From f0fb87c1b9101f6111d4f73b2f99db2e476415a5 Mon Sep 17 00:00:00 2001 From: Luigi Pinca Date: Fri, 22 Feb 2013 19:28:02 +0100 Subject: [PATCH] changed username policy to allow only unreserved URI characters --- app.js | 3 +-- lib/room.js | 10 ++++++---- lib/utils.js | 11 ++++++++++- package.json | 2 +- public/js/app.js | 21 +++++++++------------ public/js/leaderboards.js | 2 +- routes/user.js | 36 ++++++++++++++---------------------- views/changepasswd.jade | 4 ++-- views/home.jade | 4 ++-- views/leaderboards.jade | 6 ++---- views/room.jade | 4 ++-- views/user.jade | 4 ++-- 12 files changed, 52 insertions(+), 55 deletions(-) diff --git a/app.js b/app.js index f950a07..9c3cc6c 100644 --- a/app.js +++ b/app.js @@ -127,8 +127,7 @@ io.sockets.on('connection', function(socket) { } }); socket.on('joinanonymously', function(nickname, roomname) { - if (!socket.nickname && typeof nickname === 'string' && nickname !== '' && - ~config.rooms.indexOf(roomname)) { + if (!socket.nickname && typeof nickname === 'string' && ~config.rooms.indexOf(roomname)) { rooms[roomname].setNickName(socket, nickname); } }); diff --git a/lib/room.js b/lib/room.js index 3163df2..75d26b2 100644 --- a/lib/room.js +++ b/lib/room.js @@ -8,6 +8,7 @@ var amatch = require('./match') , config = require('../config') , fifolength = config.songsinarun * config.gameswithnorepeats , io + , isUsername = require('./utils').isUsername , sockets , songsdb = clients.songs , usersdb = clients.users; @@ -405,12 +406,13 @@ function Room(roomname) { this.setNickName = function(socket, nickname) { var feedback = null; - if (nickname.length > 15) { - feedback = 'That name is too long.'; - } - else if (nickname === 'binb') { + if (nickname === 'binb') { feedback = 'That name is reserved.'; } + else if (!isUsername(nickname)) { + feedback = 'Name must contain only '; + feedback += 'alphanumeric characters.'; + } else if (sockets[nickname]) { feedback = 'Name already taken.'; } diff --git a/lib/utils.js b/lib/utils.js index b5118ec..d5b81ca 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -22,7 +22,7 @@ exports.buildLeaderboards = function(pointsresults, timesresults) { }; /** - * Check if the provided string is a valid email address. + * Check whether a given string is a valid email address. */ exports.isEmail = function(str) { @@ -31,6 +31,15 @@ exports.isEmail = function(str) { return filter.test(str); }; +/** + * Check whether a given string is a well formed username. + */ + +exports.isUsername = function(str) { + var filter = /^[a-zA-Z0-9\-_]{1,15}$/; + return filter.test(str); +}; + /** * Get a random slogan. */ diff --git a/package.json b/package.json index 40758d3..3aa5d9e 100644 --- a/package.json +++ b/package.json @@ -21,5 +21,5 @@ "start": "app.js" }, "subdomain": "binb", - "version": "0.3.5-6" + "version": "0.3.5-7" } diff --git a/public/js/app.js b/public/js/app.js index ebb4bf0..e899f83 100644 --- a/public/js/app.js +++ b/public/js/app.js @@ -394,9 +394,8 @@ for(var i=0;i<3;i++) { if (podium[i]) { - var playername = podium[i].nickname.encodeEntities(); html += '
'; - html += ''+playername+''; + html += ''+podium[i].nickname+''; html += ''+podium[i].points+''; html += ''+podium[i].golds+''+podium[i].silvers+''; html += ''+podium[i].bronzes+''+podium[i].guessed+''; @@ -466,8 +465,7 @@ // Prompt for name and send it var joinAnonymously = function(msg) { if (/nickname\s*\=/.test(document.cookie) && !msg) { - var encodednickname = document.cookie.replace(/.*nickname\s*\=\s*([^;]*);?.*/, '$1'); - nickname = decodeURIComponent(encodednickname); + var nickname = document.cookie.replace(/.*nickname\s*\=\s*([^;]*);?.*/, '$1'); return socket.emit('joinanonymously', nickname, roomname); } @@ -480,7 +478,7 @@ html += '

