Mercurial > prosody-modules
changeset 429:ea6641deec12
mod_register_json: added check for invalid characters in the username.
| author | Marco Cirillo <maranda@lightwitch.org> |
|---|---|
| date | Thu, 15 Sep 2011 03:32:23 +0000 |
| parents | a46c2326eed7 |
| children | f0fafd19fd72 |
| files | mod_register_json/mod_register_json.lua |
| diffstat | 1 files changed, 11 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_register_json/mod_register_json.lua Sun Sep 11 23:30:06 2011 +0200 +++ b/mod_register_json/mod_register_json.lua Thu Sep 15 03:32:23 2011 +0000 @@ -94,9 +94,17 @@ -- We first check if the supplied username for registration is already there. if not usermanager.user_exists(req_body["username"], req_body["host"]) then - usermanager.create_user(req_body["username"], req_body["password"], req_body["host"]); - module:log("debug", "%s registration data submission for %s is successful", user, req_body["username"]); - return http_response(200, "Done."); + -- Sanity checks for the username. + if req_body["username"]:find(" ") or req_body["username"]:find("@") or req_body["username"]:find("<") or + req_body["username"]:find(">") or req_body["username"]:find("\"") or req_body["username"]:find("\'") or + req_body["username"]:find("/") then + module:log("debug", "%s supplied an username containing invalid characters: %s", user, req_body["username"]); + return http_response(406, "Supplied username contains invalid characters, see RFC 6122."); + else + usermanager.create_user(req_body["username"], req_body["password"], req_body["host"]); + module:log("debug", "%s registration data submission for %s is successful", user, req_body["username"]); + return http_response(200, "Done."); + end else module:log("debug", "%s registration data submission for %s failed (user already exists)", user, req_body["username"]); return http_response(409, "User already exists.");