4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: trez on January 28, 2007, 04:15:53 PM

Title: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: trez on January 28, 2007, 04:15:53 PM
Hi,

anyone of you has users like {username} ? Or {P}blabla ?
Well, the problem is, that 4images isn't parsing the username right if there is an opening and closing bracket ({ and }). So the user is "invisible" in the who is online, even in his profile,
even in the user administration - everywhere. The user name in the brackets is just not displayed.

Well, this is also a security problem, but i won't write on that topic much further. I was surprised, that even the new version (1.7.4) hasn't resolved that bug. I did find out about this, when "invisible users" start complaining that they can't get PM's and that they cant upload any images or create folders.

So, the bug is in the register.php, and there is a simple solution to resolve this problem.

STEP 1
open your register.php

find:
Code: [Select]
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }

right after the closing } insert:

Code: [Select]
      elseif (preg_match("#[<{}>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
        $error = 1;
      }

save and close.

STEP 2

open /lang/english/main.php

find:

Code: [Select]
$lang['username_exists'] = "User name already exists.";
instert right below:

Code: [Select]
$lang['invalid_symbols'] = "Please use only numbers 0-9 and letters A-Z in your username!.";
save and close.


Thats it, now you get rid of the problem. In this example, we have forbidden only the symbols "<>{}", if you want forbid more symbols just add them between the [.....]

For example, if we want to forbid "$%^&*()" the line would look like this:

Code: [Select]
elseif (preg_match("#[<{}>$%^&*()]#", $user_name))

that's it.
Greetings,

George

Developers, this has to be added in the next version!





Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: mawenzi on January 28, 2007, 05:09:20 PM
... thanks for your solution George ...  :D
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: woody on January 29, 2007, 07:58:06 PM
It`s important and very nice you share your solution with us.
Thanx for..
woody
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: CeJay on January 30, 2007, 12:33:59 AM
thanks!

Maybe this should be moved to "Bug Fixes & Patches"
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: mawenzi on January 30, 2007, 12:41:06 AM
@ CeJay
... you are right ... and it's done .. ;)
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: mawenzi on January 30, 2007, 10:40:56 AM
... in version 1.7.0 this code already works ...
... it seems as if this part of reg_code is lost since version 1.7.1 ...
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: CeJay on February 01, 2007, 07:02:48 AM
I would like this to work with passwords as well so this may be a dumb question, but does this also apply to passwords?
If not how can I make it so it does? Can I add it by putting in 'password' like so:
Code: [Select]
elseif (preg_match("#[<{}>]#", $user_name, $password))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
        $error = 1;
      }

Thanks for any help  :!:
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: trez on February 03, 2007, 07:12:32 PM
well, just try it :D
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: Lucifix on May 26, 2007, 10:32:05 AM
I don't know but wouldn't be more propriet to enter allowed characters?
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: Lucifix on August 22, 2007, 08:38:13 AM
I just found out that some of my member uses unknown characters (like ł, etc) to register.

That's why I'm wondering if there is a way to set allowed characters reather then dissallowed?
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: thunderstrike on August 22, 2007, 08:44:32 AM
Change:

Quote
elseif (preg_match("#[<{}>]#", $user_name, $password))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
        $error = 1;
      }

for:

Quote
elseif (preg_match("#[<{}>ł]#", $user_name, $password))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
        $error = 1;
      }
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: Lucifix on August 22, 2007, 08:51:05 AM
I know that I can add another dissallowed character there, but I'm saying that it would be easier to add allowed characters instead of dissallowed.
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: Lucifix on August 22, 2007, 11:42:58 AM
I would suggest reather to use this code:

Code: [Select]
!preg_match("/^[A-Za-z0-9\\-\\.]+$/", $user_name)
Please correct me if I'm wrong.
Title: Re: [FIX 1.7.X]: Solve the register.php bug ({} bracket problem)
Post by: thunderstrike on August 22, 2007, 04:17:12 PM
Can use:

Quote
preg_match("/[^A-Za-z0-9\-\_]+$/", $user_name)

I use for my gallery. ;)