[mantisbt-commits] mantisbt.git branch, master-1.2.x, updated. release-1.2.0rc2-105-g9c0f46d

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

The branch, master-1.2.x has been updated
       via  9c0f46d6e40f769ab421ce0101bd0b7a74bd4ce5 (commit)
      from  868c1d6cbddce42253945d9ee60af6f1d688246f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9c0f46d6e40f769ab421ce0101bd0b7a74bd4ce5
Author: David Hicks <hic...@op...>
Date:   Tue Dec 1 17:39:50 2009 +1100

    Fix #11234: Validate user name and email on account_page.php
    
    manage_user_edit_page.php correctly validates the real name and email
    address of user accounts that are updated by managers/admins. However,
    the user account update page (account_page.php) doesn't perform these
    validation checks, allowing users to set their real name and email
    address to invalid and potentially unsafe strings.

-----------------------------------------------------------------------

Summary of changes:
 account_update.php |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

-----------------------------------------------------------------------

commit 9c0f46d6e40f769ab421ce0101bd0b7a74bd4ce5
Author: David Hicks <hic...@op...>
Date:   Tue Dec 1 17:39:50 2009 +1100

    Fix #11234: Validate user name and email on account_page.php
    
    manage_user_edit_page.php correctly validates the real name and email
    address of user accounts that are updated by managers/admins. However,
    the user account update page (account_page.php) doesn't perform these
    validation checks, allowing users to set their real name and email
    address to invalid and potentially unsafe strings.

diff --git a/account_update.php b/account_update.php
index f19743c..59b4003 100644
--- a/account_update.php
+++ b/account_update.php
@@ -56,6 +56,7 @@
 
 	if ( OFF == config_get( 'use_ldap_email' ) ) {
 		$f_email = email_append_domain( $f_email );
+		email_ensure_valid( $f_email );
 		email_ensure_not_disposable( $f_email );
 
 		if ( $f_email != user_get_email( $t_user_id ) ) {
@@ -68,6 +69,7 @@
     $t_realname = string_normalize( $f_realname );
 	if ( $t_realname != user_get_field( $t_user_id, 'realname' ) ) {
 		# checks for problems with realnames
+		user_ensure_realname_valid( $t_realname );
 		$t_username = user_get_field( $t_user_id, 'username' );
 		user_ensure_realname_unique( $t_username, $t_realname );
 		user_set_realname( $t_user_id, $t_realname );

-----------------------------------------------------------------------


--
Mantis Bug Tracker