You are joining the '+roomname+' room

'; html += '

'+(msg || "What's your name?")+'

'; html += '
'; - html += ''; + html += ''; html += ''; html += 'or'; @@ -492,9 +490,8 @@ var button = $('#join'); button.click(function() { - var val = $.trim(login.val()); - if (val !== '') { - nickname = val; + if ($.trim(login.val()) !== '') { + nickname = login.val(); socket.emit('joinanonymously', nickname, roomname); } else { @@ -633,7 +630,7 @@ // Successfully joined the room var ready = function(usersData, trackscount, loggedin) { if (!loggedin && !/nickname\s*\=/.test(document.cookie)) { - document.cookie = 'nickname='+encodeURIComponent(nickname)+';path=/;'; + document.cookie = 'nickname='+nickname+';path=/;'; } DOM.modal.modal('hide').empty(); @@ -843,7 +840,7 @@ li.append(pvt, username, points, roundrank, roundpointsel, guesstime); if (user.registered) { - var href = 'href="/user/'+encodeURIComponent(user.nickname)+'"'; + var href = 'href="/user/'+user.nickname+'"'; pvt.after(''); } DOM.users.append(li); @@ -901,12 +898,12 @@ // Convert any URLs in text into clickable links var urlize = function(text) { - if (text.match(urlregex)) { + if (urlregex.test(text)) { var html = ''; var splits = text.split(urlregex); for (var i=0; i'+escapedsplit+''; continue; } diff --git a/public/js/leaderboards.js b/public/js/leaderboards.js index d009716..81d84b6 100644 --- a/public/js/leaderboards.js +++ b/public/js/leaderboards.js @@ -1,7 +1,7 @@ (function() { var appendResults = function(data, leaderboard, offset, type) { for (var i=0; i').text(data[i]) + var link = $('').text(data[i]) , col1 = ''+(++offset)+'' , col2 = $('').append(link) , col3 = (type === 'points') diff --git a/routes/user.js b/routes/user.js index 43b6629..c30ec04 100644 --- a/routes/user.js +++ b/routes/user.js @@ -65,13 +65,12 @@ exports.validateChangePasswd = function(req, res, next) { } var errors = {}; - - req.body.oldpassword = req.body.oldpassword.trim(); - if (req.body.oldpassword === '') { + + if (req.body.oldpassword.trim() === '') { errors.oldpassword = "can't be empty"; } - if (!/^[\x21-\x7E]{6,15}$/.test(req.body.newpassword)) { - errors.newpassword = '6 to 15 characters required'; + if (req.body.newpassword.length < 6) { + errors.newpassword = 'must be at least 6 characters long'; } else if(req.body.newpassword === req.body.oldpassword) { errors.newpassword = "can't be changed to the old one"; @@ -123,13 +122,11 @@ exports.validateLogin = function(req, res, next) { } var errors = {}; - - req.body.username = req.body.username.trim(); // Username sanitization - req.body.password = req.body.password.trim(); // Password sanitization - if (req.body.username === '') { + + if (req.body.username.trim() === '') { errors.username = "can't be empty"; } - if (req.body.password === '') { + if (req.body.password.trim() === '') { errors.password = "can't be empty"; } @@ -194,23 +191,18 @@ exports.validateSignUp = function(req, res, next) { } var errors = {}; - - req.body.username = req.body.username.trim(); // Username sanitization + if (req.body.username === 'binb') { errors.username = 'is reserved'; } - else if (/\.\.?/.test('/'+req.body.username+'/')) { - // Username contains dot segments which will be removed by URL normalization - errors.username = 'is not valid'; - } - else if (!