From a87a31631b8991bd9842b31b057d0fc086608612 Mon Sep 17 00:00:00 2001
From: marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Fri, 12 Jun 2009 12:48:07 +0000
Subject: Refs #1041: * Speculative fix, extended blacklist of invalid
 characters for user signup * Mapping some filestore matrix characters
 (notable '.') to a safe char

git-svn-id: https://code.elgg.org/elgg/trunk@3329 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/filestore.php | 10 +++++++++-
 engine/lib/users.php     | 23 ++++++++---------------
 2 files changed, 17 insertions(+), 16 deletions(-)

(limited to 'engine/lib')

diff --git a/engine/lib/filestore.php b/engine/lib/filestore.php
index 2f65ccc2f..89aee0d8d 100644
--- a/engine/lib/filestore.php
+++ b/engine/lib/filestore.php
@@ -319,6 +319,8 @@
 		 */
 		protected function make_file_matrix($filename)
 		{
+			$invalid_fs_chars = '*\'\\/"!$%^&*.%(){}[]#~?<>;|¬`@-+=';
+			
 			$matrix = "";
 			
 			$name = $filename;
@@ -330,7 +332,13 @@
 				$len = $this->matrix_depth;
 			
 			for ($n = 0; $n < $len; $n++) {
-				$matrix .= $filename[$n] . "/";
+				
+				// Prevent a matrix being formed with unsafe characters
+				$char = $filename[$n];
+				if (strpos($invalid_fs_chars, $char)!==false)
+					$char = '_';
+				
+				$matrix .= $char . "/";
 			}	
 	
 			return $matrix.$name."/";
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 85056269b..b271d4b4f 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1139,22 +1139,15 @@
 			']/u';
 		
 		if (
-			preg_match($blacklist, $username) ||	
-		
-			// Belts and braces TODO: Tidy into main unicode
-			//(strpos($username, '.')!==false) ||
-			(strpos($username, '/')!==false) ||
-			(strpos($username, '\\')!==false) ||
-			(strpos($username, '"')!==false) ||
-			(strpos($username, '\'')!==false) ||
-			(strpos($username, '*')!==false) ||
-			(strpos($username, '&')!==false) ||
-			(strpos($username, ' ')!==false) ||
-			(strpos($username, '?')!==false) ||
-			(strpos($username, '#')!==false) ||
-			(strpos($username, '%')!==false)
+			preg_match($blacklist, $username) 
 		)
-			throw new RegistrationException(elgg_echo('registration:invalidchars'));
+			throw new RegistrationException(elgg_echo('registration:invalidchars'));
+			
+		// Belts and braces TODO: Tidy into main unicode
+		$blacklist2 = '/\\"\'*& ?#%^(){}[]~?<>;|¬`@-+=';
+		for ($n=0; $n < strlen($blacklist2); $n++)
+			if (strpos($username, $blacklist2[$n])!==false)
+				throw new RegistrationException(elgg_echo('registration:invalidchars'));
 		 
 		$result = true;
 		return trigger_plugin_hook('registeruser:validate:username', 'all', array('username' => $username), $result);
-- 
cgit v1.2.3