9 ani în urmă · 8d2b76334c
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -103,8 +103,9 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 
				 		if (!is_array($userConfig)) {
			
 
				 			$userConfig = array();
			
 
				 		}
			
 
				+        $aValid = array('-', '_', '.');
			
 
				 
			
 
				-		$ok = ($new_user_name != '') && ctype_alnum($new_user_name);
			
 
				+		$ok = ($new_user_name != '') && ctype_alnum(str_replace($aValid, '', $new_user_name));
			
 
				 
			
 
				 		if ($ok) {
			
 
				 			$languages = Minz_Translate::availableLanguages();
			
@@ -187,7 +188,8 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 
				 		$db = FreshRSS_Context::$system_conf->db;
			
 
				 		require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
			
 
				 
			
 
				-		$ok = ctype_alnum($username);
			
 
				+        $aValid = array('-', '_', '.');
			
 
				+		$ok = ctype_alnum(str_replace($aValid, '', $username));
			
 
				 		if ($ok) {
			
 
				 			$default_user = FreshRSS_Context::$system_conf->default_user;
			
 
				 			$ok &= (strcasecmp($username, $default_user) !== 0);	//It is forbidden to delete the default user
			
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -182,7 +182,8 @@ class FreshRSS_Auth {
 
				 
			
 
				 class FreshRSS_FormAuth {
			
 
				 	public static function checkCredentials($username, $hash, $nonce, $challenge) {
			
 
				-		if (!ctype_alnum($username) ||
			
 
				+		$aValid = array('-', '_', '.');
			
 
				+		if (!ctype_alnum(str_replace($aValid, '', $username)) ||
			
 
				 				!ctype_graph($challenge) ||
			
 
				 				!ctype_alnum($nonce)) {
			
 
				 			Minz_Log::debug('Invalid credential parameters:' .
			
@@ -211,7 +212,7 @@ class FreshRSS_FormAuth {
 
				 			// Token has expired (> 1 month) or does not exist.
			
 
				 			// TODO: 1 month -> use a configuration instead
			
 
				 			@unlink($token_file);
			
 
				-			return array(); 	
			
 
				+			return array();
			
 
				 		}
			
 
				 
			
 
				 		$credentials = @file_get_contents($token_file);
			
--- a/app/install.php
+++ b/app/install.php
@@ -553,7 +553,7 @@ function printStep2() {
 
				 		<div class="form-group">
			
 
				 			<label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label>
			
 
				 			<div class="group-controls">
			
 
				-				<input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
			
 
				+				<input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z.\-_]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
			
 
				 			</div>
			
 
				 		</div>
			
 
				 
			
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -9,7 +9,7 @@
 
				 		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
			
 
				 		<div>
			
 
				 			<label for="username"><?php echo _t('gen.auth.username'); ?></label>
			
 
				-			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
			
 
				+			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z.\-_]{1,16}" autofocus="autofocus" />
			
 
				 		</div>
			
 
				 		<div>
			
 
				 			<label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label>
			
--- a/app/views/user/manage.phtml
+++ b/app/views/user/manage.phtml
@@ -22,7 +22,7 @@
 
				 		<div class="form-group">
			
 
				 			<label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label>
			
 
				 			<div class="group-controls">
			
 
				-				<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" placeholder="demo" />
			
 
				+				<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z.\-_]{1,16}" placeholder="demo" />
			
 
				 			</div>
			
 
				 		</div>
			
 
				 
			
--- a/cli/_cli.php
+++ b/cli/_cli.php
@@ -20,7 +20,9 @@ function fail($message) {
 
				 }
			
 
				 
			
 
				 function cliInitUser($username) {
			
 
				-	if (!ctype_alnum($username)) {
			
 
				+    $aValid = array('-', '_', '.');
			
 
				+    
			
 
				+	if (!ctype_alnum(str_replace($aValid, '', $username))) {
			
 
				 		fail('FreshRSS error: invalid username: ' . $username . "\n");
			
 
				 	}
			
 
				 
			
--- a/cli/delete-user.php
+++ b/cli/delete-user.php
@@ -9,8 +9,9 @@ $options = getopt('', array(
 
				 if (empty($options['user'])) {
			
 
				 	fail('Usage: ' . basename(__FILE__) . " --user username");
			
 
				 }
			
 
				+$aValid = array('-', '_', '.');
			
 
				 $username = $options['user'];
			
 
				-if (!ctype_alnum($username)) {
			
 
				+if (!ctype_alnum(str_replace($aValid, '', $username))) {
			
 
				 	fail('FreshRSS error: invalid username “' . $username . '”');
			
 
				 }
			
 
				 
			
--- a/cli/do-install.php
+++ b/cli/do-install.php
@@ -47,7 +47,8 @@ if ($requirements['all'] !== 'ok') {
 
				 	fail($message);
			
 
				 }
			
 
				 
			
 
				-if (!ctype_alnum($options['default_user'])) {
			
 
				+$aValid = array('-', '_', '.');
			
 
				+if (!ctype_alnum(str_replace($aValid, '', $options['default_user']))) {
			
 
				 	fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $options['default_user']);
			
 
				 }