From 283106afa1fb6ff9984341b8911f90c5d4e4c4a2 Mon Sep 17 00:00:00 2001
From: Sem
Date: Thu, 12 Sep 2013 00:15:52 +0200
Subject: Fixes #6052. Urldecoding usernames to allow non-alphanumeric characters.
---
 engine/lib/users.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'engine')
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 9a5194896..0b4608034 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,7 +553,7 @@ function get_user($guid) {
 function get_user_by_username($username) {
 global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
- $username = sanitise_string($username);
+ $username = sanitise_string(rawurldecode($username));
 $access = get_access_sql_suffix('e');
 // Caching
-- cgit v1.2.3
From ee2b6351f5a759b6e713d3992c3b0c348850fecf Mon Sep 17 00:00:00 2001
From: Steve Clay
Date: Fri, 20 Sep 2013 21:02:30 -0400
Subject: Adds comment to explain URL decoding in get_user_by_username
---
 engine/lib/users.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'engine')
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 0b4608034..bccfb8b03 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,7 +553,12 @@ function get_user($guid) {
 function get_user_by_username($username) {
 global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
- $username = sanitise_string(rawurldecode($username));
+ // Fixes #6052. Username is frequently sniffed from the path info, which,
+ // unlike $_GET, is not URL decoded. If the username was not URL encoded,
+ // this is harmless.
+ $username = rawurldecode($username);
+
+ $username = sanitise_string($username);
 $access = get_access_sql_suffix('e');
 // Caching
-- cgit v1.2.3
From 49ab3a17173aedb8b5e3a2a228cc6cfd0a510e49 Mon Sep 17 00:00:00 2001
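Review bot: The `rawurldecode()` wrapped around `$username` on the added line is not idempotent, so the lookup now silently depends on every caller passing the raw, still-encoded path segment: a caller that hands in an already-decoded `$_GET` value gets a second decode, and a stored username that legitimately contains a `%XX` sequence can never be found by its own literal name, because it is looked up as the decoded form instead. Whether `%` is a permitted username character is decided by validation code not visible here; if it is allowed, the decode belongs at the boundary that sniffs the path info rather than inside the lookup, and if it is not, that assumption should be stated next to this line so the next caller does not pre-decode. The order chosen here — decode first, then `sanitise_string()` — is the right one, since escaping before decoding would let `%27` reintroduce an unescaped quote into whatever query follows. The body of `get_user_by_username` continues past the hunk.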
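Review bot: The last sentence of the added comment, `If the username was not URL encoded, this is harmless`, is stronger than the code supports, and the comment leaves out the one ordering constraint a maintainer must not break: the decode has to stay above the `sanitise_string()` call that follows it, otherwise an encoded quote such as `%27` is decoded after escaping and reaches the query unescaped. I would replace that sentence with `Decode BEFORE sanitise_string(): decoding after escaping would turn %27 back into an unescaped quote. rawurldecode() is not idempotent, so callers must pass the raw path segment, not a value that was already decoded.` That keeps the #6052 rationale intact while recording both the security-relevant ordering and the precondition on callers. The function continues outside this hunk.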
From: Steve Clay
Date: Fri, 20 Sep 2013 21:19:06 -0400
Subject: Test that get_user_by_username accepts URL encoded input
---
 engine/tests/objects/users.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'engine')
diff --git a/engine/tests/objects/users.php b/engine/tests/objects/users.php
index dc9129326..7d2ef6961 100644
--- a/engine/tests/objects/users.php
+++ b/engine/tests/objects/users.php
@@ -159,6 +159,22 @@ class ElggCoreUserTest extends ElggCoreUnitTest {
 $this->assertFalse($user);
 }
+ public function testGetUserByUsernameAcceptsUrlEncoded() {
+ $username = (string)time();
+ $this->user->username = $username;
+ $guid = $this->user->save();
+
+ // percent encode first letter
+ $first_letter = $username[0];
+ $first_letter = str_pad('%' . dechex(ord($first_letter)), 2, '0', STR_PAD_LEFT);
+ $username = $first_letter . substr($username, 1);
+
+ $user = get_user_by_username($username);
+ $this->assertTrue((bool) $user);
+ $this->assertEqual($guid, $user->guid);
+
+ $this->user->delete();
+ }
 public function testElggUserMakeAdmin() {
 global $CONFIG;
-- cgit v1.2.3
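Review bot: The `str_pad` on the percent-encoding line pads the wrong string to the wrong width: `'%' . dechex(ord($c))` is already three characters for any printable ASCII byte, so the pad is a no-op, and for a byte below 0x10 it would produce `%a` instead of `%0a`; `$first_letter = sprintf('%%%02X', ord($first_letter));` produces the intended two-digit escape. More importantly, `(string)time()` begins with a digit, so the test only proves that an encoded alphanumeric character round-trips and never exercises the non-alphanumeric case #6052 is about — saving a user whose name contains a character such as `.` or `-` and looking it up encoded would cover the actual fix (whether such characters pass username validation is not visible here). A companion call that passes an encoded quote, e.g. `$this->assertFalse(get_user_by_username('%27' . $username));`, would also pin down that the decode in `get_user_by_username` happens before the SQL escaping rather than after it. The new method sits entirely inside the hunk; the enclosing `ElggCoreUserTest` class does not.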