legal usernames and openid fix

Ian Maclennan

Mar 11, 2008, 9:17:28 PM
to Joomla! Devel Documentation
Hey...

I've attached a patch that I am proposing. I wanted to bring it here
because it is a potentially very high impact patch.

The patch does two things:
1. In two files (administrator/components/com_users/views/user/tmpl/
form.php and libraries/joomla/database/table/user.php) it makes a
minor modification to the regular expression so that it allows the
minus and plus characters in user names. This is necessary to allow
for domain names that have hyphens, and the potential that some openid
hosts will allow plus signs. Since the username is just a string, I
can't foresee problems with allowing + and - signs in the username.

2. The third file that is touched is the validate.js file. I modified
this file so that it would use the same regex that is used in the
other two places (var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]",
"i");) It previously used a positive checking regex, and so the
change will mean that it will look for nasty characters in the
username instead of verifying only good characters. This will bring
the javascript library in line with what is used in the PHP and will
give us consistency between the frontend and backend.

So please review the attached patch and offer any comments,
suggestions or thoughts.

Ian


Index: administrator/components/com_users/views/user/tmpl/form.php
===================================================================
--- administrator/components/com_users/views/user/tmpl/form.php
(revision 10127)
+++ administrator/components/com_users/views/user/tmpl/form.php
(working copy)
@@ -36,7 +36,7 @@
submitform( pressbutton );

return;

}

- var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", "i");

+ var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]", "i");



// do field validation

if (trim(form.name.value) == "") {
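
Review bot: In the new `var r = new RegExp(...)` line, the `|` between the characters is a literal member of the bracket class, not alternation, so a username containing a pipe is rejected as well, and the "i" flag has no effect because the class holds no letters. If the pipe is not meant to be banned, write the class without separators, for example `/[<>"'%;()&]/`, and keep it identical to the expression in user.php so that client and server agree.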

@@ -298,4 +298,4 @@
<input type="hidden" name="sendEmail" value="0" />

<?php } ?>

<?php echo JHTML::_( 'form.token' ); ?>

-</form>
\ No newline at end of file
+</form>
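
Review bot: The only change at the end of form.php is the trailing newline added after `</form>`, which is unrelated to the username rule. Drop it from this patch or send it separately so the diff under review contains only the validation change; the same applies to the final hunk of validate.js.
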
Index: libraries/joomla/database/table/user.php
===================================================================
--- libraries/joomla/database/table/user.php (revision 10127)
+++ libraries/joomla/database/table/user.php (working copy)
@@ -149,7 +149,7 @@
}


- if (eregi( "[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", $this->username)
|| strlen(utf8_decode($this->username )) < 2) {
+ if (eregi( "[\<|\>|\"|\'|\%|\;|\(|\)|\&]", $this->username) ||
strlen(utf8_decode($this->username )) < 2) {
$this->setError( JText::sprintf( 'VALID_AZ09',
JText::_( 'Username' ), 2 ) );
return false;
}
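
Review bot: The failure path after the `eregi` test still reports `VALID_AZ09`, a key whose name suggests a letters-and-digits rule, while the check now rejects only the nine listed characters (plus the literal `|` inside the brackets). Confirm that the language string behind that key describes the rule actually enforced. Because this is the server-side check that decides what gets stored, it is also the place to confirm that nothing consuming `$this->username` relied on `+` and `-` being excluded.
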
Index: media/system/js/validate.js
===================================================================
--- media/system/js/validate.js (revision 10127)
+++ media/system/js/validate.js (working copy)
@@ -30,8 +30,9 @@
// Default handlers

this.setHandler('username',

function (value) {

- regex=/^[a-zA-Z](([\.\-a-zA-Z0-9@])?[a-zA-Z0-9]*)*$/;

- return regex.test(value);

+ //regex=/^[a-zA-Z](([\.\-a-zA-Z0-9@])?[a-zA-Z0-9]*)*$/;
+ regex = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]", "i");

+ return !regex.test(value);

}

);
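
Review bot: With `return !regex.test(value);` the 'username' handler now returns true for an empty string and for a single character, while the check in user.php rejects usernames shorter than 2, so client and server still disagree. Add the length test to the handler, delete the commented-out `//regex=...` line instead of leaving it in, and declare `regex` with `var` so it does not become a global.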



@@ -164,4 +165,4 @@
document.formvalidator = null;

Window.onDomReady(function(){

document.formvalidator = new JFormValidator();

-});
\ No newline at end of file
+});
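
The validate.js change described in item 2 of the message, run side by side on constructed usernames. This is an added example, not part of the original post or of Joomla; `serverRule` is an assumed approximation of the user.php check and the sample values are invented.

```javascript
// Added example: old and new 'username' handlers from the validate.js hunk,
// compared on constructed sample values.

// Handler removed by the patch: an allowlist anchored at both ends.
function oldHandler(value) {
  return /^[a-zA-Z](([\.\-a-zA-Z0-9@])?[a-zA-Z0-9]*)*$/.test(value);
}

// Handler added by the patch: a denylist, built exactly as in the hunk.
// Inside [...] the '|' is a literal character, so pipes are rejected too.
function newHandler(value) {
  const regex = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]", "i");
  return !regex.test(value);
}

// Assumption: approximates the patched server-side test in user.php,
// i.e. the same denylist plus the "at least 2 characters" condition.
function serverRule(value) {
  return newHandler(value) && [...value].length >= 2;
}

// Constructed samples: plain name, hyphenated host, plus sign, pipe,
// empty string, single character, markup.
const samples = ["ian", "ian-m.example.org", "ian+id", "a|b", "", "x", "<b>"];

// Returns one row per value with the verdict of each check.
function compare(values) {
  return values.map((v) => ({
    value: v,
    oldClient: oldHandler(v),
    newClient: newHandler(v),
    server: serverRule(v),
  }));
}

console.table(compare(samples));
```

Rows where `newClient` and `server` differ are the inputs the browser accepts but the save rejects.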

Ian MacLennan

Mar 14, 2008, 9:45:53 AM
to Joomla! Devel Documentation
Hey!

If anybody can provide comment on this, it would be really helpful, as we would like to get all the openid issues solved for the next release.

Ian

Chris Davenport

Mar 14, 2008, 10:58:27 AM
to joomla-d...@googlegroups.com
Ian, I think you may have sent this to the wrong mailing list.  This is the doc list, not the dev list. ;-)

Chris.

Ian MacLennan

Mar 14, 2008, 8:36:49 PM
to joomla-d...@googlegroups.com
Yeah, I posted to dev discussion list.

Ian