[Serious] Check usernames when registering
Jet Li
Legacy Dev Team
Development Team
Posts: 6,588
Location: Hong Kong
Re: [Serious] Check usernames when registering
Reply #48 - Jun 12th, 2010 at 5:19pm
New
cgi-bin/yabb2/Admin/Admin.pl
cgi-bin/yabb2/Languages/English/Register.lng
cgi-bin/yabb2/Sources/Profile.pl
cgi-bin/yabb2/Sources/Register.pl
cgi-bin/yabb2/Sources/UserSelect.pl

public_html/yabbfiles/ajax.js

in CVS/SVN.

Changelog:
=============
- Add Reserved Name check on 'Register', 'Edit profile' and 'Add Member' (Admin Center) page (Ajax)

Credits:
=============
Unilat (thanks for adding the Reserved Name check in Ajax that I requested)
« Last Edit: Jun 12th, 2010 at 7:25pm by Jet Li »  

reseved_name-ajax_check.png ( 26 KB | 95 Downloads )

PM me for YaBB Installation Service
Jet Li
Legacy Dev Team
Development Team
Posts: 6,588
Location: Hong Kong
Re: [Serious] Check usernames when registering
Reply #47 - Apr 18th, 2010 at 7:18pm
New
Admin/Admin.pl
in CVS.

Changelog:
=============
- Add Username, Displayed Name and Email Check (Ajax) in Admin Center -> Member Controls -> Add Member

ToDo:
=============
  • Add Displayname and Email Check (Ajax) in User CP - Edit Profile
  • Check for Reserved Names (Ajax) in
    • Admin Center -> Member Controls -> Add Member
    • User CP - Edit Profile
    • Registration Page
« Last Edit: Apr 18th, 2010 at 7:27pm by Jet Li »  

Jet Li
Legacy Dev Team
Development Team
Posts: 6,588
Location: Hong Kong
Re: [Serious] Check usernames when registering
Reply #46 - Mar 27th, 2010 at 1:51pm
New
cgi-bin/yabb2/Languages/English/Register.lng
cgi-bin/yabb2/Sources/Register.pl
cgi-bin/yabb2/Sources/SubList.pl
cgi-bin/yabb2/Sources/UserSelect.pl
cgi-bin/yabb2/YaBB.pl

public_html/yabbfiles/ajax.js
public_html/yabbfiles/Templates/Forum/default/check.png
public_html/yabbfiles/Templates/Forum/default/cross.png
public_html/yabbfiles/Templates/Forum/yabb21/check.png
public_html/yabbfiles/Templates/Forum/yabb21/cross.png

in CVS.
  

Unilat
Development Team
Theme Team
Posts: 1,047
Location: Columbus Ohio, USA
Re: Check usernames when registering
Reply #45 - Jul 13th, 2009 at 3:11am
Yes, deti, that is correct. The only possible thing a user could cause by putting code into the form variables and then sending it is receiving an error message because the Perl script doesn't know what to do. And if they get that, then it's deserved and will alert someone that there's an issue, considering my subroutine should never throw an error, only return true or false. ;)
  
cepheid
Senior Member
Posts: 516
Re: Check usernames when registering
Reply #44 - Jul 13th, 2009 at 12:57am
Matt Siegman wrote on Jul 12th, 2009 at 11:55pm:
The code to handle potentially dangerous input would have to be in the Perl script.

That's what I was getting at. ;)
  
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Location: Wichita, KS
Re: Check usernames when registering
Reply #43 - Jul 12th, 2009 at 11:55pm
Well, the Javascript code is just to fix a bug.

The code to handle potentially dangerous input would have to be in the Perl script.
  

-- Matt Siegman 8) Wish List
cepheid
Senior Member
Posts: 516
Re: Check usernames when registering
Reply #42 - Jul 12th, 2009 at 9:19pm
Unilat wrote on Jul 11th, 2009 at 11:34pm:
But it is still not needed on type or formsession as neither of these will ever have odd characters.

deti wrote on Jul 12th, 2009 at 9:04pm:
Right. And not insert by a user.

Not usually, no... but it can be inserted by a user, specifically a malicious user who is trying to create buffer overflows or simply take advantage of improper input sanitization.

If this is being done just to fix a bug, then you can do it in ajax.js... if this is being done to increase security (i.e. to prevent malicious users from trying to get the Perl script to run things it shouldn't be running), then you must sanitize all input in POST and GET fields, even if it comes from hidden fields that a normal user wouldn't touch.
  
deti
Legacy Dev Team
Development Team
Posts: 2,650
Location: Prien am Chiemsee, Germany
Re: Check usernames when registering
Reply #41 - Jul 12th, 2009 at 9:04pm
Unilat wrote on Jul 11th, 2009 at 11:34pm:
But it is still not needed on type or formsession as neither of these will ever have odd characters.


Right. And not inserted by a user. So it must be in ajax.js:
Code
function checkAvail(scripturl,val,type) {
	GetXmlHttpObject(); // sets up the global xmlHttp object
	if (xmlHttp == null) { alert("AJAX not supported."); return; }
	var session = document.getElementsByName("formsession");
	// only val comes from the user, so only val is percent-encoded here;
	// type and formsession are generated by the page itself
	var params = "type=" + type + "&" + type + "=" + encodeURIComponent(val) + "&formsession=" + session[0].value;
	xmlHttp.open("POST", scripturl + "?action=checkavail", true);
	xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	xmlHttp.setRequestHeader("Content-length", params.length); // browsers set this themselves and ignore it here
	xmlHttp.setRequestHeader("Connection", "close");
	xmlHttp.onreadystatechange=returnAvail; // handles the "true<type>" / "false<type>" reply
	xmlHttp.send(params);
}

  

Whatever you can do
or dream you can,
begin it.
Boldness has genius,
power and magic in it.
Begin it now.
J. W. Goethe
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Location: Wichita, KS
Re: Check usernames when registering
Reply #40 - Jul 12th, 2009 at 12:32am
I didn't look at the values closely, you're correct. It's always a good idea to encode user input, whether or not certain things are allowed. Anything weird in the query string can cause strange results.
  

Unilat
Development Team
Theme Team
Posts: 1,047
Location: Columbus Ohio, USA
Re: Check usernames when registering
Reply #39 - Jul 11th, 2009 at 11:34pm
Neither type variable needs encoding, nor does formsession. My register page says no & are allowed in usernames or display names. Mine also does not allow equal signs (=). When I hit register it says invalid character even though an equals sign is listed as valid.

So if this is true none of the components need encoding, especially now since POST is used.

Edited:
I take the second part back. No = are allowed in the user ID (so the text needs to be changed for that...) but they are allowed in the display name, so encoding can be used on the val variable. But it is still not needed on type or formsession, as neither of these will ever have odd characters.

« Last Edit: Jul 11th, 2009 at 11:38pm by Unilat »  
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Location: Wichita, KS
Re: Check usernames when registering
Reply #38 - Jul 11th, 2009 at 8:50pm
deti wrote on Jul 11th, 2009 at 4:20pm:
deti wrote on Jul 10th, 2009 at 2:01pm:
@ Unilat
If I have a user called --#deti#-- and I try to register another user with the same name, your feature tells me that I can use this name, but if I click "Go" on the reg-page it tells me that I can't register!?!
It looks like the JS doesn't transmit the right name to the Perl script. Can you take a look at this?

I think the problem is that we send the request with GET, so we will get wrong output if we have ; & # = in the username, displayname or email.
Unilat, is it possible to send the request with POST instead of GET via AJAX?

If that is the problem, it means that we aren't encoding our query strings properly in javascript before building the URL. We need to fix it by calling encodeURIComponent(). We need to do this with GET and POST.

Unilat's fix needs to be slightly changed:
Code
var params = "type=" + type + "&" + type + "=" + val + "&formsession=" + session[0].value;

Should be
Code
var params = "type=" + encodeURIComponent(type) + "&" + encodeURIComponent(type) + "=" + encodeURIComponent(val) + "&formsession=" + encodeURIComponent(session[0].value);

  

Jet Li
Legacy Dev Team
Development Team
Posts: 6,588
Location: Hong Kong
Re: Check usernames when registering
Reply #37 - Jul 11th, 2009 at 8:48pm
@ Unilat

Will update later to SVN. :)
  

Unilat
Development Team
Theme Team
Posts: 1,047
Location: Columbus Ohio, USA
Re: Check usernames when registering
Reply #36 - Jul 11th, 2009 at 8:40pm
Updated in ajax.js:
Code
function checkAvail(scripturl,val,type) {
	GetXmlHttpObject(); // sets up the global xmlHttp object
	if (xmlHttp == null) { alert("AJAX not supported."); return; }
	var session = document.getElementsByName("formsession");
	// val, type and formsession are concatenated raw here (no percent-encoding)
	var params = "type=" + type + "&" + type + "=" + val + "&formsession=" + session[0].value;
	// POST instead of GET, so the value no longer travels in the URL
	xmlHttp.open("POST", scripturl + "?action=checkavail", true);
	xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	xmlHttp.setRequestHeader("Content-length", params.length);
	xmlHttp.setRequestHeader("Connection", "close");
	xmlHttp.onreadystatechange=returnAvail; // handles the "true<type>" / "false<type>" reply

	xmlHttp.send(params);
}

Updated in UserSelect.pl:
Code
sub checkUserAvail {
	# Default reply: the requested name is available ("false" followed by the type)
	my $taken = "false$FORM{'type'}";

	if ($FORM{'type'} eq "email") {
		$FORM{'email'} =~ s~\A\s+|\s+\z~~g; # strip leading/trailing whitespace
		# case-insensitive comparison against the existing member index
		if (lc $FORM{'email'} eq lc &MemberIndex("check_exist", $FORM{'email'})) { $taken = "trueemail" };
	} elsif ($FORM{'type'} eq "display") {
		$FORM{'display'} =~ s~\A\s+|\s+\z~~g;
		if (lc $FORM{'display'} eq lc &MemberIndex("check_exist", $FORM{'display'})) { $taken = "truedisplay" };
	} elsif ($FORM{'type'} eq "user") {
		$FORM{'user'} =~ s~\A\s+|\s+\z~~g;
		$FORM{'user'} =~ s/\s/_/g; # user IDs store spaces as underscores, so normalise before comparing
		if (lc $FORM{'user'} eq lc &MemberIndex("check_exist", $FORM{'user'})) { $taken = "trueuser" };
	}

	# plain-text reply read by returnAvail() in ajax.js
	print "Content-type: text/plain\n\n$taken";

	CORE::exit; # This is here only to avoid server error log entries!
}

  
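The GET/POST and encodeURIComponent() discussion in deti's and Matt Siegman's replies above, together with Unilat's checkUserAvail, as an added JavaScript example that is not YaBB's own code: the member list, the forum host and the formsession value are constructed, and checkUserAvail here is a JavaScript restatement of the posted Perl so the whole round trip can run offline.

```javascript
// Added example (not YaBB's ajax.js or UserSelect.pl): reproduces the
// "--#deti#--" availability bug from this thread and shows why percent-
// encoding every parameter fixes it. Node's built-in URL/URLSearchParams
// stand in for the browser and for the Perl CGI form parser.

// Constructed member index in place of YaBB's MemberIndex("check_exist").
// User IDs are stored with spaces folded to underscores.
const MEMBERS = ["--#deti#--", "jet_li", "a&b=c"];

// Request body as ajax.js built it before the fix: raw concatenation.
function buildParamsRaw(type, val, session) {
  return "type=" + type + "&" + type + "=" + val + "&formsession=" + session;
}

// Request body as Matt Siegman proposed: every component encoded.
function buildParamsEncoded(type, val, session) {
  return "type=" + encodeURIComponent(type) + "&" + encodeURIComponent(type) +
    "=" + encodeURIComponent(val) + "&formsession=" + encodeURIComponent(session);
}

// What the server sees. With GET the parameters ride in the URL, so a raw
// '#' starts the fragment and everything after it is never sent. With POST
// the body arrives intact but is still split on '&' and '='.
function receivedParams(params, method) {
  if (method === "GET") {
    const url = "http://forum.example/yabb2/YaBB.pl?action=checkavail&" + params;
    return new URL(url).searchParams;
  }
  return new URLSearchParams(params);
}

// JS restatement of Unilat's checkUserAvail: trim, fold whitespace to '_'
// for user IDs, compare case-insensitively, reply "true<type>"/"false<type>".
function checkUserAvail(form) {
  const type = form.get("type");
  let value = (form.get(type) || "").trim();
  if (type === "user") value = value.replace(/\s/g, "_");
  const taken = MEMBERS.some((m) => m.toLowerCase() === value.toLowerCase());
  return (taken ? "true" : "false") + type;
}

// Full round trip for one candidate user ID; the session value is constructed.
function probe(build, method, val) {
  return checkUserAvail(receivedParams(build("user", val, "abc123"), method));
}

console.log(probe(buildParamsRaw, "GET", "--#deti#--"));      // falseuser (wrong: name is taken)
console.log(probe(buildParamsEncoded, "POST", "--#deti#--")); // trueuser
```

Switching to POST alone cures the '#' case but not a value containing '&' or '=', which is why the encoded builder is needed for either method.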
Unilat
Development Team
Theme Team
Posts: 1,047
Location: Columbus Ohio, USA
Re: Check usernames when registering
Reply #35 - Jul 11th, 2009 at 5:20pm
Yes, I'll change it and post the code here in a bit.
  
deti
Legacy Dev Team
Development Team
Posts: 2,650
Location: Prien am Chiemsee, Germany
Re: Check usernames when registering
Reply #34 - Jul 11th, 2009 at 4:20pm
deti wrote on Jul 10th, 2009 at 2:01pm:
@ Unilat
If I have a user called --#deti#-- and I try to register another user with the same name, your feature tells me that I can use this name, but if I click "Go" on the reg-page it tells me that I can't register!?!
It looks like the JS doesn't transmit the right name to the Perl script. Can you take a look at this?

I think the problem is that we send the request with GET, so we will get wrong output if we have ; & # = in the username, displayname or email.
Unilat, is it possible to send the request with POST instead of GET via AJAX?
« Last Edit: Jul 11th, 2009 at 4:22pm by deti »  
