From: Luigi Pinca
Date: Sun, 11 Nov 2012 10:12:20 +0000 (+0100)
Subject: fixed an issue with URL normalization
X-Git-Url: https://git.saalbach.dev/?a=commitdiff_plain;h=f3bb7dc0e127b6ecb89ffcdf4e6c583fc77e131a;p=binbsis50.git
fixed an issue with URL normalization
---
diff --git a/package.json b/package.json
index fc940c4..dfe55b1 100644
--- a/package.json
+++ b/package.json
@@ -21,5 +21,5 @@
 "start": "app.js"
 },
 "subdomain": "binb",
- "version": "0.3.4-8"
+ "version": "0.3.4-10"
 }
\ No newline at end of file
diff --git a/routes/user.js b/routes/user.js
index 38bf82a..03472ca 100644
--- a/routes/user.js
+++ b/routes/user.js
@@ -60,8 +60,8 @@ exports.validateChangePasswd = function(req, res, next) {
 if (req.body.oldpassword === '') {
 errors.oldpassword = "can't be empty";
 }
- if (!req.body.newpassword.match(/^[A-Za-z0-9]{6,15}$/)) {
- errors.newpassword = '6 to 15 alphanumeric characters required';
+ if (!/^[\x21-\x7E]{6,15}$/.test(req.body.newpassword)) {
+ errors.newpassword = '6 to 15 characters required';
 }
 else if(req.body.newpassword === req.body.oldpassword) {
 errors.newpassword = "can't be changed to the old one";
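Review bot: Switching from `value.match(re)` to `re.test(value)` makes the password check coerce its argument to a string, so a request that omits `newpassword` is tested as the text "undefined" (nine characters, all inside `\x21-\x7E`) and passes validation instead of failing. An array value would likewise be joined into a string if the body parser produces one, which is not visible here. A type guard closes this: `if (typeof req.body.newpassword !== 'string' || !/^[\x21-\x7E]{6,15}$/.test(req.body.newpassword)) {`. The same applies to the password tests in the validateSignUp and resetPasswd hunks and to the username test in validateSignUp. The body of validateChangePasswd continues outside this hunk, so what later code does with the unchecked value cannot be confirmed from here.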
@@ -189,14 +189,18 @@ exports.validateSignUp = function(req, res, next) {
 if (req.body.username === 'binb') {
 errors.username = 'is reserved';
 }
- else if (!req.body.username.match(/^[^\x00-\x1F\x7F]{1,15}$/)) {
+ else if (/\.\.?/.test('/'+req.body.username+'/')) {
+ // Username contains dot segments which will be removed by URL normalization
+ errors.username = 'is not valid';
+ }
+ else if (!/^[^\x00-\x1F\x7F]{1,15}$/.test(req.body.username)) {
 errors.username = '1 to 15 characters required';
 }
 if (!utils.isEmail(req.body.email)) {
 errors.email = 'is not an email address';
 }
- if (!req.body.password.match(/^[A-Za-z0-9]{6,15}$/)) {
- errors.password = '6 to 15 alphanumeric characters required';
+ if (!/^[\x21-\x7E]{6,15}$/.test(req.body.password)) {
+ errors.password = '6 to 15 characters required';
 }
 if (req.body.captcha !== req.session.captchacode) {
 errors.captcha = 'no match';
@@ -339,8 +343,8 @@ exports.resetPasswd = function(req, res) {
 var errors = {};
 // Validate new password
- if (!req.body.password.match(/^[A-Za-z0-9]{6,15}$/)) {
- errors.password = '6 to 15 alphanumeric characters required';
+ if (!/^[\x21-\x7E]{6,15}$/.test(req.body.password)) {
+ errors.password = '6 to 15 characters required';
 }
 // Check token availability
 if (!req.query.token) {
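Review bot: The dot-segment test in validateSignUp, `/\.\.?/.test('/'+req.body.username+'/')`, is unanchored, so it matches any username containing a dot anywhere and the slashes added around the value are never consulted. This fails closed, but a name such as `j.smith` is rejected as "is not valid" even though it is not a dot segment, and the comment describes a narrower rule than the code enforces. If only whole `.` and `..` segments are meant, anchor the pattern on the separators: `else if (/\/\.\.?\//.test('/' + req.body.username + '/')) {`. The following length check still accepts `/`, `?`, `#` and `%`; if the username is placed in a URL path unencoded (not visible in this hunk), encoding it where the URL is built would be more robust than filtering at sign-up.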
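Review bot: The new message in resetPasswd, `'6 to 15 characters required'`, no longer says what the pattern enforces. `[\x21-\x7E]` rejects spaces and every non-ASCII character, so a password containing a space fails with an error that mentions only length; `errors.password = '6 to 15 printable ASCII characters without spaces required';` would match the rule. The 15-character ceiling is carried over from the old pattern and rules out passphrases; whether storage imposes that limit is not visible here. The same pattern and message are repeated in validateChangePasswd and validateSignUp, so a single helper next to `utils.isEmail` would keep the three checks in sync. The body of resetPasswd continues outside this hunk.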