||
- (strpos($username, '?')!==false) ||
- (strpos($username, '#')!==false) ||
- (strpos($username, '%')!==false)
+ preg_match($blacklist, $username)
 )
- throw new RegistrationException(elgg_echo('registration:invalidchars'));
+ throw new RegistrationException(elgg_echo('registration:invalidchars'));
+
+ // Belts and braces TODO: Tidy into main unicode
+ $blacklist2 = '/\\"\'*& ?#%^(){}[]~?<>;|¬`@-+=';
+ for ($n=0; $n < strlen($blacklist2); $n++)
+ if (strpos($username, $blacklist2[$n])!==false)
+ throw new RegistrationException(elgg_echo('registration:invalidchars'));
 $result = true;
 return trigger_plugin_hook('registeruser:validate:username', 'all', array('username' => $username), $result);
-- cgit v1.2.3
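Review bot: The new `$blacklist2` loop walks the list byte by byte (`strlen`, `$blacklist2[$n]`), but the list contains `¬`, which in a UTF-8 source is the two bytes 0xC2 0xAC; the loop therefore rejects any username containing either byte, which covers legitimate characters such as `©` or `°` that the `u`-flagged `$blacklist` regex ending just above (`']/u'`) appears meant to allow. `?` is also listed twice, and `.` — the character the filestore half of this commit works around — is still not rejected here, so a name like `..` passes this check. Folding the characters into a `u`-flagged preg_match, as the hunk's own TODO asks, fixes both: `if (preg_match('/[\\\\\/"\'*& ?#%^(){}\[\]~<>;|¬`@+=-]/u', $username))` followed by the existing throw, with `.` added to the class if it should be refused. The enclosing function begins before this hunk and its closing brace lies after it.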