Merge pull request #3444 from reosarevok/MBS-13857
MBS-13857 / MBS-13893: Block invisible characters from usernames
reosarevok authored Jan 9, 2025
2 parents b0de13d + 67e9b80 commit 77aefb5
Showing 4 changed files with 45 additions and 4 deletions.
4 changes: 2 additions & 2 deletions lib/MusicBrainz/Server/Data/Editor.pm
Expand Up @@ -19,7 +19,7 @@ use MusicBrainz::Server::Data::Utils qw(
hash_to_row
load_subobjects
placeholders
sanitize
sanitize_username
);
use MusicBrainz::Server::Constants qw(
:create_entity
Expand Down Expand Up @@ -282,7 +282,7 @@ sub find_subscribers

sub _die_if_username_invalid {
my $name = shift;
my $sanitized_name = sanitize($name);
my $sanitized_name = sanitize_username($name);

die 'Invalid user name' if (
$name ne $sanitized_name ||
23 changes: 23 additions & 0 deletions lib/MusicBrainz/Server/Data/Utils.pm
Expand Up @@ -73,6 +73,7 @@ our @EXPORT_OK = qw(
remove_equal
remove_invisible_characters
sanitize
sanitize_username
take_while
trim
trim_comment
Expand Down Expand Up @@ -349,6 +350,18 @@ sub sanitize {
return $t;
}

sub sanitize_username {
my $t = shift;

return '' unless non_empty($t);

$t = sanitize($t);
$t = remove_invisible_characters($t);
$t = remove_tag_characters($t);

return $t;
}

sub trim {
my $t = shift;

Expand Down Expand Up @@ -470,6 +483,16 @@ sub remove_lineformatting_characters {
=~ s/[\N{ZERO WIDTH SPACE}\N{SOFT HYPHEN}\p{Cc}]//gr;
}

sub remove_tag_characters {
my $string = shift;

# https://en.wikipedia.org/wiki/Tags_(Unicode_block)
# Can be used for flag emojis but also as invisible chars
$string =~ s/[\x{E0000}-\x{E007F}]//g;

return $string;
}

sub type_to_model
{
return $TYPE_TO_MODEL{$_[0]} || die "$_[0] is not a type that has a model";
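Review bot: The value `sanitize_username` returns is not guaranteed to be in sanitized form, because `sanitize` runs before `remove_invisible_characters` and `remove_tag_characters`. Stripping a filler that sat between two spaces, or at the end of the name, can leave whitespace that `sanitize` would presumably have collapsed or trimmed (its body is outside the hunk, so this is inferred from the existing 'consecutive spaces' test). The two callers changed in this commit only compare the result with the input and so still reject such names, but the sub is exported through `@EXPORT_OK` and a later caller could store the result. Moving `$t = sanitize($t);` below the two `remove_*` calls should keep the rejections identical and make the output stable. Failing that, a comment such as `# Only for comparison with the input: stripping happens after sanitize(), so the result is not re-normalised.` would record the limit.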
4 changes: 2 additions & 2 deletions lib/MusicBrainz/Server/Form/Utils.pm
Expand Up @@ -3,7 +3,7 @@ package MusicBrainz::Server::Form::Utils;
use strict;
use warnings;

use MusicBrainz::Server::Data::Utils qw( sanitize );
use MusicBrainz::Server::Data::Utils qw( sanitize_username );
use MusicBrainz::Server::Translation qw( l lp );
use List::AllUtils qw( sort_by );

Expand Down Expand Up @@ -212,7 +212,7 @@ sub validate_username {

if (defined $username) {
unless (defined $previous_username && $editor_model->are_names_equivalent($previous_username, $username)) {
my $sanitized_name = sanitize($username);
my $sanitized_name = sanitize_username($username);
if (
$username ne $sanitized_name ||
$sanitized_name =~ qr{://}
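Review bot: Names that already contain invisible or tag characters are not affected by this change. In `validate_username` the `sanitize_username` comparison sits inside `unless (defined $previous_username && $editor_model->are_names_equivalent(...))`, so an existing account keeps such a name for as long as it is not renamed. If look-alike usernames are the concern behind MBS-13857, a one-off query over stored editor names for the same character classes would show whether any cleanup or flagging is needed. A short comment above the `unless`, for example `# Existing names are grandfathered; only new or changed names are validated.`, would make that scope explicit. The body of validate_username continues outside the hunk.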
18 changes: 18 additions & 0 deletions t/lib/t/MusicBrainz/Server/Controller/User/Register.pm
Expand Up @@ -97,6 +97,24 @@ test 'Trying to register with an invalid name' => sub {
like($mech->uri, qr{/register}, 'stays on registration page');
$mech->content_contains('username contains invalid characters', 'form has error message for consecutive spaces in username');

$mech->submit_form( with_fields => {
'register.username' => "test\N{HANGUL FILLER}\N{HALFWIDTH HANGUL FILLER}\N{BRAILLE PATTERN BLANK}\N{HANGUL CHOSEONG FILLER}\N{HANGUL JUNGSEONG FILLER}",
'register.password' => 'foo',
'register.confirm_password' => 'foo',
'register.email' => '[email protected]',
});
like($mech->uri, qr{/register}, 'stays on registration page');
$mech->content_contains('username contains invalid characters', 'form has error message for invisible characters in username');

$mech->submit_form( with_fields => {
'register.username' => "test\N{TAG LATIN CAPITAL LETTER T}\N{TAG LATIN CAPITAL LETTER E}\N{TAG LATIN CAPITAL LETTER S}\N{TAG LATIN CAPITAL LETTER T}",
'register.password' => 'foo',
'register.confirm_password' => 'foo',
'register.email' => '[email protected]',
});
like($mech->uri, qr{/register}, 'stays on registration page');
$mech->content_contains('username contains invalid characters', 'form has error message for tag characters in username');

$mech->submit_form( with_fields => {
'register.username' => 'looks://like_a_url_to_me',
'register.password' => 'foo',
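Review bot: The tag-character case covers only four `TAG LATIN CAPITAL LETTER` code points from the middle of the block, so the ends of the `[\x{E0000}-\x{E007F}]` range in `remove_tag_characters` are untested. Adding `\N{LANGUAGE TAG}` (U+E0001) and `\N{CANCEL TAG}` (U+E007F) to the username string would pin both boundaries. Both new cases also go through the registration form only. The data-layer check `_die_if_username_invalid` in Data/Editor.pm is changed in the same commit and has no test in this diff, though one may exist elsewhere. The enclosing test sub starts and ends outside the hunk.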
