security: harden signup username validation + fix reflected XSS (#184) (#187)

Ferywir
2026-06-09 13:57:56 +02:00
committed by GitHub
parent fabe77e3b8
commit d30bef0a40
3 changed files with 15 additions and 7 deletions
+9 -1
@@ -77,9 +77,17 @@ class Account {
} else {
if (strlen($_POST['name']) < USRNM_MIN_LENGTH) {
$form->addError("name", USRNM_SHORT);
} elseif (strlen($_POST['name']) > (defined('USRNM_MAX_LENGTH') ? USRNM_MAX_LENGTH : 15)) {
// Hard upper bound on the username length (issue #184).
$form->addError("name", USRNM_CHAR);
} elseif (!USRNM_SPECIAL && preg_match('/[^0-9A-Za-z]/', $_POST['name'])) {
$form->addError("name", USRNM_CHAR);
} elseif (USRNM_SPECIAL && preg_match("/[:,\\. \\n\\r\\t\\s\\<\\>]+/", $_POST['name'])) {
} elseif (USRNM_SPECIAL && !preg_match('/^[A-Za-z0-9._-]+(?: [A-Za-z0-9._-]+)*$/D', $_POST['name'])) {
// SECURITY (issue #184): positive ASCII allowlist instead of the old
// negative filter. Allows letters, digits, . _ - and single internal
// spaces only (no leading/trailing/double spaces, no trailing newline).
// Blocks & = ' " < > ; ( ) and ALL multibyte/emoji input, which were
// previously accepted and led to stored XSS / display corruption.
$form->addError("name", USRNM_CHAR);
} elseif (strtolower($_POST['name']) === 'natars') {
$form->addError("name", USRNM_TAKEN);