Correctly check username validility

2025-12-12 01:13:10 -06:00 · 2017-09-22 15:25:15 +01:00 · 2017-09-22 15:25:15 +01:00 · 890b481692
parent b2f72e4f44
commit 890b481692
2 changed files with 24 additions and 5 deletions
--- a/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
@ -85,6 +85,12 @@ func WeakPassword(msg string) *MatrixError {
 	return &MatrixError{"M_WEAK_PASSWORD", msg}
 }

+// InvalidUsername is an error returned when the client tries to register an
+// invalid username
+func InvalidUsername(msg string) *MatrixError {
+	return &MatrixError{"M_INVALID_USERNAME", msg}
+}
+
 // GuestAccessForbidden is an error which is returned when the client is
 // forbidden from accessing a resource as a guest.
 func GuestAccessForbidden(msg string) *MatrixError {
--- a/src/github.com/matrix-org/dendrite/clientapi/writers/register.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/writers/register.go
@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 	"time"

@ -29,6 +30,8 @@ const (
 	maxUsernameLength = 254 // http://matrix.org/speculator/spec/HEAD/intro.html#user-identifiers TODO account for domain
 )

+var validUsernameRegex = regexp.MustCompile(`^[0-9a-zA-Z_\-./]+$`)
+
 // registerRequest represents the submitted registration request.
 // It can be broken down into 2 sections: the auth dictionary and registration parameters.
 // Registration parameters vary depending on the request, and will need to remembered across
@ -67,11 +70,11 @@ type authFlow struct {

 // legacyRegisterRequest represents the submitted registration request for v1 API.
 type legacyRegisterRequest struct {
-	Password string              `json:"password"`
-	Username string              `json:"user"`
-	Admin    bool                `json:"admin"`
-	Type     authtypes.LoginType `json:"type"`
-	Mac      gomatrixserverlib.HexString           `json:"mac"`
+	Password string                      `json:"password"`
+	Username string                      `json:"user"`
+	Admin    bool                        `json:"admin"`
+	Type     authtypes.LoginType         `json:"type"`
+	Mac      gomatrixserverlib.HexString `json:"mac"`
 }

 func newUserInteractiveResponse(sessionID string, fs []authFlow) userInteractiveResponse {
@ -106,6 +109,16 @@ func validate(username, password string) *util.JSONResponse {
 			Code: 400,
 			JSON: jsonerror.WeakPassword(fmt.Sprintf("password too weak: min %d chars", minPasswordLength)),
 		}
+	} else if !validUsernameRegex.MatchString(username) {
+		return &util.JSONResponse{
+			Code: 400,
+			JSON: jsonerror.InvalidUsername("User ID can only contain characters a-z, 0-9, or '_-./'"),
+		}
+	} else if username[0] == '_' { // Regex checks its not a zero length string
+		return &util.JSONResponse{
+			Code: 400,
+			JSON: jsonerror.InvalidUsername("User ID can't start with a '_'"),
+		}
 	}
 	return nil
 }