From 0f5d58724badb908b007e05140d22e56aabf3b5c Mon Sep 17 00:00:00 2001
From: spjspj
Date: Mon, 19 Dec 2022 07:03:33 +1100
Subject: [PATCH] Prevent very long and very short usernames (#9815)
* Prevent very long usernames Currently a troll is killing the server with very long usernames. This should validate each person's username up to being a maximum of 500 characters long (similar to the truncated message length).
---
 .../src/main/java/mage/server/Session.java | 38 ++++++++++++++-----
 1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/Mage.Server/src/main/java/mage/server/Session.java b/Mage.Server/src/main/java/mage/server/Session.java
index 90bc5bc887..eda0f13392 100644
--- a/Mage.Server/src/main/java/mage/server/Session.java
+++ b/Mage.Server/src/main/java/mage/server/Session.java
@@ -119,15 +119,8 @@ public class Session {
 return null;
 }
 }
-
- private String validateUserName(String userName) {
- // return error message or null on good name
-
- if (userName.equals("Admin")) {
- // virtual user for admin console
- return "User name Admin already in use";
- }
-
+
+ private String validateUserNameLength(String userName) {
 ConfigSettings config = managerFactory.configSettings();
 if (userName.length() < config.getMinUserNameLength()) {
 return "User name may not be shorter than " + config.getMinUserNameLength() + " characters";
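Review bot: `validateUserNameLength` dereferences `userName` in its first check (`userName.length()`) with no null guard, and the third hunk makes it the first thing `connectUser` runs on the client-supplied name. Whether the transport can deliver a null name is not visible here; if it can, the request ends in a NullPointerException instead of a validation message. A guard at the top such as `if (userName == null) { return "User name is required"; }` keeps that failure on the normal error path. The method body starts in this hunk and continues into the next one.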
@@ -135,6 +128,26 @@ public class Session {
 if (userName.length() > config.getMaxUserNameLength()) {
 return "User name may not be longer than " + config.getMaxUserNameLength() + " characters";
 }
+ if (userName.length() <= 3) {
+ return "User name is too short (3 characters or fewer)";
+ }
+ if (userName.length() >= 500) {
+ return "User name is too long (500 characters or more)";
+ }
+ return null;
+ }
+
+ private String validateUserName(String userName) {
+ // return error message or null on good name
+ if (userName.equals("Admin")) {
+ // virtual user for admin console
+ return "User name Admin already in use";
+ }
+
+ String returnMessage = validateUserNameLength(userName);
+ if (returnMessage != null) {
+ return returnMessage;
+ }
 Pattern invalidUserNamePattern = Pattern.compile(managerFactory.configSettings().getInvalidUserNamePattern(), Pattern.CASE_INSENSITIVE);
 Matcher m = invalidUserNamePattern.matcher(userName);
@@ -183,7 +196,12 @@ public class Session {
 }
 public String connectUser(String userName, String password) throws MageException {
- String returnMessage = connectUserHandling(userName, password);
+ String returnMessage = validateUserNameLength(userName);
+ if (returnMessage != null) {
+ sendErrorMessageToClient(returnMessage);
+ return returnMessage;
+ }
+ returnMessage = connectUserHandling(userName, password);
 if (returnMessage != null) {
 sendErrorMessageToClient(returnMessage);
 }
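Review bot: The two added checks hard-code their limits (`<= 3`, `>= 500`) and are off by one against the commit description: a name of exactly 500 characters is rejected although the description allows a maximum of 500, and a 3-character name is rejected even when `getMinUserNameLength()` permits it. Because they run after the configured bounds, they silently override `ConfigSettings` whenever the configured minimum is 3 or less or the configured maximum is 500 or more. I would name the hard ceiling and compare strictly, e.g. `private static final int HARD_MAX_USER_NAME_LENGTH = 500;` with `if (userName.length() > HARD_MAX_USER_NAME_LENGTH)`, and leave the lower bound to the config value. `validateUserName` continues past the end of this hunk.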
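Review bot: Calling the full `validateUserNameLength` at the top of `connectUser` applies the minimum-length rules to every connect attempt, so any existing account whose name is 3 characters or shorter can no longer log in (whether such accounts exist cannot be told from this diff). `validateUserName` already applies the same rules wherever it is called. The abuse described in the commit message only needs an upper bound here; a max-only check such as `if (userName.length() > config.getMaxUserNameLength())` before `connectUserHandling` would stop oversized names without changing who can connect. For detection it also helps to log the rejected length, not the name itself, on this path. `connectUser` continues past the end of the hunk.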