From 98af489386d9ad8aa6d1490c35f600c928eb364c Mon Sep 17 00:00:00 2001 From: Juerd Waalboer Date: Tue, 26 Dec 2023 16:17:26 +0100 Subject: [PATCH] Limit character set for new usernames --- UPGRADING.md | 12 +++++++----- plugins/adduser | 10 +++++----- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/UPGRADING.md b/UPGRADING.md index 1953768..db2f87d 100644 --- a/UPGRADING.md +++ b/UPGRADING.md @@ -15,12 +15,14 @@ because it wasn't known if these would show up in barcodes. In more than 13 years of real world use, though, it seems that barcodes and usernames with "special" characters are incredibly uncommon. -Usernames must now only contain the characters from the set `A-Za-z0-9_-`. -Existing usernames with special characters can be used by quoting the username. +Since `' " \ ;` now have special meanings, they are no longer supported in +product IDs. In theory, they could be quoted or escaped, but barcode scanners +don't know that. Existing users with those characters in their names can +continue to use their accounts by quoting or escaping them. -Since `'`, `"`, `\`, and `;` now have special meanings, they are no longer -supported in product IDs. In theory, they could be quoted or escaped, but -barcode scanners don't know that. +New usernames must now only contain the characters from the set +`A-Z a-z 0-9 _ - + / ^ * [] {}` and the first character must not be any of +`- + / ^ *`. ## Update scripts that run revbank commands diff --git a/plugins/adduser b/plugins/adduser index 24b764d..b99d2b3 100644 --- a/plugins/adduser +++ b/plugins/adduser @@ -15,13 +15,13 @@ sub command :Tab(adduser) ($self, $cart, $command, @) { } sub username($self, $cart, $name, @) { - return REJECT, "Sorry, whitespace is not allowed." - if $name =~ /\s/; + return REJECT, "Sorry, only A-Z a-z 0-9 _ - + / ^ * [] {} are allowed." + if $name !~ /^[A-Za-z0-9_\-+\/\^*\[\]{}-]+\z/; - return REJECT, "Sorry, invalid first character." - if $name =~ /^[-+*]/; + return REJECT, "Sorry, - + / ^ * are not allowed as the first character." + if $name =~ /^[-+*\/\^]/; - return REJECT, "That's too numeric to be a user name." + return REJECT, "Sorry, that's too numeric to be a user name." if defined parse_amount($name); return REJECT, "That name already exists."