people: Tighten regex pattern whenever UIDs are being used

author Michael Tremer <michael.tremer@ipfire.org>

Wed, 30 Oct 2019 14:36:58 +0000 (14:36 +0000)

committer Michael Tremer <michael.tremer@ipfire.org>

Wed, 30 Oct 2019 14:36:58 +0000 (14:36 +0000)
author Michael Tremer <michael.tremer@ipfire.org>
Wed, 30 Oct 2019 14:36:58 +0000 (14:36 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Wed, 30 Oct 2019 14:36:58 +0000 (14:36 +0000)
diff --git a/src/backend/accounts.py b/src/backend/accounts.py

index a24c87aa7597562d413ffc7cc2e2091797a4b577..7cd4d726fc6c1a57e9bdde5103c6fd591fd352b0 100644 (file)
--- a/src/backend/accounts.py
+++ b/src/backend/accounts.py
@@ -132,7 +132,7 @@ class Accounts(Object):
                         return False
  
                 # https://unix.stackexchange.com/questions/157426/what-is-the-regex-to-validate-linux-users
-               m = re.match(r"^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$", uid)
+               m = re.match(r"^[a-z_][a-z0-9_-]{0,31}$", uid)
                 if m:
                         return True
  
diff --git a/src/templates/auth/register.html b/src/templates/auth/register.html

index 80966242b6854bf15df949c55f4a9c58db29dd1e..af817fcaa2705bfebb435b6ed8285eeaa006bf0b 100644 (file)
--- a/src/templates/auth/register.html
+++ b/src/templates/auth/register.html
@@ -23,7 +23,7 @@
                                                 </div>
                                                 <input type="text" class="form-control form-control-lg"
                                                         name="uid" placeholder="{{ _("Username") }}" required autofocus
-                                                       pattern="[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)">
+                                                       pattern="[a-z_][a-z0-9_-]{0,31}">
                                                 <div id="uid-invalid" class="invalid-feedback">
                                                         {{ _("This username is invalid. Please choose a user name in UNIX format starting with a letter, followed by ASCII characters and digits only.") }}
                                                 </div>
diff --git a/src/web/__init__.py b/src/web/__init__.py

index c5527166b8ab1982f5a4799ec9376838de1e430e..d1712816083253cc511b216465d2505e7570a868 100644 (file)
--- a/src/web/__init__.py
+++ b/src/web/__init__.py
@@ -269,20 +269,20 @@ class Application(tornado.web.Application):
                 # people.ipfire.org
                 self.add_handlers(r"people(\.dev)?\.ipfire\.org", [
                         (r"/", people.IndexHandler),
-                       (r"/activate/(\w+)/(\w+)", auth.ActivateHandler),
+                       (r"/activate/([a-z_][a-z0-9_-]{0,31})/(\w+)", auth.ActivateHandler),
                         (r"/conferences", people.ConferencesHandler),
                         (r"/groups", people.GroupsHandler),
                         (r"/groups/(\w+)", people.GroupHandler),
                         (r"/register", auth.RegisterHandler),
                         (r"/search", people.SearchHandler),
                         (r"/users", people.UsersHandler),
-                       (r"/users/(\w+)", people.UserHandler),
-                       (r"/users/(\w+)\.jpg", people.AvatarHandler),
-                       (r"/users/(\w+)/calls/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", people.CallHandler),
-                       (r"/users/(\w+)/calls(?:/(\d{4}-\d{2}-\d{2}))?", people.CallsHandler),
-                       (r"/users/(\w+)/edit", people.UserEditHandler),
-                       (r"/users/(\w+)/passwd", people.UserPasswdHandler),
-                       (r"/users/(\w+)/sip", people.SIPHandler),
+                       (r"/users/([a-z_][a-z0-9_-]{0,31})", people.UserHandler),
+                       (r"/users/([a-z_][a-z0-9_-]{0,31})\.jpg", people.AvatarHandler),
+                       (r"/users/([a-z_][a-z0-9_-]{0,31})/calls/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", people.CallHandler),
+                       (r"/users/([a-z_][a-z0-9_-]{0,31})/calls(?:/(\d{4}-\d{2}-\d{2}))?", people.CallsHandler),
+                       (r"/users/([a-z_][a-z0-9_-]{0,31})/edit", people.UserEditHandler),
+                       (r"/users/([a-z_][a-z0-9_-]{0,31})/passwd", people.UserPasswdHandler),
+                       (r"/users/([a-z_][a-z0-9_-]{0,31})/sip", people.SIPHandler),
  
                         # Single-Sign-On for Discourse
                         (r"/sso/discourse", people.SSODiscourse),
author	Michael Tremer <michael.tremer@ipfire.org>
	Wed, 30 Oct 2019 14:36:58 +0000 (14:36 +0000)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Wed, 30 Oct 2019 14:36:58 +0000 (14:36 +0000)
src/backend/accounts.py		patch \| blob \| blame \| history
src/templates/auth/register.html		patch \| blob \| blame \| history
src/web/__init__.py		patch \| blob \| blame \| history