1
1
Fork 0
mirror of https://code.mensbeam.com/MensBeam/Arsse.git synced 2024-12-22 21:22:40 +00:00

Forbid more user names

- Control characters are now forbidden
- Controls and colons are now also forbidden when renaming
This commit is contained in:
J. King 2020-12-27 10:08:00 -05:00
parent 405f3af257
commit 2946d950f2
3 changed files with 36 additions and 13 deletions

View file

@ -1,13 +1,14 @@
Version 0.9.0 (????-??-??)
==========================
New features:
- Support for the Miniflux protocol (see manual for details)
Bug fixes:
- Use icons specified in Atom feeds when available
- Do not return null as subscription unread count
Changes:
- Explicitly forbid U+003A COLON in usernames, for compatibility with HTTP
Basic authentication
- Explicitly forbid U+003A COLON and control characters in usernames, for
compatibility with RFC 7617
Version 0.8.5 (2020-10-27)
==========================

View file

@ -84,10 +84,11 @@ class User {
}
public function add(string $user, ?string $password = null): string {
// ensure the user name does not contain any U+003A COLON characters, as
// ensure the user name does not contain any U+003A COLON or control characters, as
// this is incompatible with HTTP Basic authentication
if (strpos($user, ":") !== false) {
throw new User\ExceptionInput("invalidUsername", "U+003A COLON");
if (preg_match("/[\x{00}-\x{1F}\x{7F}:]/", $user, $m)) {
$c = ord($m[0]);
throw new User\ExceptionInput("invalidUsername", "U+".str_pad((string) $c, 4, "0", \STR_PAD_LEFT)." ".\IntlChar::charName($c, \IntlChar::EXTENDED_CHAR_NAME));
}
try {
$out = $this->u->userAdd($user, $password) ?? $this->u->userAdd($user, $this->generatePassword());
@ -105,6 +106,12 @@ class User {
}
public function rename(string $user, string $newName): bool {
// ensure the new user name does not contain any U+003A COLON or
// control characters, as this is incompatible with HTTP Basic authentication
if (preg_match("/[\x{00}-\x{1F}\x{7F}:]/", $newName, $m)) {
$c = ord($m[0]);
throw new User\ExceptionInput("invalidUsername", "U+".str_pad((string) $c, 4, "0", \STR_PAD_LEFT)." ".\IntlChar::charName($c, \IntlChar::EXTENDED_CHAR_NAME));
}
if ($this->u->userRename($user, $newName)) {
$tr = Arsse::$db->begin();
if (!Arsse::$db->userExists($user)) {

View file

@ -160,13 +160,22 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
}
}
public function testAddAnInvalidUser(): void {
$user = "john:doe@example.com";
$pass = "secret";
/** @dataProvider provideInvalidUserNames */
public function testAddAnInvalidUser(string $user): void {
$u = new User($this->drv);
\Phake::when($this->drv)->userAdd->thenThrow(new ExceptionInput("invalidUsername"));
$this->assertException("invalidUsername", "User", "ExceptionInput");
$u->add($user, $pass);
$u->add($user, "secret");
}
public function provideInvalidUserNames(): iterable {
// output names with control characters
foreach (array_merge(range(0x00, 0x1F), [0x7F]) as $ord) {
yield [chr($ord)];
yield ["john".chr($ord)."doe@example.com"];
}
// also handle colons
yield [":"];
yield ["john:doe@example.com"];
}
public function testAddAUserWithARandomPassword(): void {
@ -231,11 +240,17 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
\Phake::when($this->drv)->userRename->thenReturn(false);
$u = new User($this->drv);
$old = "john.doe@example.com";
$new = "jane.doe@example.com";
$this->assertFalse($u->rename($old, $old));
\Phake::verify($this->drv)->userRename($old, $old);
}
/** @dataProvider provideInvalidUserNames */
public function testRenameAUserToAnInvalidName(string $new): void {
$u = new User($this->drv);
$this->assertException("invalidUsername", "User", "ExceptionInput");
$u->rename("john.doe@example.com", $new);
}
public function testRemoveAUser(): void {
$user = "john.doe@example.com";
$u = new User($this->drv);