From 283106afa1fb6ff9984341b8911f90c5d4e4c4a2 Mon Sep 17 00:00:00 2001
From: Sem <sembrestels@riseup.net>
Date: Thu, 12 Sep 2013 00:15:52 +0200
Subject: Fixes #6052. Urldecoding usernames to allow non-alphanumeric
 characters.

---
 engine/lib/users.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'engine/lib')

diff --git a/engine/lib/users.php b/engine/lib/users.php
index 9a5194896..0b4608034 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,7 +553,7 @@ function get_user($guid) {
 function get_user_by_username($username) {
 	global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
 
-	$username = sanitise_string($username);
+	$username = sanitise_string(rawurldecode($username));
 	$access = get_access_sql_suffix('e');
 
 	// Caching
-- 
cgit v1.2.3


From ee2b6351f5a759b6e713d3992c3b0c348850fecf Mon Sep 17 00:00:00 2001
From: Steve Clay <steve@mrclay.org>
Date: Fri, 20 Sep 2013 21:02:30 -0400
Subject: Adds comment to explain URL decoding in get_user_by_username

---
 engine/lib/users.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'engine/lib')

diff --git a/engine/lib/users.php b/engine/lib/users.php
index 0b4608034..bccfb8b03 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,7 +553,12 @@ function get_user($guid) {
 function get_user_by_username($username) {
 	global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
 
-	$username = sanitise_string(rawurldecode($username));
+	// Fixes #6052. Username is frequently sniffed from the path info, which,
+	// unlike $_GET, is not URL decoded. If the username was not URL encoded,
+	// this is harmless.
+	$username = rawurldecode($username);
+
+	$username = sanitise_string($username);
 	$access = get_access_sql_suffix('e');
 
 	// Caching
-- 
cgit v1.2.3