From f3024402978b79b0e6e2b8cc2549e0ec6df5021d Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Mon, 24 May 2021 17:08:28 +0200
Subject: [PATCH 1/2] [ticket/security/254] Disallow whitespace characters that might be invisible
SECURITY-254
---
 phpBB/includes/functions_user.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index a820600eb5..8cfad36773 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1752,7 +1752,8 @@ function validate_username($username, $allowed_username = false, $allow_all_name
 }
 // ... fast checks first.
- if (strpos($username, '"') !== false || strpos($username, '"') !== false || empty($clean_username))
+ if (strpos($username, '"') !== false || strpos($username, '"') !== false || empty($clean_username)
+ || preg_match('/[\x{180E}\x{2005}-\x{200D}\x{202F}\x{205F}\x{2060}\x{FEFF}]/u', $username))
 {
 return 'INVALID_CHARS';
 }
From b82d90eb39f0b787a0e8a05237547702740bd7c8 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Mon, 24 May 2021 20:42:25 +0200
Subject: [PATCH 2/2] [ticket/security/254] Add tests for validation
SECURITY-254
---
 tests/functions/validate_username_test.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/tests/functions/validate_username_test.php b/tests/functions/validate_username_test.php
index 2ff8bb4e46..fc52f91347 100644
--- a/tests/functions/validate_username_test.php
+++ b/tests/functions/validate_username_test.php
@@ -51,6 +51,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_ALPHA_ONLY', array(
 'foobar_allow' => array(),
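Review bot: The added `preg_match` on the new `if` line is a fixed denylist of eight code points, so other zero-width or format characters that render blank are still accepted — U+200E/U+200F (LRM/RLM), the U+202A–U+202E bidi controls, U+2061–U+2064 invisible operators, U+00AD soft hyphen, U+061C, and the Hangul fillers U+115F/U+1160/U+3164. A Unicode category class covers the format characters as a group while keeping the explicit entries for the Zs spaces and the non-Cf fillers: `|| preg_match('/[\p{Cf}\x{180E}\x{2005}-\x{200D}\x{202F}\x{205F}\x{2060}\x{FEFF}\x{115F}\x{1160}\x{3164}]/u', $username))`. Since invisibility is font-dependent, a comment stating the intent would help the next maintainer extend the list, e.g. `// Reject zero-width/format and exotic space characters that let a name visually impersonate another (SECURITY-254)`. Note also that with the `u` modifier preg_match returns false on a malformed UTF-8 subject, which this `||` chain treats as "no match"; if $username is not guaranteed valid UTF-8 by the time it reaches this function (not visible in the hunk), a `=== false` result should also fall through to `INVALID_CHARS`. validate_username begins and ends outside the hunk.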
@@ -65,6 +66,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('INVALID_CHARS'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_ALPHA_SPACERS', array(
 'foobar_allow' => array(),
@@ -79,6 +81,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_LETTER_NUM', array(
 'foobar_allow' => array(),
@@ -93,6 +96,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('INVALID_CHARS'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_LETTER_NUM_SPACERS', array(
 'foobar_allow' => array(),
@@ -107,6 +111,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_ASCII', array(
 'foobar_allow' => array(),
@@ -121,6 +126,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 );
 }
@@ -201,6 +207,11 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'foobar_group',
 array('username'),
 ),
+ 'a d m i n i ᠎strator' => array(
+ $expected['a d m i n i ᠎strator'],
+ 'a d m i n i ᠎strator',
+ array('username'),
+ ),
 ));
 }
 }
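Review bot: The new data-provider entry exercises only U+180E, so the other code points the validator now rejects (U+2005–U+200D, U+202F, U+205F, U+2060, U+FEFF) have no coverage and a typo in that range would still pass the suite. The U+180E is embedded raw inside the literal `'a d m i n i ᠎strator'`, where it is indistinguishable from an ordinary space in most editors and is exactly the kind of character that formatters and IDEs silently normalize away; spell it with an escape, e.g. `'a d m i n i ' . "\u{180E}" . 'strator'` (PHP 7+), and generate one dataset per code point from a short list rather than repeating the literal in six places. A positive case would also guard against over-rejection: a name containing a plain ASCII space under a spacer-permitting type such as USERNAME_ALPHA_SPACERS should not come back as INVALID_CHARS, if that type indeed allows spaces (not visible here). The enclosing data provider starts outside the hunk.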