From 3742a9d5c49646805a28caef8a2a557ced999562 Mon Sep 17 00:00:00 2001
From: Robin Malley
Date: Tue, 13 Oct 2020 18:10:55 +0000
Subject: [PATCH] Throw an error message if the user enters a bad username

For some reason kore isn't checking parameters anymore, so check them lua-side.
---
 src/lua/init.lua | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/lua/init.lua b/src/lua/init.lua
index a87734b..d0b0c5f 100644
--- a/src/lua/init.lua
+++ b/src/lua/init.lua
@@ -513,6 +513,16 @@ function claim(req)
 --Actually claim a name
 http_request_populate_post(req)
 local name = assert(http_argument_get_string(req,"user"))
+ --What in the world, Kore should be rejecting names that
+ --are not lower case & no symbols, but some still get through somehow.
+ if not name:match("^[a-z0-9]{1,30}$") then
+ print("Bad username:",name)
+ text = pages.claim{
+ err = "Usernames must match ^[a-z0-9]{1,30}$"
+ }
+ http_response(req,200,text)
+ return
+ end
 local rngf = assert(io.open("/dev/urandom","rb"))
 local passlength = string.byte(rngf:read(1)) + 64
 local salt = rngf:read(64)
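Review bot: The added check `name:match("^[a-z0-9]{1,30}$")` uses a regex-style `{1,30}` count, which Lua patterns do not support; the braces are matched literally, so an ordinary name such as `alice` is rejected and only strings like `a{1,30}` pass. Express the length bound separately, e.g. `if #name < 1 or #name > 30 or not name:match("^[a-z0-9]+$") then`, and reword the user-facing message to describe the rule in the same terms. `text` is assigned without `local` in the added lines, so unless it is declared earlier in `claim` (whose body starts and continues outside this hunk) it becomes a global that may be shared across requests; `local text = pages.claim{...}` avoids that. The rejected name is printed verbatim, so logging it as `string.format("%q", name)` would keep control characters in untrusted input from forging log lines.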