Closed paulocmguerreiro closed 10 years ago
If by userID you mean username, it's a valid check, and it's a good idea to have a regex do all that work. -A
Notice: This message is digitally signed; its source and integrity are verifiable. If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com
On Oct 22, 2013, at 6:29 PM, Paulo Guerreiro notifications@github.com wrote:
Added control over userID definition to prevent the userID: …
-cannot be null
-cannot be empty
-Length should be between User::$minUserIDNChars and User::$maxUserIDNChars
-Only Letters and numbers allowed
Throws a UserIDInvalid exception otherwise
You can merge this Pull Request by running:
git pull https://github.com/paulocmguerreiro/phpsec master
Or view, comment on, or merge it at:
https://github.com/OWASP/phpsec/pull/73
Commit Summary
Added control over userID definition to prevent the userID:
File Changes
M libs/auth/user.php (33)
M libs/auth/usermanagement.php (1)
M test/libs/auth/UserTest.php (35)
Patch Links:
https://github.com/OWASP/phpsec/pull/73.patch
https://github.com/OWASP/phpsec/pull/73.diff
Thanks, the credit for this issue goes to Rahul; he had it reported in his project.
Hey Paulo, as Minhaz pointed out, these things are also allowable in userID: _ (underscore), . (dot), @ (at sign). Basically an emailID can be a userID. So, anything that is allowed in emails can be present in userID. So you need to modify your code and make a pull request both in phpsec as well as rnj.
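To make the reviewer's rule concrete, the following is an added example, not code from OWASP/phpsec, from rnj or from this pull request: a stand-alone validator that rejects null and empty values, enforces the length bounds, and runs the PR's letters-and-digits-only pattern side by side with a pattern that also admits the underscore, dot and @ an e-mail address may contain. The class name UserIDValidator, the bound values 3 and 64 and the sample inputs are assumptions made for this example; only the property names, the exception name and the rule set come from the thread.

```php
<?php
// Added illustrative example; not OWASP/phpsec code. The property and
// exception names mirror those discussed in the PR (User::$minUserIDNChars,
// User::$maxUserIDNChars, UserIDInvalid) but everything here is defined
// stand-alone so the file runs on its own.

class UserIDInvalid extends Exception {}

class UserIDValidator
{
    // Assumed bounds for the example; the project keeps these on its User class.
    public static $minUserIDNChars = 3;
    public static $maxUserIDNChars = 64;

    // Rule as originally proposed in the PR: letters and digits only.
    const PATTERN_ALNUM = '/^[A-Za-z0-9]+$/';

    // Rule after review: also allow the characters an e-mail address may
    // contain. Inside a character class '_', '.' and '@' are literal, so no
    // escaping is needed. Anchors (^ and $) keep the whole string in scope.
    const PATTERN_EMAIL_LIKE = '/^[A-Za-z0-9_.@]+$/';

    /**
     * Returns the userID unchanged when it passes every check, otherwise
     * throws UserIDInvalid with a message naming the failed rule.
     */
    public static function validate($userID, $pattern = self::PATTERN_EMAIL_LIKE)
    {
        // null (and any non-string) is rejected before a string function sees it.
        if (!is_string($userID)) {
            throw new UserIDInvalid('userID must be a non-null string');
        }
        if ($userID === '') {
            throw new UserIDInvalid('userID cannot be empty');
        }
        // strlen counts bytes; both patterns are ASCII-only, so bytes == characters
        // for any value that will pass the pattern check below.
        $len = strlen($userID);
        if ($len < self::$minUserIDNChars || $len > self::$maxUserIDNChars) {
            throw new UserIDInvalid(sprintf(
                'userID length must be between %d and %d characters',
                self::$minUserIDNChars,
                self::$maxUserIDNChars
            ));
        }
        // preg_match returns 1 on match, 0 on no match and false on error,
        // so compare strictly against 1 rather than relying on truthiness.
        if (preg_match($pattern, $userID) !== 1) {
            throw new UserIDInvalid('userID contains disallowed characters');
        }
        return $userID;
    }
}

// Constructed sample inputs chosen to show where the two rules disagree.
$samples = array(
    'alice42',               // accepted by both
    'jane.doe@example.com',  // rejected by alnum, accepted by email-like
    'bob_smith',             // rejected by alnum, accepted by email-like
    '',                      // empty
    null,                    // null
    'x',                     // too short
    str_repeat('a', 65),     // too long
    'eve;drop',              // ';' is allowed by neither rule
);
$rules = array(
    'alnum'      => UserIDValidator::PATTERN_ALNUM,
    'email-like' => UserIDValidator::PATTERN_EMAIL_LIKE,
);

foreach ($samples as $sample) {
    foreach ($rules as $name => $pattern) {
        try {
            UserIDValidator::validate($sample, $pattern);
            $result = 'accepted';
        } catch (UserIDInvalid $e) {
            $result = 'rejected: ' . $e->getMessage();
        }
        printf("%-10s %-26s %s\n", $name, var_export($sample, true), $result);
    }
}
```

Run with `php validator.php`; the two middle samples are the ones that flip from rejected to accepted once the pattern is widened, while the null, empty, length and `;` cases fail under both rules.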