From 2c65e17c2463811f8de431fcdfe85ea8f95ef3aa Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 30 Oct 2019 14:36:58 +0000
Subject: [PATCH] people: Tighten regex pattern whenever UIDs are being used

This also adds a missing hyphen which was not allowed in some places where we were dealing with UIDs.

Signed-off-by: Michael Tremer
---
 src/backend/accounts.py | 2 +-
 src/templates/auth/register.html | 2 +-
 src/web/__init__.py | 16 ++++++++--------
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/backend/accounts.py b/src/backend/accounts.py
index a24c87aa..7cd4d726 100644
--- a/src/backend/accounts.py
+++ b/src/backend/accounts.py
@@ -132,7 +132,7 @@ class Accounts(Object):
 return False
 # https://unix.stackexchange.com/questions/157426/what-is-the-regex-to-validate-linux-users
- m = re.match(r"^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$", uid)
+ m = re.match(r"^[a-z_][a-z0-9_-]{0,31}$", uid)
 if m:
 return True
diff --git a/src/templates/auth/register.html b/src/templates/auth/register.html
index 80966242..af817fca 100644
--- a/src/templates/auth/register.html
+++ b/src/templates/auth/register.html
@@ -23,7 +23,7 @@
+ pattern="[a-z_][a-z0-9_-]{0,31}">
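Review bot: In the src/backend/accounts.py hunk, the new `re.match(r"^[a-z_][a-z0-9_-]{0,31}$", uid)` still accepts a UID that ends in a single newline, because `$` in Python also matches just before a final `\n`. This looks like the server-side UID validity check, so it should be anchored strictly: `m = re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", uid)`, or end the pattern with `\Z`. The enclosing method starts and ends outside the hunk, so whether `uid` is stripped or normalised before this line is not visible here.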
{{ _("This username is invalid. Please choose a user name in UNIX format starting with a letter, followed by ASCII characters and digits only.") }}
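Review bot: The help text kept as context after the changed `pattern` attribute does not describe what the field accepts: it says a letter followed by "ASCII characters and digits only", while `[a-z_][a-z0-9_-]{0,31}` also allows a leading underscore and hyphens, and caps the name at 32 characters. Consider rewording the translated string to name lowercase letters, digits, `_` and `-` and the length limit, so a rejected user can tell why. The `pattern` attribute is only a browser-side hint, so the server-side UID check remains the control that has to reject bad input. Most of this hunk's markup is not visible here.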
diff --git a/src/web/__init__.py b/src/web/__init__.py
index c5527166..d1712816 100644
--- a/src/web/__init__.py
+++ b/src/web/__init__.py
@@ -269,20 +269,20 @@ class Application(tornado.web.Application):
 # people.ipfire.org
 self.add_handlers(r"people(\.dev)?\.ipfire\.org", [
 (r"/", people.IndexHandler),
- (r"/activate/(\w+)/(\w+)", auth.ActivateHandler),
+ (r"/activate/([a-z_][a-z0-9_-]{0,31})/(\w+)", auth.ActivateHandler),
 (r"/conferences", people.ConferencesHandler),
 (r"/groups", people.GroupsHandler),
 (r"/groups/(\w+)", people.GroupHandler),
 (r"/register", auth.RegisterHandler),
 (r"/search", people.SearchHandler),
 (r"/users", people.UsersHandler),
- (r"/users/(\w+)", people.UserHandler),
- (r"/users/(\w+)\.jpg", people.AvatarHandler),
- (r"/users/(\w+)/calls/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", people.CallHandler),
- (r"/users/(\w+)/calls(?:/(\d{4}-\d{2}-\d{2}))?", people.CallsHandler),
- (r"/users/(\w+)/edit", people.UserEditHandler),
- (r"/users/(\w+)/passwd", people.UserPasswdHandler),
- (r"/users/(\w+)/sip", people.SIPHandler),
+ (r"/users/([a-z_][a-z0-9_-]{0,31})", people.UserHandler),
+ (r"/users/([a-z_][a-z0-9_-]{0,31})\.jpg", people.AvatarHandler),
+ (r"/users/([a-z_][a-z0-9_-]{0,31})/calls/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", people.CallHandler),
+ (r"/users/([a-z_][a-z0-9_-]{0,31})/calls(?:/(\d{4}-\d{2}-\d{2}))?", people.CallsHandler),
+ (r"/users/([a-z_][a-z0-9_-]{0,31})/edit", people.UserEditHandler),
+ (r"/users/([a-z_][a-z0-9_-]{0,31})/passwd", people.UserPasswdHandler),
+ (r"/users/([a-z_][a-z0-9_-]{0,31})/sip", people.SIPHandler),
 # Single-Sign-On for Discourse
 (r"/sso/discourse", people.SSODiscourse),
--
2.39.2
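Review bot: The UID pattern `[a-z_][a-z0-9_-]{0,31}` is now pasted into eight route strings in this hunk, on top of the copies in accounts.py and register.html, so the next change to the UID rules has to find every copy, which is the kind of drift this commit is correcting. Define it once, e.g. `UID_PATTERN = r"[a-z_][a-z0-9_-]{0,31}"`, and build the routes from it: `(r"/users/(%s)/edit" % UID_PATTERN, people.UserEditHandler),`. Route matching only narrows what reaches a handler; the handlers are outside this hunk, so it is worth confirming they still look the account up and enforce authorisation rather than relying on the captured UID. `/groups/(\w+)` stays on `\w+`, which is presumably intended if group names follow different rules.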