author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-08-05 23:52:03 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-08-06 00:00:33 +0200 |
commit | 237a4570e2a2bbfd39520886f56c5240e6ed4bec (patch) | |
tree | bdba5a5fd0f92d7e0ea9e57d8066f5b81bafe3d3 | |
parent | 13693fbdbc9c6625c627d3364cd00949461a61c6 (diff) | |
download | aurweb-237a4570e2a2bbfd39520886f56c5240e6ed4bec.tar.xz |
Add PCRE_DOLLAR_ENDONLY to preg_match()
When using preg_match() to check for a match that starts at the
beginning of the string and ends at the last character of the string, we
do not want to allow an additional newline character to sneak in.
Amongst other potential loopholes, adding the PCRE_DOLLAR_ENDONLY
modifier prevents users from registering with user names that end with a
newline character.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/html/pkgsubmit.php | 4 | ||||
-rw-r--r-- | web/lib/acctfuncs.inc.php | 2 | ||||
-rw-r--r-- | web/lib/pkgreqfuncs.inc.php | 2 |
3 files changed, 4 insertions, 4 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 7d89425..8a48df2 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -193,7 +193,7 @@ if ($uid):
 /* Validate package base name. */
 if (!$error) {
 $pkgbase_name = $pkgbase_info['pkgbase'];
- if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkgbase_name)) {
+ if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkgbase_name)) {
 $error = __("Invalid name: only lowercase letters are allowed.");
 }
@@ -209,7 +209,7 @@ if ($uid):
 /* Validate package names. */
 $pkg_name = $pi['pkgname'];
- if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkg_name)) {
+ if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkg_name)) {
 $error = __("Invalid name: only lowercase letters are allowed.");
 break;
 }
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 254f0e2..e3ff494 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -544,7 +544,7 @@ function valid_username($user) {
 if (strlen($user) < USERNAME_MIN_LEN || strlen($user) > USERNAME_MAX_LEN) {
 return false;
- } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/i", $user)) {
+ } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/Di", $user)) {
 return false;
 }
diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php
index 5924959..98fb0cb 100644
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
@@ -91,7 +91,7 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 global $AUR_REQUEST_ML;
 global $AUTO_ORPHAN_AGE;
- if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) {
+ if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {
 return array(false, __("Invalid name: only lowercase letters are allowed."));
 } |
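Review bot: The same package-name pattern is now maintained in three separate copies — both pkgsubmit.php hunks and the pkgreqfuncs.inc.php hunk — and the new `D` modifier has to be remembered at each of them, with the acctfuncs.inc.php hunk carrying a fourth pattern that depends on the same modifier. Anchoring with `\z` instead of `$` states the end-of-string requirement in the pattern itself and does not rely on a modifier surviving the next copy: `if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*\z/", $pkgbase_name)) {`. Moving the pkgbase/pkgname check into one shared helper in web/lib (for example a `valid_pkgname()` function, name to be chosen) would make any future tightening of the accepted character set a single edit, with a regression check that a name ending in a newline is rejected. The `if ($uid):` block enclosing both pkgsubmit.php hunks starts and ends outside them.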
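Review bot: `!empty($merge_into)` on the new condition in the pkgreqfuncs.inc.php hunk treats the string `"0"` as "no merge target", so a merge request naming a package literally called `0` bypasses this validation branch even though the pattern itself accepts a single digit as a valid name; how the rest of pkgreq_file then handles that value is outside the hunk. An explicit empty-string test expresses the intended guard: `if ($merge_into !== '' && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {`. Whether callers can pass `null` here cannot be told from this hunk; if they can, comparing `(string) $merge_into !== ''` preserves the current behaviour for that case. pkgreq_file's body continues past the hunk.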