From: ivan Date: Fri, 29 Feb 2008 02:29:57 +0000 (+0000) Subject: disallow uppercase usernames in the first place. also Record::str2time_sql_closing... X-Git-Tag: TRIXBOX_2_6~46 X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=d49cc12aee7462cb3f0cc1073777f1e5c3dbb7f4 disallow uppercase usernames in the first place. also Record::str2time_sql_closing snuck in.
---
diff --git a/FS/FS/Record.pm b/FS/FS/Record.pm
index 703c06fe0..db940034d 100644
--- a/FS/FS/Record.pm
+++ b/FS/FS/Record.pm
@@ -1555,6 +1555,20 @@ sub ut_alphan { ''; }
+=item ut_alpha_lower COLUMN
+
+Check/untaint lowercase alphanumeric strings (no spaces). May not be null. If
+there is an error, returns the error, otherwise returns false.
+
+=cut
+
+sub ut_alpha_lower {
+ my($self,$field)=@_;
+ $self->getfield($field) =~ /[[:upper:]]/
+ and return "Uppercase characters are not permitted in $field";
+ $self->ut_alpha($field);
+}
+
 =item ut_phonen COLUMN [ COUNTRY ] Check/untaint phone numbers. May be null. If there is an error, returns
@@ -2238,9 +2252,9 @@ sub DESTROY { return; } =item str2time_sql [ DRIVER_NAME ] Returns a function to convert to unix time based on database type, such as
-"EXTRACT( EPOCH FROM" for Pg or "UNIX_TIMESTAMP(" for mysql. You are
-responsible for the closing parenthesis yourself. Don't let it down. It's a
-sensitive parenthesis.
+"EXTRACT( EPOCH FROM" for Pg or "UNIX_TIMESTAMP(" for mysql. See
+the str2time_sql_closing method to return a closing string rather than just
+using a closing parenthesis as previously suggested.
 You can pass an optional driver name such as "Pg", "mysql" or $dbh->{Driver}->{Name} to return a function for that database instead of
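Review bot: In ut_alpha_lower (first FS/FS/Record.pm hunk), the uppercase test `$self->getfield($field) =~ /[[:upper:]]/` runs on the raw field before ut_alpha has validated it, and what `[[:upper:]]` matches depends on how the string is encoded: on an undecoded byte string without locale or Unicode rules it covers only ASCII A-Z. Whether a non-ASCII capital could then slip through depends on what ut_alpha accepts, which is outside this hunk. Running the existing validator first keeps the rule easier to reason about: `my $error = $self->ut_alpha($field);`, `return $error if $error;`, and only then the uppercase test on the accepted value, returning `''` on success. An undefined field would also raise an "uninitialized" warning in the match before ut_alpha gets a chance to report the null.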
@@ -2260,6 +2274,24 @@ sub str2time_sql { }
+=item str2time_sql_closing [ DRIVER_NAME ]
+
+Returns the closing suffix of a function to convert to unix time based on
+database type, such as ")::integer" for Pg or ")" for mysql.
+
+You can pass an optional driver name such as "Pg", "mysql" or
+$dbh->{Driver}->{Name} to return a function for that database instead of
+the current database.
+
+=cut
+
+sub str2time_sql_closing {
+ my $driver = shift || driver_name;
+
+ return ' )::INTEGER ' if $driver =~ /^Pg/i;
+ return ' ) ';
+}
+
 =back =head1 BUGS
diff --git a/FS/FS/access_user.pm b/FS/FS/access_user.pm
index 250e432dd..a755daff6 100644
--- a/FS/FS/access_user.pm
+++ b/FS/FS/access_user.pm
@@ -90,6 +90,9 @@ otherwise returns false. sub insert { my $self = shift;
+ my $error = $self->check;
+ return $error if $error;
+
 local $SIG{HUP} = 'IGNORE'; local $SIG{INT} = 'IGNORE'; local $SIG{QUIT} = 'IGNORE';
@@ -101,7 +104,7 @@ sub insert { local $FS::UID::AutoCommit = 0; my $dbh = dbh;
- my $error = $self->htpasswd_kludge();
+ $error = $self->htpasswd_kludge();
 if ( $error ) { $dbh->rollback or die $dbh->errstr if $oldAutoCommit; return $error;
@@ -111,7 +114,14 @@ sub insert { if ( $error ) { $dbh->rollback or die $dbh->errstr if $oldAutoCommit;
+
+ #make sure it isn't a dup username? or you could nuke people's passwords
+ #blah. really just should do our own login w/cookies
+ #and auth out of the db in the first place
+ #my $hterror = $self->htpasswd_kludge('-D');
+ #$error .= " - additionally received error cleaning up htpasswd file: $hterror"
 return $error;
+
 } else { $dbh->commit or die $dbh->errstr if $oldAutoCommit; '';
@@ -236,7 +246,7 @@ sub check { my $error = $self->ut_numbern('usernum')
- || $self->ut_alpha('username')
+ || $self->ut_alpha_lower('username')
 || $self->ut_text('_password') || $self->ut_text('last') || $self->ut_text('first')
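Review bot: The POD added for str2time_sql_closing does not match what the sub returns: it gives `")::integer"` and `")"` as examples while the code returns `' )::INTEGER '` and `' ) '`, and its second paragraph still says the driver argument selects "a function" although this method returns a closing suffix. Suggested wording is `such as " )::INTEGER " for Pg or " ) " for any other driver` and `to return the suffix for that database instead of the current database`. It would also help to state that the same DRIVER_NAME has to be passed to both str2time_sql and str2time_sql_closing, since the two return values are meant to bracket one SQL expression and a mismatched pair would produce invalid SQL.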
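Review bot: In insert in FS/FS/access_user.pm (hunk at -111,7), a failed database insert is rolled back after htpasswd_kludge has already run, so the htpasswd file can keep an entry with no matching access_user row; the added comment block describes this, and the risk of the `-D` cleanup, but leaves both unresolved. That file appears to be what gates login, so the leftover entry is a credential nobody manages, and enabling the commented-out cleanup as written could delete an existing user's entry when the failure was a duplicate username. Consider performing the database insert first and calling htpasswd_kludge only after it succeeds, still before the commit, so that an htpasswd failure rolls the row back. At minimum mark the block `#FIXME: htpasswd entry is not removed when the insert fails; check for an existing username before htpasswd_kludge`. The part of insert between this hunk and the previous one is not visible, so the exact ordering should be confirmed against the full sub.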
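Review bot: Switching `username` to `ut_alpha_lower` in check (last hunk) rejects uppercase only for records validated from now on; nothing in this commit deals with access_user rows that already contain uppercase letters. If the update path also runs check (not visible here), those records will start failing validation on their next edit, and a previously stored mixed-case name can coexist with a new all-lowercase one that differs only by case. A one-time audit or migration of existing usernames would close that gap, and a comment on the changed line such as `# lowercase only; existing mixed-case usernames need a migration` would record the intent. The body of check continues outside the hunk.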