From 11340844b349028764ed868aff149943b1f19635 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dufraisse?=
Date: Tue, 5 Oct 2021 12:42:18 +0200
Subject: [PATCH] fix(username): transform < and > to < and > to prevent html code interpretation
---
 actions/userstable.php | 2 +-
 includes/User.class.php | 21 +++++++++++++--------
 lang/yeswiki_fr.php | 1 +
 tools/login/actions/usersettings.php | 4 ++++
 4 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/actions/userstable.php b/actions/userstable.php
index 886620360..46ef01737 100644
--- a/actions/userstable.php
+++ b/actions/userstable.php
@@ -103,7 +103,7 @@ if ($isAdmin && !$userIsTheOneConnected) { // admin and not the current user, then can be deleted
 echo '';
 echo '
';
- echo '';
+ echo '';
 echo '';
 echo $this->FormClose();
 echo '';
diff --git a/includes/User.class.php b/includes/User.class.php
index d64d696c8..df2b87ad2 100644
--- a/includes/User.class.php
+++ b/includes/User.class.php
@@ -1,6 +1,7 @@ wiki = $wiki;
 $this->initUsersTable();
 $this->initLimitations();
+ $this->dbService = $this->wiki->services->get(DbService::class);
 $this->securityController = $this->wiki->services->get(SecurityController::class);
 }
@@ -237,6 +240,8 @@ protected function checkName($newName)
 $this->error = _t('USER_YOU_MUST_SPECIFY_A_NAME').'.';
 } elseif (strlen($newName) > $this->nameMaxLength) {
 $this->error = _t('USER_NAME_S_MAXIMUM_LENGTH_IS').' '.$this->nameMaxLength.'.';
+ } elseif (preg_match('/[!#@<>\\\\\/][^<>\\\\\/]{2,}/',$newName)) {
+ $this->error = _t('USER_THIS_IS_NOT_A_VALID_NAME').'.';
 } else {
 $result = true;
 }
@@ -404,7 +409,7 @@ public function passwordIsCorrect($pwd, $confPassword = '')
 {
 $correct = true;
 if (isset($confPassword) && (trim($confPassword) !='')) {
- if ($confPassword != $pwd) {
+ if ($confPassword !== $pwd) {
 $this->error = _t('USER_PASSWORDS_NOT_IDENTICAL').'.';
 $correct = false;
 }
@@ -542,7 +547,7 @@ public function updatePassword($password, $confPassword='')
 // Update user's password
 $sql = 'UPDATE '.$this->usersTable;
 $sql .= ' SET password = "'.MD5($password).'" ';
- $sql .= 'WHERE name = "'.$this->properties['name'].'" LIMIT 1;';
+ $sql .= 'WHERE name = "'.$this->dbService->escape($this->properties['name']).'" LIMIT 1;';
 $OK = $this->wiki->query($sql); // true or false depending on the query execution
 if ($OK) {
 $this->properties['password'] = md5($password);
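Review bot: The new `elseif` in checkName only rejects a forbidden character when it is followed by at least two characters outside `<>\/`, so names such as `a<b`, `x>`, `foo<>` and even `<b>` still pass, which defeats the commit's stated goal of keeping markup out of usernames. Dropping the `{2,}` tail makes the rule "none of these characters anywhere": `} elseif (preg_match('/[!#@<>\\\\\/]/', $newName)) {`. preg_match() also returns false on a PCRE error, which this condition silently treats as a valid name; comparing with `=== 1` makes that explicit. The rest of checkName, including how `$this->error` is surfaced, lies outside the hunk.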
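Review bot: The rewritten WHERE clause in updatePassword still assembles the statement by concatenation, so its safety now rests entirely on DbService::escape() being aware of the live connection's charset (DbService is not visible in this patch); binding the name through a prepared statement with `WHERE name = ?` would remove that dependency. The line just above it, which the commit leaves unchanged, stores the password as an unsalted `MD5($password)` and the method later mirrors that with `md5($password)`; moving to password_hash()/password_verify() would not alter the method's interface. updatePassword continues outside the hunk.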
@@ -913,9 +918,9 @@ public function delete()
 if ($OK) {
 // Delete user in every group
 $triplesTable = $this->wiki->config['table_prefix'].'triples';
- $searched_value = '%' . $this->properties['name'] . '%';
- $seek_value_bf = '' . $this->properties['name'] . '\n'; // username to delete can be followed by another username
- $seek_value_af = '\n' . $this->properties['name']; // username to delete can follow another username
+ $searched_value = '%' . $this->dbService->escape($this->properties['name']) . '%';
+ $seek_value_bf = '' . $this->dbService->escape($this->properties['name']) . '\n'; // username to delete can be followed by another username
+ $seek_value_af = '\n' . $this->dbService->escape($this->properties['name']); // username to delete can follow another username
 // get rid of this username everytime it's followed by another
 $sql = 'UPDATE '.$triplesTable.'';
 $sql .= ' SET value = REPLACE(value, "'.$seek_value_bf.'", "")';
@@ -940,7 +945,7 @@ public function delete()
 $sql = 'UPDATE `'.$pagesTable.'`';
 // $sql .= ' SET `owner` = NULL';
 $sql .= ' SET `owner` = "" ';
- $sql .= ' WHERE `owner` = "'.$this->properties['name'].'";';
+ $sql .= ' WHERE `owner` = "'.$this->dbService->escape($this->properties['name']).'";';
 $OK = $this->wiki->query($sql);
 if (!$OK) {
 $this->error = _t('USER_DELETE_QUERY_FAILED').'.';
@@ -949,7 +954,7 @@ public function delete()
 // Delete the user row from the user table
 if ($OK) {
 $sql = 'DELETE FROM `'.$this->usersTable.'`';
- $sql .= ' WHERE `name` = "'.$this->properties['name'].'";';
+ $sql .= ' WHERE `name` = "'.$this->dbService->escape($this->properties['name']).'";';
 $OK = $this->wiki->query($sql);
 if (!$OK) {
 $this->error = _t('USER_DELETE_QUERY_FAILED').'.';
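Review bot: `$searched_value` in delete() wraps the escaped name in `%…%`, and the same pattern appears in the listGroupMemberships hunk (`value LIKE "%…%"`), but an SQL escape function normally neutralises quotes and backslashes only, not the LIKE wildcards `%` and `_`, which checkName does not reject either; a name containing them still changes the pattern, and the substring match in any case means `bob` also matches `bobby`. If these patterns must stay, escape the wildcards as well before embedding, e.g. `addcslashes($this->dbService->escape($this->properties['name']), '%_')`, or better, match the exact token inside the newline-separated list rather than a substring. Where `$searched_value` is consumed is outside this hunk, so the LIKE usage in delete() is inferred from the `%` wrapping.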
@@ -1024,7 +1029,7 @@ public function listGroupMemberships()
 $sql = 'SELECT resource FROM '.$triplesTable;
 $sql .= ' WHERE resource LIKE "'.GROUP_PREFIX.'%"';
 $sql .= ' AND property LIKE "'.WIKINI_VOC_ACLS_URI.'"';
- $sql .= ' AND value LIKE "%'.$this->properties['name'].'%";';
+ $sql .= ' AND value LIKE "%'.$this->dbService->escape($this->properties['name']).'%";';
 /* Execute query */
 $results = array();
 if ($groups = $this->wiki->loadAll($sql)) {
diff --git a/lang/yeswiki_fr.php b/lang/yeswiki_fr.php
index 4e6241e09..50901f327 100755
--- a/lang/yeswiki_fr.php
+++ b/lang/yeswiki_fr.php
@@ -365,6 +365,7 @@
 'USER_PASSWORDS_NOT_IDENTICAL' => 'Les deux mots de passe saisis doivent être identiques',
 'USER_PASSWORD_TOO_SHORT' => 'Mot de passe trop court',
 'USER_THIS_EMAIL_IS_ALLREADY_USED_ON_THIS_WIKI' => 'L\'email saisi est déjà utilisé sur ce wiki',
+'USER_THIS_IS_NOT_A_VALID_NAME' => 'Ceci n\'est pas un nom d\'utilisateur valide',
 'USER_THIS_IS_NOT_A_VALID_EMAIL' => 'Ceci n\'est pas un email valide',
 'USER_UPDATE_QUERY_FAILED' => 'La requête de mise à jour de l\'utilisateur dans la base de données a échoué',
 'USER_YOU_MUST_SPECIFY_A_NAME' => 'Veuillez saisir un nom pour l\'utilisateur',
diff --git a/tools/login/actions/usersettings.php b/tools/login/actions/usersettings.php
index 0b6de0e8a..82dc7318b 100644
--- a/tools/login/actions/usersettings.php
+++ b/tools/login/actions/usersettings.php
@@ -184,6 +184,10 @@
 echo $this->FormClose();
 } // End of the one who runs the session is acting
 } else { // Neither logged in user nor admin trying to do something
+ // sanitize $_POST['name']
+ if (isset($_POST['name'])){
+ $_POST['name'] = htmlspecialchars($_POST['name']);
+ }
 if ($action == 'signup') { // user is trying to register
 if (!$this->user->passwordIsCorrect($_POST['password'], $_POST['confpassword'])) {
 $error = $this->user->error;
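Review bot: Rewriting `$_POST['name']` with htmlspecialchars() in usersettings.php encodes the name at input time, so the entity form is what gets stored and compared later: `&` becomes `&amp;` although the commit only targets `<` and `>`, and any path that reads the name without this transformation (login, ACL lists, or the logged-in/admin branch above, which the new block does not cover) will presumably no longer find the user. The more robust layering is to keep the stored name as typed, reject `<` and `>` in checkName, and escape where the name is printed (the userstable.php hunk). If input-time encoding is kept, pass explicit flags, since before PHP 8.1 the default leaves single quotes untouched and does not substitute invalid UTF-8: `$_POST['name'] = htmlspecialchars($_POST['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The enclosing `else` branch continues outside the hunk.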