Bug #418
Zero-width spaces allowed in usernames
| Status: | Closed | Start date: | 08/20/2009 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | Ryan Gordon | % Done: | 100% | |
| Category: | - | |||
| Target version: | - | |||
| Reproducibility: | Always | SQA assignments: | ||
| Reported In MyBB Version: | 1.4.8 |
Description
MyBB allows you to copy another users name and put a zero-width space somewhere in it. To a human it looks exactly the same, which can be used to create problems
History
#1 Updated by Ryan Gordon almost 4 years ago
- Status changed from New to Assigned
- Assignee set to Ryan Gordon
- Reproducibility set to Always
- Reported In MyBB Version set to 1.4.8
#2 Updated by Ryan Gordon almost 4 years ago
Corresponding thread: http://community.mybboard.net/thread-54822.html
#3 Updated by Ryan Gordon almost 4 years ago
- % Done changed from 0 to 100
Applied in changeset r4441.
#4 Updated by Michael Schlechtinger almost 4 years ago
- Status changed from Assigned to Feedback
This fix is working but incomplete. In xmlhttp.php find:
$username = str_replace(array(unicode_chr(160), unicode_chr(173), unicode_chr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237)), array(" ", "-", "", "", ""), $username);
Replace with:
$username = str_replace(array(unicode_chr(160), unicode_chr(173), unicode_chr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $username);
#5 Updated by Ryan Gordon over 3 years ago
- Status changed from Feedback to Resolved
Applied in changeset r4446
#6 Updated by Ryan Gordon over 3 years ago
- Project changed from Security Issues to MyBB
#7 Updated by Ryan Gordon over 3 years ago
- Category set to 12
- Target version set to 1.4.9
#8 Updated by Ryan Gordon over 3 years ago
- Status changed from Resolved to Closed
#9 Updated by Ryan Gordon about 3 years ago
- Project changed from MyBB to Security Issues
- Category deleted (
12) - Target version deleted (
1.4.9)