summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xcreateaccount.cgi1
-rw-r--r--globals.pl12
2 files changed, 10 insertions, 3 deletions
diff --git a/createaccount.cgi b/createaccount.cgi
index 79be1bb64..13256f47b 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -65,7 +65,6 @@ if (defined($login)) {
# We've been asked to create an account.
my $realname = trim($::FORM{'realname'});
CheckEmailSyntax($login);
- trick_taint($login);
$vars->{'login'} = $login;
if (!ValidateNewUser($login)) {
diff --git a/globals.pl b/globals.pl
index 21bdc46cf..624f31171 100644
--- a/globals.pl
+++ b/globals.pl
@@ -552,11 +552,19 @@ sub ValidateNewUser {
return 0;
}
+ my $sqluname = SqlQuote($username);
+
# Reject if the new login is part of an email change which is
# still in progress
+ #
+ # substring/locate stuff: bug 165221; this used to use regexes, but that
+ # was unsafe and required weird escaping; using substring to pull out
+ # the new/old email addresses and locate() to find the delimeter (':')
+ # is cleaner/safer
SendSQL("SELECT eventdata FROM tokens WHERE tokentype = 'emailold'
- AND eventdata like '%:$username'
- OR eventdata like '$username:%'");
+ AND SUBSTRING(eventdata, 1, (LOCATE(':', eventdata) - 1)) = $sqluname
+ OR SUBSTRING(eventdata, (LOCATE(':', eventdata) + 1)) = $sqluname");
+
if (my ($eventdata) = FetchSQLData()) {
# Allow thru owner of token
if($old_username && ($eventdata eq "$old_username:$username")) {