diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-08-05 23:52:03 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-08-06 00:00:33 +0200 |
commit | 237a4570e2a2bbfd39520886f56c5240e6ed4bec (patch) | |
tree | bdba5a5fd0f92d7e0ea9e57d8066f5b81bafe3d3 /web/lib | |
parent | 13693fbdbc9c6625c627d3364cd00949461a61c6 (diff) |
Add PCRE_DOLLAR_ENDONLY to preg_match()
When using preg_match() to check for a match that starts at the
beginning of the string and ends at the last character of the string, we
do not want to allow an additional newline character to sneak in.
Amongst other potential loopholes, adding the PCRE_DOLLAR_ENDONLY
modifier prevents users from registering with user names that end with a
newline character.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib')
-rw-r--r-- | web/lib/acctfuncs.inc.php | 2 | ||||
-rw-r--r-- | web/lib/pkgreqfuncs.inc.php | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 254f0e2..e3ff494 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -544,7 +544,7 @@ function valid_username($user) { if (strlen($user) < USERNAME_MIN_LEN || strlen($user) > USERNAME_MAX_LEN) { return false; - } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/i", $user)) { + } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/Di", $user)) { return false; } diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php index 5924959..98fb0cb 100644 --- a/web/lib/pkgreqfuncs.inc.php +++ b/web/lib/pkgreqfuncs.inc.php @@ -91,7 +91,7 @@ function pkgreq_file($ids, $type, $merge_into, $comments) { global $AUR_REQUEST_ML; global $AUTO_ORPHAN_AGE; - if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) { + if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) { return array(false, __("Invalid name: only lowercase letters are allowed.")); } |