Prevent very long and very short usernames (#9815)

* Prevent very long usernames

Currently a troll is killing the server with very long usernames.  This should validate each person's username up to being a maximum of 500 characters long (similar to the truncated message length).
This commit is contained in:
spjspj 2022-12-19 07:03:33 +11:00 committed by GitHub
parent 6027d7e987
commit 0f5d58724b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -120,14 +120,7 @@ public class Session {
} }
} }
private String validateUserName(String userName) { private String validateUserNameLength(String userName) {
// return error message or null on good name
if (userName.equals("Admin")) {
// virtual user for admin console
return "User name Admin already in use";
}
ConfigSettings config = managerFactory.configSettings(); ConfigSettings config = managerFactory.configSettings();
if (userName.length() < config.getMinUserNameLength()) { if (userName.length() < config.getMinUserNameLength()) {
return "User name may not be shorter than " + config.getMinUserNameLength() + " characters"; return "User name may not be shorter than " + config.getMinUserNameLength() + " characters";
@ -135,6 +128,26 @@ public class Session {
if (userName.length() > config.getMaxUserNameLength()) { if (userName.length() > config.getMaxUserNameLength()) {
return "User name may not be longer than " + config.getMaxUserNameLength() + " characters"; return "User name may not be longer than " + config.getMaxUserNameLength() + " characters";
} }
if (userName.length() <= 3) {
return "User name is too short (3 characters or fewer)";
}
if (userName.length() >= 500) {
return "User name is too long (500 characters or more)";
}
return null;
}
private String validateUserName(String userName) {
// return error message or null on good name
if (userName.equals("Admin")) {
// virtual user for admin console
return "User name Admin already in use";
}
String returnMessage = validateUserNameLength(userName);
if (returnMessage != null) {
return returnMessage;
}
Pattern invalidUserNamePattern = Pattern.compile(managerFactory.configSettings().getInvalidUserNamePattern(), Pattern.CASE_INSENSITIVE); Pattern invalidUserNamePattern = Pattern.compile(managerFactory.configSettings().getInvalidUserNamePattern(), Pattern.CASE_INSENSITIVE);
Matcher m = invalidUserNamePattern.matcher(userName); Matcher m = invalidUserNamePattern.matcher(userName);
@ -183,7 +196,12 @@ public class Session {
} }
public String connectUser(String userName, String password) throws MageException { public String connectUser(String userName, String password) throws MageException {
String returnMessage = connectUserHandling(userName, password); String returnMessage = validateUserNameLength(userName);
if (returnMessage != null) {
sendErrorMessageToClient(returnMessage);
return returnMessage;
}
returnMessage = connectUserHandling(userName, password);
if (returnMessage != null) { if (returnMessage != null) {
sendErrorMessageToClient(returnMessage); sendErrorMessageToClient(returnMessage);
} }