From 82a4018507c62ab78717e2a84d2077ff021b1c58 Mon Sep 17 00:00:00 2001
From: Seth
Date: Fri, 1 Oct 2021 08:31:24 -0400
Subject: [PATCH] Filter group codes to avoid unexpected input (Eg. wildcards)

---
 app/controllers/LoginRegController.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/controllers/LoginRegController.php b/app/controllers/LoginRegController.php
index 69a6fba1a6..4cc72d0e7b 100644
--- a/app/controllers/LoginRegController.php
+++ b/app/controllers/LoginRegController.php
@@ -606,6 +606,8 @@ function joinGroup() {
 if (!$t_user_group) {
 $this->view->setVar("message", _t("Group code %1 is not valid", $group_code));
+$this->notification->addNotification($this->view->getVar('message'), __NOTIFICATION_TYPE_ERROR__);
+$this->response->setRedirect(caNavUrl($this->request, '', 'Front', 'Index'));
 return;
 }
 if($t_user_group){
@@ -624,14 +626,19 @@ function joinGroup() {
 $controller = "Lightbox";
 }
 $this->response->setRedirect(caNavUrl($this->request, "", $controller, "Index"));
+return;
 } else {
 Session::setVar('join_user_group_id', $group_id);
 $this->view->setVar("message", _t("Login/Register to join \"%1\"", $t_user_group->get("name")));
 $this->loginForm();
+return;
 }
 }else{
 $this->view->setVar("message", _t("Invalid user group"));
 }
+$this->notification->addNotification($this->view->getVar('message'), __NOTIFICATION_TYPE_ERROR__);
+$this->response->setRedirect(caNavUrl($this->request, '', 'Front', 'Index'));
+return;
 }
 # -------------------------------------------------------
 function resetSend(){
@@ -769,6 +776,7 @@ function resetSave(){
 *
 */
 private function _validateGroup(string $group) {
+$group = preg_replace('![^A-Za-z0-9_]+!u', '', $group);
 if(!strlen($group)) {
 $this->view->setVar("message", _t("Group code is empty"));
 return false;
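Review bot: The two added lines in this hunk (`@@ -606`) — addNotification on the view's message followed by the Front/Index redirect — are repeated verbatim as the new tail of the next hunk (`@@ -624`), and both read the message back through `$this->view->getVar('message')` on the line after it was set. A small private helper that takes the message string removes the duplication and the round-trip through the view, and gives every error exit of joinGroup the same behaviour if the redirect target or notification type ever changes. The `return;` added after `$this->loginForm();` in the second hunk is needed so the rendered login form is not overridden by the tail redirect; a one-line comment such as `// loginForm() renders the view; do not fall through to the error redirect` would make that intent explicit. joinGroup's signature and the start of its body lie outside both hunks.
```php
// … unchanged: group lookup …
if (!$t_user_group) {
    $this->_redirectWithError(_t("Group code %1 is not valid", $group_code));
    return;
}
// … unchanged: remainder of joinGroup, with the tail calling $this->_redirectWithError($message) …

/**
 * Records $message on the view and as an error notification, then redirects to Front/Index.
 */
private function _redirectWithError(string $message): void {
    $this->view->setVar("message", $message);
    $this->notification->addNotification($message, __NOTIFICATION_TYPE_ERROR__);
    $this->response->setRedirect(caNavUrl($this->request, '', 'Front', 'Index'));
}
```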
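Review bot: The added `preg_replace` in `_validateGroup` silently rewrites the submitted code instead of rejecting it, so an input containing characters outside `[A-Za-z0-9_]` is coerced into a different, possibly valid, code and the caller cannot tell; comparing the filtered value against the original and failing on mismatch keeps the allowlist while making bad input visible. `preg_replace` also returns `null` on a PCRE error (with the `u` modifier, malformed UTF-8 input triggers one), and the following `strlen($group)` then sees `null`, which only coincidentally maps to "Group code is empty"; the null should be handled explicitly. Given the subject line's concern with wildcards, note that `_` survives the allowlist — if the later lookup uses a pattern-style match, it would still act as a single-character wildcard, which cannot be confirmed from this hunk. The rest of `_validateGroup` continues outside the hunk.
```php
private function _validateGroup(string $group) {
    $filtered = preg_replace('![^A-Za-z0-9_]+!u', '', $group);
    // Reject rather than rewrite: a coerced code could resolve to a different group.
    if ($filtered === null || $filtered !== $group) {
        $this->view->setVar("message", _t("Group code contains invalid characters"));
        return false;
    }
    // … unchanged: empty check and remainder of _validateGroup …
```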