From d758c117843dec04b061263095baeea7697b05a4 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Sun, 22 Jun 2008 14:04:37 -0400 Subject: disallow nicknames on a blacklist darcs-hash:20080622180437-34904-4b6313f6fd8845232031663c5c2df00dff725183.gz --- actions/finishopenidlogin.php | 8 ++++++++ actions/profilesettings.php | 2 ++ actions/register.php | 2 ++ classes/User.php | 8 ++++++++ config.php.sample | 3 +++ lib/common.php | 4 +++- 6 files changed, 26 insertions(+), 1 deletion(-) diff --git a/actions/finishopenidlogin.php b/actions/finishopenidlogin.php index 27e5057ec..fe9894e52 100644 --- a/actions/finishopenidlogin.php +++ b/actions/finishopenidlogin.php @@ -167,6 +167,11 @@ class FinishopenidloginAction extends Action { $this->show_form(_t('Nickname must have only letters and numbers and no spaces.')); return; } + + if (!User::allowed_nickname($nickname)) { + $this->show_form(_t('Nickname not allowed.')); + return; + } if (User::staticGet('nickname', $nickname)) { $this->show_form(_t('Nickname already in use. Try another one.')); @@ -338,6 +343,9 @@ class FinishopenidloginAction extends Action { 'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) { return false; } + if (!User::allowed_nickname($str)) { + return false; + } if (User::staticGet('nickname', $str)) { return false; } diff --git a/actions/profilesettings.php b/actions/profilesettings.php index 6764ad288..b6e24c729 100644 --- a/actions/profilesettings.php +++ b/actions/profilesettings.php @@ -88,6 +88,8 @@ class ProfilesettingsAction extends SettingsAction { 'format' => VALIDATE_NUM . VALIDATE_ALPHA_LOWER))) { $this->show_form(_t('Nickname must have only letters and numbers and no spaces.')); return; + } else if (!User::allowed_nickname($nickname)) { + $this->show_form(_t('Not a valid nickname.')); } else if (!is_null($homepage) && (strlen($homepage) > 0) && !Validate::uri($homepage, array('allowed_schemes' => array('http', 'https')))) { $this->show_form(_t('Homepage is not a valid URL.')); diff --git a/actions/register.php b/actions/register.php index 31c8fea70..16e80ef17 100644 --- a/actions/register.php +++ b/actions/register.php @@ -57,6 +57,8 @@ class RegisterAction extends Action { $this->show_form(_t('Nickname must have only lowercase letters and numbers and no spaces.')); } else if ($this->nickname_exists($nickname)) { $this->show_form(_t('Nickname already exists.')); + } else if (!User::allowed_nickname($nickname)) { + $this->show_form(_t('Not a valid nickname.')); } else if ($this->email_exists($email)) { $this->show_form(_t('Email address already exists.')); } else if ($password != $confirm) { diff --git a/classes/User.php b/classes/User.php index 0e7fd5447..e735457f9 100644 --- a/classes/User.php +++ b/classes/User.php @@ -83,4 +83,12 @@ class User extends DB_DataObject ' WHERE id = ' . $this->id; return $this->query($qry); } + + function allowed_nickname($nickname) { + # XXX: should already be validated for size, content, etc. + static $blacklist = array('rss', 'xrds', 'doc', 'main', + 'settings', 'notice', 'user'); + $merged = array_merge($blacklist, common_config('nickname', 'blacklist')); + return !in_array($nickname, $merged); + } } diff --git a/config.php.sample b/config.php.sample index bfd1da8ce..8253bdeed 100644 --- a/config.php.sample +++ b/config.php.sample @@ -33,3 +33,6 @@ $config['db']['database'] = 'mysql://laconica:microblog@localhost/laconica'; #session_set_cookie_params(0, '/'. $config['site']['path'] .'/'); +#Standard fancy-url clashes prevented by not allowing nicknames on a blacklist +#Add your own here. Note: empty array by default +#$config['nickname']['blacklist'][] = 'scobleizer'; diff --git a/lib/common.php b/lib/common.php index 83b56dcee..2853c56e3 100644 --- a/lib/common.php +++ b/lib/common.php @@ -54,7 +54,9 @@ $config = 'image' => 'http://i.creativecommons.org/l/by/3.0/88x31.png'), 'mail' => array('backend' => 'mail', - 'params' => NULL) + 'params' => NULL), + 'nickname' => + array('blacklist' => array()) ); $config['db'] = &PEAR::getStaticProperty('DB_DataObject','options'); -- cgit v1.2.3-54-g00ecf