diff --git a/GameEngine/Account.php b/GameEngine/Account.php
index 3a6960d2..c2b33f1e 100755
--- a/GameEngine/Account.php
+++ b/GameEngine/Account.php
@@ -77,9 +77,17 @@ class Account {
 } else {
 if (strlen($_POST['name']) < USRNM_MIN_LENGTH) {
 $form->addError("name", USRNM_SHORT);
+ } elseif (strlen($_POST['name']) > (defined('USRNM_MAX_LENGTH') ? USRNM_MAX_LENGTH : 15)) {
+ // Hard upper bound on the username length (issue #184).
+ $form->addError("name", USRNM_CHAR);
 } elseif (!USRNM_SPECIAL && preg_match('/[^0-9A-Za-z]/', $_POST['name'])) {
 $form->addError("name", USRNM_CHAR);
- } elseif (USRNM_SPECIAL && preg_match("/[:,\\. \\n\\r\\t\\s\\<\\>]+/", $_POST['name'])) {
+ } elseif (USRNM_SPECIAL && !preg_match('/^[A-Za-z0-9._-]+(?: [A-Za-z0-9._-]+)*$/D', $_POST['name'])) {
+ // SECURITY (issue #184): positive ASCII allowlist instead of the old
+ // negative filter. Allows letters, digits, . _ - and single internal
+ // spaces only (no leading/trailing/double spaces, no trailing newline).
+ // Blocks & = ' " < > ; ( ) and ALL multibyte/emoji input, which were
+ // previously accepted and led to stored XSS / display corruption.
 $form->addError("name", USRNM_CHAR);
 } elseif (strtolower($_POST['name']) === 'natars') {
 $form->addError("name", USRNM_TAKEN);
diff --git a/anmelden.php b/anmelden.php
index 2f9f0470..1a118d75 100644
--- a/anmelden.php
+++ b/anmelden.php
@@ -61,28 +61,28 @@ if(REG_OPEN == true){ ?>
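Review bot: The new length branch at the top of the Account.php hunk reports an over-long name with USRNM_CHAR, the same message the two character-class checks use, so a user who typed sixteen plain letters is told the characters are invalid rather than that the name is too long; a length-specific message constant defined next to USRNM_SHORT would be clearer, and the literal `15` fallback in `defined('USRNM_MAX_LENGTH') ? USRNM_MAX_LENGTH : 15` belongs in the config alongside USRNM_MIN_LENGTH rather than hidden in the condition. The stricter allowlist only governs names registered from now on; since the added comment states that names containing `< > ' "` were previously accepted and led to stored XSS, the rows already stored under the old filter still need a one-off audit, and the places that render a name still need `htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so the fix does not rest on input validation alone. The enclosing method starts before the hunk and continues after it.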