- introducing clean usernames, needs to be tested more, I'm not sure I didn't miss anything
- homograph list should probably be extended git-svn-id: file:///svn/phpbb/trunk@6494 89ea8834-ac86-4346-8a33-228a782c2dd0
@@ -714,7 +714,7 @@ class auth
|
||||
|
||||
$sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE LOWER(username) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
|
||||
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
@@ -141,7 +141,7 @@ function autologin_apache()
|
||||
|
||||
$sql = 'SELECT *
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
|
||||
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($php_auth_user)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
@@ -178,7 +178,7 @@ function user_row_apache($username, $password)
|
||||
// generate user account data
|
||||
return array(
|
||||
'username' => $username,
|
||||
'user_password' => $password,
|
||||
'user_password' => md5($password),
|
||||
'user_email' => '',
|
||||
'group_id' => (int) $row['group_id'],
|
||||
'user_type' => USER_NORMAL,
|
||||
|
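Review bot: The new `'user_password' => md5($password)` in user_row_apache stores an unsalted, fast hash of the externally authenticated password, and the login_ldap hunk below (`$ldap_user_row`) does the same. Unsalted MD5 is a poor password store: equal passwords yield equal hashes and the digest is cheap to attack offline, so if the project has a dedicated password-hashing routine that login_db verifies against it should be used here, or at least a salted hash; if the local password is never checked for apache/LDAP users, leaving the column empty is the safer choice. The array being returned starts before the hunk and continues past it.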
@@ -22,7 +22,7 @@ function login_db(&$username, &$password)
|
||||
|
||||
$sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE username = '" . $db->sql_escape($username) . "'";
|
||||
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
@@ -114,7 +114,7 @@ function login_ldap(&$username, &$password)
|
||||
|
||||
$sql ='SELECT user_id, username, user_password, user_passchg, user_email, user_type
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE username = '" . $db->sql_escape($username) . "'";
|
||||
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
@@ -159,7 +159,7 @@ function login_ldap(&$username, &$password)
|
||||
// generate user account data
|
||||
$ldap_user_row = array(
|
||||
'username' => $username,
|
||||
'user_password' => $password,
|
||||
'user_password' => md5($password),
|
||||
'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '',
|
||||
'group_id' => (int) $row['group_id'],
|
||||
'user_type' => USER_NORMAL,
|
||||
|
@@ -1830,14 +1830,14 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
|
||||
|
||||
if (isset($_POST['login']))
|
||||
{
|
||||
$username = request_var('username', '');
|
||||
$password = request_var('password', '');
|
||||
$username = request_var('username', '', true);
|
||||
$password = request_var('password', '', true);
|
||||
$autologin = (!empty($_POST['autologin'])) ? true : false;
|
||||
$viewonline = (!empty($_POST['viewonline'])) ? 0 : 1;
|
||||
$admin = ($admin) ? 1 : 0;
|
||||
|
||||
// Check if the supplied username is equal to the one stored within the database if re-authenticating
|
||||
if ($admin && utf8_strtolower($username) != utf8_strtolower($user->data['username']))
|
||||
if ($admin && utf8_clean_string($username) != utf8_clean_string($user->data['username']))
|
||||
{
|
||||
// We log the attempt to use a different username...
|
||||
add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
|
||||
|
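Review bot: The re-authentication guard `if ($admin && utf8_clean_string($username) != utf8_clean_string($user->data['username']))` uses loose inequality, so two numeric-looking names are compared as numbers (`'100' != '1e2'` is false) and the admin check can treat distinct names as equal; the `==` in the validate_username hunk further down has the same weakness. Use strict comparison: `if ($admin && utf8_clean_string($username) !== utf8_clean_string($user->data['username']))`. login_box continues outside the hunk on both sides.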
@@ -34,13 +34,13 @@ function user_get_id_name(&$user_id_ary, &$username_ary)
|
||||
$$which_ary = array($$which_ary);
|
||||
}
|
||||
|
||||
$sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', $$which_ary) : $$which_ary;
|
||||
$sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', $$which_ary) : array_map('utf8_clean_string', $$which_ary);
|
||||
unset($$which_ary);
|
||||
|
||||
$user_id_ary = $username_ary = array();
|
||||
|
||||
// Grab the user id/username records
|
||||
$sql_where = ($which_ary == 'user_id_ary') ? 'user_id' : 'username';
|
||||
$sql_where = ($which_ary == 'user_id_ary') ? 'user_id' : 'username_clean';
|
||||
$sql = 'SELECT user_id, username
|
||||
FROM ' . USERS_TABLE . '
|
||||
WHERE ' . $db->sql_in_set($sql_where, $sql_in);
|
||||
@@ -134,6 +134,7 @@ function user_add($user_row, $cp_data = false)
|
||||
|
||||
$sql_ary = array(
|
||||
'username' => $user_row['username'],
|
||||
'username_clean' => utf8_clean_string($user_row['username']),
|
||||
'user_password' => (isset($user_row['user_password'])) ? $user_row['user_password'] : '',
|
||||
'user_email' => $user_row['user_email'],
|
||||
'user_email_hash' => (int) crc32(strtolower($user_row['user_email'])) . strlen($user_row['user_email']),
|
||||
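Review bot: The new `'username_clean' => utf8_clean_string($user_row['username'])` entry carries no comment explaining the column, although the other hunks make it the key for every name lookup, uniqueness check and ban. A one-line comment would help the next maintainer keep the two columns in sync: `// username_clean: case-folded, NFC-normalised, homograph-mapped form of username; all lookups by name use it`. Presumably any path that renames a user must recompute this value too; those paths are not in this commit and are worth checking. user_add continues outside the hunk.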
@@ -594,7 +595,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
|
||||
$username = trim($username);
|
||||
if ($username != '')
|
||||
{
|
||||
$sql_usernames[] = utf8_strtolower($username);
|
||||
$sql_usernames[] = utf8_clean_string($username);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -606,7 +607,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
|
||||
|
||||
$sql = 'SELECT user_id
|
||||
FROM ' . USERS_TABLE . '
|
||||
WHERE ' . $db->sql_in_set('LOWER(username)', $sql_usernames);
|
||||
WHERE ' . $db->sql_in_set('username_clean', $sql_usernames);
|
||||
|
||||
// Do not allow banning yourself
|
||||
if (sizeof($founder))
|
||||
@@ -1112,7 +1113,7 @@ function validate_username($username)
|
||||
{
|
||||
global $config, $db, $user;
|
||||
|
||||
if (utf8_strtolower($user->data['username']) == utf8_strtolower($username))
|
||||
if (utf8_clean_string($user->data['username']) == utf8_clean_string($username))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
@@ -1124,7 +1125,7 @@ function validate_username($username)
|
||||
|
||||
$sql = 'SELECT username
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE LOWER(username) = '" . utf8_strtolower($db->sql_escape($username)) . "'";
|
||||
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
@@ -1136,7 +1137,7 @@ function validate_username($username)
|
||||
|
||||
$sql = 'SELECT group_name
|
||||
FROM ' . GROUPS_TABLE . "
|
||||
WHERE LOWER(group_name) = '" . utf8_strtolower($db->sql_escape($username)) . "'";
|
||||
WHERE LOWER(group_name) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
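Review bot: The group-name collision check in validate_username still compares `LOWER(group_name)` with `utf8_strtolower($username)`, while every username comparison in this commit now goes through utf8_clean_string, so a name that is only a homograph variant of a group name passes this check even though usernames are now considered equal under that mapping. The fix to the escaping order (fold first, then `$db->sql_escape`) is correct. If groups have no clean column, consider comparing the fetched group names against `utf8_clean_string($username)` in PHP, or at least document the gap with a comment. validate_username continues outside the hunk.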
@@ -246,7 +246,7 @@ function mcp_post_details($id, $mode, $action)
|
||||
while ($row = $db->sql_fetchrow($result))
|
||||
{
|
||||
$users_ary[$row['user_id']]['username'] = $row['username'];
|
||||
$usernames_ary[utf8_strtolower($row['username'])] = $users_ary[$row['user_id']];
|
||||
$usernames_ary[utf8_sclean_string($row['username'])] = $users_ary[$row['user_id']];
|
||||
}
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
|
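Review bot: `$usernames_ary[utf8_sclean_string($row['username'])]` calls a function that does not exist; the helper introduced in this commit is utf8_clean_string, so mcp_post_details will fail with an undefined-function error the first time this loop runs. Change the line to `$usernames_ary[utf8_clean_string($row['username'])] = $users_ary[$row['user_id']];`. The enclosing function starts before the hunk.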
@@ -91,7 +91,7 @@ class fulltext_native extends search_backend
|
||||
}
|
||||
|
||||
$open_bracket = $space = false;
|
||||
for ($i = 0, $n = utf8_strlen($keywords); $i < $n; $i++)
|
||||
for ($i = 0, $n = $keywords; $i < $n; $i++)
|
||||
{
|
||||
if ($open_bracket !== false)
|
||||
{
|
||||
|
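Review bot: `for ($i = 0, $n = $keywords; $i < $n; $i++)` assigns the keyword string itself to `$n` rather than its length, so the loop bound is now an int-to-string comparison instead of the character count; this looks like an accidental edit, since nothing else in the commit touches the search backend. If the aim was to drop utf8_strlen, the replacement must still be a length, e.g. `for ($i = 0, $n = strlen($keywords); $i < $n; $i++)` when the body indexes bytes, or the original `utf8_strlen($keywords)` if it indexes characters; the loop body runs past the hunk so I cannot tell which. The enclosing method starts before the hunk.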
@@ -653,7 +653,7 @@ function define_cond_option($hardcoded, $cond_option, $rule_option, $global_rule
|
||||
{
|
||||
$sql = 'SELECT user_id
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE LOWER(username) = '" . $db->sql_escape(utf8_strtolower($rule_string)) . "'";
|
||||
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($rule_string)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$rule_user_id = (int) $db->sql_fetchfield('user_id');
|
||||
$db->sql_freeresult($result);
|
||||
|
@@ -31,7 +31,7 @@ class ucp_remind
|
||||
$sql = 'SELECT user_id, username, user_email, user_jabber, user_notify_type, user_type, user_lang
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE user_email = '" . $db->sql_escape($email) . "'
|
||||
AND LOWER(username) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
|
||||
AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$user_row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
@@ -31,7 +31,7 @@ class ucp_resend
|
||||
$sql = 'SELECT user_id, group_id, username, user_email, user_type, user_lang, user_actkey
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE user_email = '" . $db->sql_escape($email) . "'
|
||||
AND LOWER(username) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
|
||||
AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$user_row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
@@ -42,7 +42,7 @@ class ucp_zebra
|
||||
|
||||
if ($data['add'])
|
||||
{
|
||||
$data['add'] = array_map('trim', array_map('utf8_strtolower', explode("\n", $data['add'])));
|
||||
$data['add'] = array_map('trim', array_map('utf8_clean_string', explode("\n", $data['add'])));
|
||||
|
||||
// Do these name/s exist on a list already? If so, ignore ... we could be
|
||||
// 'nice' and automatically handle names added to one list present on
|
||||
@@ -59,11 +59,11 @@ class ucp_zebra
|
||||
{
|
||||
if ($row['friend'])
|
||||
{
|
||||
$friends[] = utf8_strtolower($row['username']);
|
||||
$friends[] = utf8_clean_string($row['username']);
|
||||
}
|
||||
else
|
||||
{
|
||||
$foes[] = utf8_strtolower($row['username']);
|
||||
$foes[] = utf8_clean_string($row['username']);
|
||||
}
|
||||
}
|
||||
$db->sql_freeresult($result);
|
||||
@@ -88,7 +88,7 @@ class ucp_zebra
|
||||
|
||||
// remove the user himself from the username array
|
||||
$n = sizeof($data['add']);
|
||||
$data['add'] = array_diff($data['add'], array(utf8_strtolower($user->data['username'])));
|
||||
$data['add'] = array_diff($data['add'], array(utf8_clean_string($user->data['username'])));
|
||||
|
||||
if (sizeof($data['add']) < $n)
|
||||
{
|
||||
@@ -101,7 +101,7 @@ class ucp_zebra
|
||||
{
|
||||
$sql = 'SELECT user_id, user_type
|
||||
FROM ' . USERS_TABLE . '
|
||||
WHERE ' . $db->sql_in_set('LOWER(username)', $data['add']) . '
|
||||
WHERE ' . $db->sql_in_set('username_clean', $data['add']) . '
|
||||
AND user_type <> ' . USER_INACTIVE;
|
||||
$result = $db->sql_query($sql);
|
||||
|
||||
|
@@ -928,4 +928,39 @@ function utf8_case_fold($text, $option = 'full')
|
||||
return $text;
|
||||
}
|
||||
|
||||
function utf8_clean_string($text)
|
||||
{
|
||||
$text = utf8_case_fold($text);
|
||||
|
||||
if (!class_exists('utf_normalizer'))
|
||||
{
|
||||
global $phpbb_root_path, $phpEx;
|
||||
include($phpbb_root_path . 'includes/utf/utf_normalizer.' . $phpEx);
|
||||
}
|
||||
|
||||
$text = utf_normalizer::nfc($text);
|
||||
|
||||
static $homographs = array(
|
||||
// cyrllic
|
||||
"\xD0\xB0" => "\x61",
|
||||
"\xD0\xB5" => "\x65",
|
||||
"\xD0\xBE" => "\x6F",
|
||||
"\xD1\x80" => "\x70",
|
||||
"\xD1\x81" => "\x63",
|
||||
"\xD1\x83" => "\x79",
|
||||
"\xD1\x85" => "\x78",
|
||||
"\xD1\x95" => "\x73",
|
||||
"\xD1\x96" => "\x69",
|
||||
"\xD1\x98" => "\x6A",
|
||||
"\xD2\xBB" => "\x68",
|
||||
// greek
|
||||
"\xCE\xB1" => "\x61",
|
||||
"\xCE\xBF" => "\x6F",
|
||||
);
|
||||
|
||||
$text = strtr($text, $homographs);
|
||||
|
||||
return $text;
|
||||
}
|
||||
|
||||
?>
|
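Review bot: utf8_clean_string has no doc comment although it now defines the canonical form behind every username lookup and uniqueness check in this commit, and the comment on the mapping table misspells Cyrillic as `cyrllic`. I would add a docblock above the function stating that it case-folds, NFC-normalises and then maps a fixed list of lowercase Cyrillic and Greek look-alike letters to their Latin counterparts, and that the result is what user_add stores in username_clean. Because stored values depend on this table, extending the homograph list (as the commit message plans) presumably requires recomputing username_clean for existing rows, which the docblock should say. A short comment on `static $homographs` noting that it is consulted after folding, so only lowercase forms need listing, would also help.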