Commit 503aefa5 authored Oct 29, 2020 by tenma

controller/admin: sanitize emails from pseudos using base64
parent c68be220
Pipeline #2753 canceled with stages
app/controller/admin.php
@@ -1458,7 +1458,7 @@ class Admin extends Controller
AND identifiers.identifier='"
.
$identifier
.
"'"
);
if
(
$result
->
rowCount
()
==
0
)
{
// Identifier does not exist, we must create it. We have either a pseudo or an email.
$user_field
=
explode
(
"_"
,
$identifier
)[
1
];
$user_field
=
explode
(
"_"
,
$identifier
,
2
)[
1
];
$user
=
''
;
if
(
strpos
(
$user_field
,
'@'
))
{
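Review bot: the limit argument 2 to explode() is the right fix for identifiers whose pseudo or email part itself contains an underscore (the old call silently truncated at the second underscore), but neither the old nor the new line guards the case where $identifier contains no underscore at all: `[1]` then indexes past a one-element array and leaves $user_field null with a notice. Use `explode("_", $identifier, 2)[1] ?? ''` and reject an empty result before reaching the email/pseudo branch. The context above also shows $identifier being interpolated straight into the SQL string (`AND identifiers.identifier='" . $identifier . "'`); independent of this change, that value should be bound as a query parameter rather than concatenated.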
@@ -1483,6 +1483,14 @@ class Admin extends Controller
$email
=
$user_field
.
"@example.org"
;
$pseudo
=
$user_field
;
}
//! added email sanitizing. TODO reverse where email is needed
//! email norm see rfc822#section-6.1 and rfc5322#section-3.4.1
if
(
!
filter_var
(
$email
,
FILTER_VALIDATE_EMAIL
))
{
//! encode unsanitizable emails to legal characters
$log
->
write
(
"Invalid email: non-ASCII"
);
$email
=
base64_encode
(
$user_field
)
.
"@invalid.com"
;
$log
->
write
(
"base64 email: "
.
$email
);
}
//! hash seems to identify one email at one time
$hash
=
hash
(
'sha256'
,
date
(
"%Y-%m-%d %H:%i:%d"
)
.
$email
);
if
(
!
$testing
)
{
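Review bot: the fallback address uses `@invalid.com`, which is an ordinary registrable .com domain rather than a reserved one, so any code path that ever sends mail to these placeholder addresses would deliver to a third party; RFC 2606 reserves the `.invalid` TLD (and `example.org`, already used a few lines above for pseudos) for exactly this purpose, so prefer `@invalid.invalid` or the existing `@example.org`. The log message "Invalid email: non-ASCII" is also inaccurate, since FILTER_VALIDATE_EMAIL rejects plenty of ASCII input (missing domain, spaces, malformed structure); log that the filter failed rather than guessing the cause, and note that `$log->write("base64 email: " . $email)` writes a trivially reversible copy of the user field, which may be personal data, into the log. For the TODO, the reverse step is `base64_decode(strstr($email, '@', true))` and recovers $user_field, not the derived $email; worth stating in the comment. Pre-existing but visible in the context: `date("%Y-%m-%d %H:%i:%d")` is a strftime-style format, which PHP's date() does not use, so the percent signs are emitted literally and the final `%d` repeats the day of month instead of giving seconds (`"Y-m-d H:i:s"` is the intended format), which makes the hash far less time-specific than the comment claims.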
@@ -1572,8 +1580,7 @@ class Admin extends Controller
'"
.
$user
[
'id'
]
.
"',
'"
.
$cumul
.
"',
'"
.
$identifier
.
"')"
;
}
if
(
!
$testing
)
{
$db
->
query
(
$query
);
// On met alors à jour le cumul et le total de l'utilisateur concerné
$result
=
$db
->
query
(
"UPDATE users
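Review bot: the INSERT shown here still builds its VALUES list by string concatenation (`'" . $cumul . "', '" . $identifier . "')"`), so the base64 fallback introduced for $email upstream does nothing for the safety of this statement; $user['id'], $cumul and $identifier should be bound as prepared-statement parameters, and the same applies to the `UPDATE users` query that follows. Since this hunk replaces eight lines with seven, the commit message should also say what was dropped here beyond the email sanitizing it describes.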