Commit 503aefa5 authored by tenma's avatar tenma
Browse files

controller/admin: sanitize emails from pseudos using base64

parent c68be220
Pipeline #2753 canceled with stages
......@@ -1458,7 +1458,7 @@ class Admin extends Controller
AND identifiers.identifier='".$identifier. "'");
if ($result->rowCount() == 0) {
// Identifier does not exist, we must create it. We have either a pseudo or an email.
$user_field = explode("_", $identifier)[1];
$user_field = explode("_", $identifier, 2)[1];
$user = '';
if (strpos($user_field, '@')) {
......@@ -1483,6 +1483,14 @@ class Admin extends Controller
$email = $user_field . "@example.org";
$pseudo = $user_field;
}
//! added email sanitizing. TODO reverse where email is needed
//! email norm see rfc822#section-6.1 and rfc5322#section-3.4.1
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
//! encode unsanitizable emails to legal characters
$log->write("Invalid email: non-ASCII");
$email = base64_encode($user_field)."@invalid.com";
$log->write("base64 email: ".$email);
}
//! hash seems to identify one email at one time
$hash = hash('sha256', date("%Y-%m-%d %H:%i:%d").$email);
if (!$testing) {
......@@ -1572,8 +1580,7 @@ class Admin extends Controller
'".$user['id']."',
'".$cumul."',
'".$identifier."')";
}
if (!$testing) {
$db->query($query);
// On met alors à jour le cumul et le total de l'utilisateur concerné
$result = $db->query("UPDATE users
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment