From: <gi...@ma...> - 2009-12-01 06:44:41
The branch, master-1.2.x has been updated via 9c0f46d6e40f769ab421ce0101bd0b7a74bd4ce5 (commit) from 868c1d6cbddce42253945d9ee60af6f1d688246f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 9c0f46d6e40f769ab421ce0101bd0b7a74bd4ce5 Author: David Hicks <hic...@op...> Date: Tue Dec 1 17:39:50 2009 +1100 Fix #11234: Validate user name and email on account_page.php manage_user_edit_page.php correctly validates the real name and email address of user accounts that are updated by managers/admins. However, the user account update page (account_page.php) doesn't perform these validation checks, allowing users to set their real name and email address to invalid and potentially unsafe strings. ----------------------------------------------------------------------- Summary of changes: account_update.php | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) ----------------------------------------------------------------------- commit 9c0f46d6e40f769ab421ce0101bd0b7a74bd4ce5 Author: David Hicks <hic...@op...> Date: Tue Dec 1 17:39:50 2009 +1100 Fix #11234: Validate user name and email on account_page.php manage_user_edit_page.php correctly validates the real name and email address of user accounts that are updated by managers/admins. However, the user account update page (account_page.php) doesn't perform these validation checks, allowing users to set their real name and email address to invalid and potentially unsafe strings. diff --git a/account_update.php b/account_update.php index f19743c..59b4003 100644 --- a/account_update.php +++ b/account_update.php 
@@ -56,6 +56,7 @@ if ( OFF == config_get( 'use_ldap_email' ) ) { $f_email = email_append_domain( $f_email ); + email_ensure_valid( $f_email ); email_ensure_not_disposable( $f_email ); if ( $f_email != user_get_email( $t_user_id ) ) { @@ -68,6 +69,7 @@ $t_realname = string_normalize( $f_realname ); if ( $t_realname != user_get_field( $t_user_id, 'realname' ) ) { # checks for problems with realnames + user_ensure_realname_valid( $t_realname ); $t_username = user_get_field( $t_user_id, 'username' ); user_ensure_realname_unique( $t_username, $t_realname ); user_set_realname( $t_user_id, $t_realname ); ----------------------------------------------------------------------- -- Mantis Bug Tracker |
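Review bot: The new `email_ensure_valid( $f_email );` is placed after `email_append_domain` and before the `$f_email != user_get_email( $t_user_id )` comparison, so it validates the domain-appended value that is later stored and it runs even when the address is unchanged; that ordering is what makes the fix effective, but nothing in the hunk records it. A one-line comment above the two ensure calls would protect the ordering from a later "cleanup": `# validate the domain-appended address: that is the value compared and stored below`. The hunk header context suggests the check sits inside the `OFF == config_get( 'use_ldap_email' )` branch, which appears to skip validation when the address is not user-editable, though the surrounding condition starts outside the hunk and that reading is inferred.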
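Review bot: `user_ensure_realname_valid( $t_realname );` is reached only inside `if ( $t_realname != user_get_field( $t_user_id, 'realname' ) )`, so an already-stored invalid realname is never re-checked on this page, unlike the email hunk above where `email_ensure_valid` runs before the change comparison. Checking validity before `user_ensure_realname_unique` is the right order (a malformed value is rejected before the uniqueness lookup), and the conditional placement mirrors the existing unique check, so it looks intentional; the existing comment should say so rather than leave the asymmetry unexplained: `# only a changed realname is validated and checked for uniqueness; an unchanged value is left as stored`. The enclosing block begins and ends outside the hunk.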