/^[^\x00-\x1F\x7F]{1,15}$/.test(req.body.username)) { - errors.username = '1 to 15 characters required'; + else if (!utils.isUsername(req.body.username)) { + errors.username = 'must contain only alphanumeric characters'; } if (!utils.isEmail(req.body.email)) { errors.email = 'is not an email address'; } - if (!/^[\x21-\x7E]{6,15}$/.test(req.body.password)) { - errors.password = '6 to 15 characters required'; + if (req.body.password.length < 6) { + errors.password = 'must be at least 6 characters long'; } if (req.body.captcha !== req.session.captchacode) { errors.captcha = 'no match'; @@ -353,8 +345,8 @@ exports.resetPasswd = function(req, res) { var errors = {}; // Validate new password - if (!/^[\x21-\x7E]{6,15}$/.test(req.body.password)) { - errors.password = '6 to 15 characters required'; + if (req.body.password.length < 6) { + errors.password = 'must be at least 6 characters long'; } // Check token availability if (!req.query.token) { diff --git a/views/changepasswd.jade b/views/changepasswd.jade index 031e04a..01c714c 100644 --- a/views/changepasswd.jade +++ b/views/changepasswd.jade @@ -9,11 +9,11 @@ block nav a(href="/") Home li.dropdown a.dropdown-toggle(data-toggle="dropdown", href="#") - | Logged in as #{loggedin.replace(/&/g, '&')} + | Logged in as #{loggedin} span.caret ul.dropdown-menu li - a(href="/user/#{encodeURIComponent(loggedin)}", target="_blank") Profile + a(href="/user/#{loggedin}", target="_blank") Profile li a(href="/logout") Logout diff --git a/views/home.jade b/views/home.jade index 1a061fd..cbbf765 100644 --- a/views/home.jade +++ b/views/home.jade @@ -14,11 +14,11 @@ block nav - if (locals.loggedin) li.dropdown a.dropdown-toggle(data-toggle="dropdown", href="#") - | Logged in as #{loggedin.replace(/&/g, '&')} + | Logged in as #{loggedin} span.caret ul.dropdown-menu li - a(href="/user/#{encodeURIComponent(loggedin)}", target="_blank") Profile + a(href="/user/#{loggedin}", target="_blank") Profile li a(href="/changepasswd") Change password li diff --git a/views/leaderboards.jade b/views/leaderboards.jade index 2dfef06..d8e24d8 100644 --- a/views/leaderboards.jade +++ b/views/leaderboards.jade @@ -24,8 +24,7 @@ block sections tr td #{i+1} td - a(href="/user/#{encodeURIComponent(user.username)}") - | #{user.username.replace(/&/g, '&')} + a(href="/user/#{user.username}") #{user.username} td #{user.totpoints} .loading .loading-block @@ -40,8 +39,7 @@ block sections tr td #{i+1} td - a(href="/user/#{encodeURIComponent(user.username)}") - | #{user.username.replace(/&/g, '&')} + a(href="/user/#{user.username}") #{user.username} td i.icon-time | #{user.bestguesstime} sec diff --git a/views/room.jade b/views/room.jade index 14605d7..7a558d6 100644 --- a/views/room.jade +++ b/views/room.jade @@ -27,11 +27,11 @@ block nav - if (locals.loggedin) li.dropdown a.dropdown-toggle(data-toggle="dropdown", href="#") - | Logged in as #{loggedin.replace(/&/g, '&')} + | Logged in as #{loggedin} span.caret ul.dropdown-menu li - a(href="/user/#{encodeURIComponent(loggedin)}", target="_blank") Profile + a(href="/user/#{loggedin}", target="_blank") Profile li a(href="/changepasswd?followup=/#{roomname}") Change password li diff --git a/views/user.jade b/views/user.jade index 38b2b6d..01cb36f 100644 --- a/views/user.jade +++ b/views/user.jade @@ -1,7 +1,7 @@ extends layout block title - title binb :: #{username.replace(/&/g, '&')} info + title binb :: #{username} info block brand a.brand(href="#") @@ -11,7 +11,7 @@ block sections section .row .span7.offset1 - .profile #{username.replace(/&/g, '&')} + .profile #{username} .icons.img div member since #{joindate} section -- 2.54.0