Anonymous checkout allow user to be created with illegal characters in username

j0rd - May 28, 2009 - 10:20

Project:	Ubercart
Version:	6.x-2.0-rc3
Component:	Code
Category:	bug report
Priority:	normal
Assigned:	Unassigned
Status:	closed
Issue tags:	ubercamp sprint

In Ubercart, when we have an anonymous checkout, we create a username based off of the email address. Unfortunately in this process we do not check to see if that generated username contains characters Drupal considers invalid. This could create issues in the future, but currently, we're able to login with a generated username which contains invalid characters.

To resolve this we check check the username against

<?php
 function user_validate_name($name) 
?>

in user.module. We should trim out the characters from the email which it considers are invalid and generate the username based off that. The function which generates the username is

<?php
 function uc_store_email_to_username($mail) 
?>

Maybe more work than it's worth, but I figure I'd bring it up.

» Login or register to post comments

#1

j0rd - May 28, 2009 - 10:21

oh. Invalid email example would be a special gMail one like:

myemail+spamtag@gmail.com

Drupal doesn't allow the '+'

#2

rszrama - June 7, 2009 - 04:54

Status:

needs review

» active

Issue sounds worth fixing to me; is there an API function we can use to strip out illegitimate characters?

#3

cha0s - June 7, 2009 - 20:01

Assigned to:

Anonymous

» cha0s

Not that I can see. I was planning on repurposing the validate function for this purpose. Unless I'm blind and missed it. :)

#4

rszrama - June 8, 2009 - 00:21

Why don't we just reduce the username to alphanumeric characters to begin with? There's no real need to preserve periods in the usernames, and that's all I can imagine someone would have in their e-mail addy. I don't think hyphens or underscores are allowed. I'm sure alphanumeric names will pass validation. : )

#5

rszrama - June 29, 2009 - 17:23

#6

cedarm - June 30, 2009 - 03:04

Assigned to:

cha0s

» cedarm

#7

cedarm - June 30, 2009 - 22:24

Status:

active

» needs review

Code copied from the user_import module's _user_import_sanitise_username().

Attachment	Size
ubercart-475226-7.patch	1.15 KB

#8

cedarm - June 30, 2009 - 22:32

On second thought, this patch may be more appropriate since we're starting with an email address.

Attachment	Size
ubercart-475226-8.patch	529 bytes

#9

Island Usurper - July 2, 2009 - 15:06

I don't think [:alnum:] works in preg_replace(). I've only seen it in MySQL regular expressions.

(Oh, it also works in ereg_replace(). Interesting.)

Here's an equivalent expression in PCRE syntax.

Attachment	Size
email_replacement.patch	494 bytes

#10

rszrama - July 3, 2009 - 18:06

Status:

needs review

» fixed

Worked for me. Thanks everyone!

#11

rszrama - July 3, 2009 - 18:11

Status:

fixed

» patch (to be ported)

#12

cha0s - July 4, 2009 - 07:48

Assigned to:	cedarm	» Anonymous
Status:	patch (to be ported)	» needs review

Yarrr, the old 3-liner

Attachment	Size
475226.email_replacement.1.x.patch	558 bytes

#13

rszrama - July 8, 2009 - 02:47

Status:

needs review

» fixed

You be da man. Yarr.

#14

System Message - July 22, 2009 - 02:50

Status:

fixed

» closed

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous checkout allow user to be created with illegal characters in username

Jump to:

#1

#2

#3

#4

#5

#6

#7

#8

#9

#10

#11

#12

#13

#14

User login

Contributor links