From 890b481692a0da9cfb60d014dc855998ae89a29d Mon Sep 17 00:00:00 2001
From: Erik Johnston <erikj@matrix.org>
Date: Fri, 22 Sep 2017 15:25:15 +0100
Subject: [PATCH] Correctly check username validility

---
 .../dendrite/clientapi/jsonerror/jsonerror.go |  6 +++++
 .../dendrite/clientapi/writers/register.go    | 23 +++++++++++++++----
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go b/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
index d267355e2..8f168f4fa 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
@@ -85,6 +85,12 @@ func WeakPassword(msg string) *MatrixError {
 	return &MatrixError{"M_WEAK_PASSWORD", msg}
 }
 
+// InvalidUsername is an error returned when the client tries to register an
+// invalid username
+func InvalidUsername(msg string) *MatrixError {
+	return &MatrixError{"M_INVALID_USERNAME", msg}
+}
+
 // GuestAccessForbidden is an error which is returned when the client is
 // forbidden from accessing a resource as a guest.
 func GuestAccessForbidden(msg string) *MatrixError {
diff --git a/src/github.com/matrix-org/dendrite/clientapi/writers/register.go b/src/github.com/matrix-org/dendrite/clientapi/writers/register.go
index 40901bbf5..9be1ba915 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/writers/register.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/writers/register.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 	"time"
 
@@ -29,6 +30,8 @@ const (
 	maxUsernameLength = 254 // http://matrix.org/speculator/spec/HEAD/intro.html#user-identifiers TODO account for domain
 )
 
+var validUsernameRegex = regexp.MustCompile(`^[0-9a-zA-Z_\-./]+$`)
+
 // registerRequest represents the submitted registration request.
 // It can be broken down into 2 sections: the auth dictionary and registration parameters.
 // Registration parameters vary depending on the request, and will need to remembered across
@@ -67,11 +70,11 @@ type authFlow struct {
 
 // legacyRegisterRequest represents the submitted registration request for v1 API.
 type legacyRegisterRequest struct {
-	Password string              `json:"password"`
-	Username string              `json:"user"`
-	Admin    bool                `json:"admin"`
-	Type     authtypes.LoginType `json:"type"`
-	Mac      gomatrixserverlib.HexString           `json:"mac"`
+	Password string                      `json:"password"`
+	Username string                      `json:"user"`
+	Admin    bool                        `json:"admin"`
+	Type     authtypes.LoginType         `json:"type"`
+	Mac      gomatrixserverlib.HexString `json:"mac"`
 }
 
 func newUserInteractiveResponse(sessionID string, fs []authFlow) userInteractiveResponse {
@@ -106,6 +109,16 @@ func validate(username, password string) *util.JSONResponse {
 			Code: 400,
 			JSON: jsonerror.WeakPassword(fmt.Sprintf("password too weak: min %d chars", minPasswordLength)),
 		}
+	} else if !validUsernameRegex.MatchString(username) {
+		return &util.JSONResponse{
+			Code: 400,
+			JSON: jsonerror.InvalidUsername("User ID can only contain characters a-z, 0-9, or '_-./'"),
+		}
+	} else if username[0] == '_' { // Regex checks its not a zero length string
+		return &util.JSONResponse{
+			Code: 400,
+			JSON: jsonerror.InvalidUsername("User ID can't start with a '_'"),
+		}
 	}
 	return nil
 }