No check for loading chatbox with other name
TijsC - November 21, 2005 - 15:17
| Project: | Chat Box |
| Version: | HEAD |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
Nearly two hours after site launch, my first members found out that you can assign yourself another nickname in the chatbox just by altering the query string and reloading the page.

#1
This is too vague (how do you change the query string?). I can't reproduce this bug.
#2
Resetting to active. Maybe someone will investigate this in more detail.
#3
Nicknames are set by GET and POST requests. I'll take suggestions to change this. Here is the name-setting code:
// The nickname is taken straight from the request; it is never compared with the logged-in account.
if (isset($_GET['nickname']) && $_GET['nickname'] != '') {
  $nickname = $_GET['nickname'];
}
elseif (isset($_POST['nickname']) && $_POST['nickname'] != '') {
  $nickname = $_POST['nickname'];
}
else {
  srand(time());
  $nickname = $user->uid ? $user->name : t('Guest') . rand(100, 999);
}
#4
I modified the code to require users to use either their user name or a system-assigned guest name:
// figure nickname
// Logged-in users ($user->uid != 0) always get their account name;
// the request value is only used for anonymous visitors.
if (isset($_GET['nickname']) && $_GET['nickname'] != '') {
  $nickname = $user->uid ? $user->name : $_GET['nickname'];
}
elseif (isset($_POST['nickname']) && $_POST['nickname'] != '') {
  $nickname = $user->uid ? $user->name : $_POST['nickname'];
}
else {
  srand(time());
  $nickname = $user->uid ? $user->name : t('Guest') . rand(100, 999);
}
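An added example, not part of the original thread or the Chat Box module: a stand-alone sketch of the same rule (the display name of a logged-in user comes from the server-side account, never from the request). It goes one step beyond the fix above by also refusing guest nicknames that match a registered account name. The function name `resolve_chat_nickname`, the account array shape, the nickname pattern and the `$registered` list are assumptions for illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper, not the Chat Box module's code.

/**
 * Resolve the nickname shown in chat.
 *
 * @param array       $account    Server-side account: ['uid' => int, 'name' => string].
 * @param string|null $requested  Client-supplied nickname (GET/POST), untrusted.
 * @param string[]    $registered Registered account names (assumed lookup result).
 */
function resolve_chat_nickname(array $account, ?string $requested, array $registered): string
{
    // Logged-in users: identity comes from the session, never from the request.
    if ($account['uid'] > 0) {
        return $account['name'];
    }

    $fallback = 'Guest' . random_int(100, 999);
    if ($requested === null) {
        return $fallback;
    }

    // Guests: accept only a short nickname made of letters, digits and underscores.
    $nick = trim($requested);
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $nick)) {
        return $fallback;
    }

    // Refuse guest nicknames that match a registered name, ignoring case.
    foreach ($registered as $name) {
        if (strcasecmp($name, $nick) === 0) {
            return $fallback;
        }
    }
    return $nick;
}

// Constructed sample data.
$registered = ['admin', 'alice'];
$member = ['uid' => 7, 'name' => 'alice'];
$guest  = ['uid' => 0, 'name' => ''];

echo resolve_chat_nickname($member, 'admin', $registered), "\n";    // member: request value ignored
echo resolve_chat_nickname($guest, 'ADMIN', $registered), "\n";     // guest: collides with an account
echo resolve_chat_nickname($guest, 'visitor_1', $registered), "\n"; // guest: free, well-formed nickname
echo resolve_chat_nickname($guest, '<b>x</b>', $registered), "\n";  // guest: fails the pattern check
```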
#5
Fixed in DRUPAL-4-5, DRUPAL-4-6, DRUPAL-4-7, and HEAD.
#6