Fossil SCM
For self-registered accounts, increase the minimum userID length to 6 and check both the EVENT and USER tables for conflicting userIDs.
Commit
b13b651da2bbcf94528fba9e7f1e6e89f3547567977de790ba85204e53a9b16c
Parent
0ba1528fa3a5a4e…
1 file changed
+18
-3
+18
-3
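--- a/src/login.c
+++ b/src/login.c
@@ -1444,10 +1444,25 @@
 g.okCsrf = 1;
 return;
 }
 fossil_fatal("Cross-site request forgery attempt");
 }
+
+/*
+** Check to see if the candidate username zUserID is already used.
+** Return 1 if it is already in use. Return 0 if the name is
+** available for a self-registeration.
+*/
+static int login_self_choosen_userid_already_exists(const char *zUserID){
+ int rc = db_exists(
+ "SELECT 1 FROM user WHERE login=%Q "
+ "UNION ALL "
+ "SELECT 1 FROM event WHERE user=%Q OR euser=%Q",
+ zUserID, zUserID, zUserID
+ );
+ return rc;
+}
 
 /*
 ** WEBPAGE: register
 **
 ** Page to allow users to self-register. The "self-register" setting
@@ -1491,13 +1506,13 @@
 /* This is not a valid form submission. Fall through into
 ** the form display */
 }else if( !captcha_is_correct(1) ){
 iErrLine = 6;
 zErr = "Incorrect CAPTCHA";
-}else if( strlen(zUserID)<3 ){
+}else if( strlen(zUserID)<6 ){
 iErrLine = 1;
-zErr = "User ID too short. Must be at least 3 characters.";
+zErr = "User ID too short. Must be at least 6 characters.";
 }else if( sqlite3_strglob("*[^-a-zA-Z0-9_.]*",zUserID)==0 ){
 iErrLine = 1;
 zErr = "User ID may not contain spaces or special characters.";
 }else if( zDName[0]==0 ){
 iErrLine = 2;
@@ -1512,11 +1527,11 @@
 iErrLine = 4;
 zErr = "Password must be at least 6 characters long";
 }else if( fossil_strcmp(zPasswd,zConfirm)!=0 ){
 iErrLine = 5;
 zErr = "Passwords do not match";
-}else if( db_exists("SELECT 1 FROM user WHERE login=%Q", zUserID) ){
+}else if( login_self_choosen_userid_already_exists(zUserID) ){
 iErrLine = 1;
 zErr = "This User ID is already taken. Choose something different.";
 }else if(
 /* If the email is found anywhere in USER.INFO... */
 db_exists("SELECT 1 FROM user WHERE info LIKE '%%%q%%'", zEAddr)
 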
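Review bot: The new `login_self_choosen_userid_already_exists()` compares `login`, `user` and `euser` with plain `=`, so unless those columns carry a NOCASE collation (the schema is not visible here) a case variant of an existing or historical committer name — `DRH` against `drh` — still passes, and the name conflict this commit sets out to block, presumably so a self-registered account cannot be mistaken for an earlier committer on the timeline, stays open one case flip away. Appending `COLLATE nocase` to each of the three comparisons closes it in place: `"SELECT 1 FROM user WHERE login=%Q COLLATE nocase "` / `"SELECT 1 FROM event WHERE user=%Q COLLATE nocase OR euser=%Q COLLATE nocase"`. The identifier and its header comment also carry typos, `choosen` and `self-registeration`, worth fixing before the name gains more callers. The header comment could state why the EVENT table is consulted at all, e.g. `** Names that only appear as committers in EVENT are rejected too, so a new account cannot be confused with a historical one.` The `else if` chain that calls the helper belongs to the register page handler, which starts and ends outside these hunks.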
| --- src/login.c | |
| +++ src/login.c | |
| @@ -1444,10 +1444,25 @@ | |
| 1444 | g.okCsrf = 1; |
| 1445 | return; |
| 1446 | } |
| 1447 | fossil_fatal("Cross-site request forgery attempt"); |
| 1448 | } |
| 1449 | |
| 1450 | /* |
| 1451 | ** WEBPAGE: register |
| 1452 | ** |
| 1453 | ** Page to allow users to self-register. The "self-register" setting |
| @@ -1491,13 +1506,13 @@ | |
| 1491 | /* This is not a valid form submission. Fall through into |
| 1492 | ** the form display */ |
| 1493 | }else if( !captcha_is_correct(1) ){ |
| 1494 | iErrLine = 6; |
| 1495 | zErr = "Incorrect CAPTCHA"; |
| 1496 | }else if( strlen(zUserID)<3 ){ |
| 1497 | iErrLine = 1; |
| 1498 | zErr = "User ID too short. Must be at least 3 characters."; |
| 1499 | }else if( sqlite3_strglob("*[^-a-zA-Z0-9_.]*",zUserID)==0 ){ |
| 1500 | iErrLine = 1; |
| 1501 | zErr = "User ID may not contain spaces or special characters."; |
| 1502 | }else if( zDName[0]==0 ){ |
| 1503 | iErrLine = 2; |
| @@ -1512,11 +1527,11 @@ | |
| 1512 | iErrLine = 4; |
| 1513 | zErr = "Password must be at least 6 characters long"; |
| 1514 | }else if( fossil_strcmp(zPasswd,zConfirm)!=0 ){ |
| 1515 | iErrLine = 5; |
| 1516 | zErr = "Passwords do not match"; |
| 1517 | }else if( db_exists("SELECT 1 FROM user WHERE login=%Q", zUserID) ){ |
| 1518 | iErrLine = 1; |
| 1519 | zErr = "This User ID is already taken. Choose something different."; |
| 1520 | }else if( |
| 1521 | /* If the email is found anywhere in USER.INFO... */ |
| 1522 | db_exists("SELECT 1 FROM user WHERE info LIKE '%%%q%%'", zEAddr) |
| 1523 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -1444,10 +1444,25 @@ | |
| 1444 | g.okCsrf = 1; |
| 1445 | return; |
| 1446 | } |
| 1447 | fossil_fatal("Cross-site request forgery attempt"); |
| 1448 | } |
| 1449 | |
| 1450 | /* |
| 1451 | ** Check to see if the candidate username zUserID is already used. |
| 1452 | ** Return 1 if it is already in use. Return 0 if the name is |
| 1453 | ** available for a self-registeration. |
| 1454 | */ |
| 1455 | static int login_self_choosen_userid_already_exists(const char *zUserID){ |
| 1456 | int rc = db_exists( |
| 1457 | "SELECT 1 FROM user WHERE login=%Q " |
| 1458 | "UNION ALL " |
| 1459 | "SELECT 1 FROM event WHERE user=%Q OR euser=%Q", |
| 1460 | zUserID, zUserID, zUserID |
| 1461 | ); |
| 1462 | return rc; |
| 1463 | } |
| 1464 | |
| 1465 | /* |
| 1466 | ** WEBPAGE: register |
| 1467 | ** |
| 1468 | ** Page to allow users to self-register. The "self-register" setting |
| @@ -1491,13 +1506,13 @@ | |
| 1506 | /* This is not a valid form submission. Fall through into |
| 1507 | ** the form display */ |
| 1508 | }else if( !captcha_is_correct(1) ){ |
| 1509 | iErrLine = 6; |
| 1510 | zErr = "Incorrect CAPTCHA"; |
| 1511 | }else if( strlen(zUserID)<6 ){ |
| 1512 | iErrLine = 1; |
| 1513 | zErr = "User ID too short. Must be at least 6 characters."; |
| 1514 | }else if( sqlite3_strglob("*[^-a-zA-Z0-9_.]*",zUserID)==0 ){ |
| 1515 | iErrLine = 1; |
| 1516 | zErr = "User ID may not contain spaces or special characters."; |
| 1517 | }else if( zDName[0]==0 ){ |
| 1518 | iErrLine = 2; |
| @@ -1512,11 +1527,11 @@ | |
| 1527 | iErrLine = 4; |
| 1528 | zErr = "Password must be at least 6 characters long"; |
| 1529 | }else if( fossil_strcmp(zPasswd,zConfirm)!=0 ){ |
| 1530 | iErrLine = 5; |
| 1531 | zErr = "Passwords do not match"; |
| 1532 | }else if( login_self_choosen_userid_already_exists(zUserID) ){ |
| 1533 | iErrLine = 1; |
| 1534 | zErr = "This User ID is already taken. Choose something different."; |
| 1535 | }else if( |
| 1536 | /* If the email is found anywhere in USER.INFO... */ |
| 1537 | db_exists("SELECT 1 FROM user WHERE info LIKE '%%%q%%'", zEAddr) |
| 1538 |