authorfriendica <info@friendica.com>2012-03-22 01:46:52 -0700
committerfriendica <info@friendica.com>2012-03-22 01:46:52 -0700
commitebdf0ee99e517c6718099fda2f1b2288c42e66da (patch)
tree274a80868cf7a150ca701bbfc7ddb98152e2e42d
parent576eb6cc389d54c29b29b97d3c6d160e61bbf6ca (diff)
prevent re-registrations using a deleted username - not an issue with Friendica but could create a serious privacy issue with federated platforms
-rwxr-xr-xboot.php2
-rwxr-xr-xdatabase.sql6
-rwxr-xr-xinclude/Contact.php6
-rwxr-xr-xmod/register.php10
-rwxr-xr-xmod/regmod.php5
-rwxr-xr-xupdate.php11
6 files changed, 38 insertions, 2 deletions
diff --git a/boot.php b/boot.php
index 910de6f82..04e16e64d 100755
--- a/boot.php
+++ b/boot.php
@@ -11,7 +11,7 @@ require_once('include/cache.php');
define ( 'FRIENDICA_PLATFORM', 'Friendica');
define ( 'FRIENDICA_VERSION', '2.3.1288' );
define ( 'DFRN_PROTOCOL_VERSION', '2.23' );
-define ( 'DB_UPDATE_VERSION', 1132 );
+define ( 'DB_UPDATE_VERSION', 1133 );
define ( 'EOL', "<br />\r\n" );
define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' );
diff --git a/database.sql b/database.sql
index f058bc59e..327b482c0 100755
--- a/database.sql
+++ b/database.sql
@@ -861,3 +861,9 @@ INDEX ( `term` )
) ENGINE = MyISAM DEFAULT CHARSET=utf8;
+CREATE TABLE IF NOT EXISTS `userd` (
+`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
+`username` CHAR( 255 ) NOT NULL,
+INDEX ( `username` )
+) ENGINE = MyISAM DEFAULT CHARSET=utf8;
+
diff --git a/include/Contact.php b/include/Contact.php
index baccea305..d9949b1ef 100755
--- a/include/Contact.php
+++ b/include/Contact.php
@@ -15,6 +15,12 @@ function user_remove($uid) {
call_hooks('remove_user',$r[0]);
+ // save username (actually the nickname as it is guaranteed
+ // unique), so it cannot be re-registered in the future.
+
+ q("insert into userd ( username ) values ( '%s' )",
+ $r[0]['nickname']
+ );
q("DELETE FROM `contact` WHERE `uid` = %d", intval($uid));
q("DELETE FROM `group` WHERE `uid` = %d", intval($uid));
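Review bot: The nickname written to `userd` on the `q("insert into userd ( username ) values ( '%s' )",` line is substituted into the query without `dbesc()`, while the lookup this same commit adds in mod/register.php wraps its value in `dbesc($nickname)`. The value here comes from the `user` row rather than the request, so the practical exposure is small, but the two new `userd` queries should follow one escaping convention: `q("insert into userd ( username ) values ( '%s' )", dbesc($r[0]['nickname']));`. user_remove() starts before this hunk and continues past it.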
diff --git a/mod/register.php b/mod/register.php
index 388b3e250..6d0e2700b 100755
--- a/mod/register.php
+++ b/mod/register.php
@@ -150,6 +150,16 @@ function register_post(&$a) {
if(count($r))
$err .= t('Nickname is already registered. Please choose another.') . EOL;
+ // Check deleted accounts that had this nickname. Doesn't matter to us,
+ // but could be a security issue for federated platforms.
+
+ $r = q("SELECT * FROM `userd`
+ WHERE `username` = '%s' LIMIT 1",
+ dbesc($nickname)
+ );
+ if(count($r))
+ $err .= t('Nickname was once registered here and may not be re-used. Please choose another.') . EOL;
+
if(strlen($err)) {
notice( $err );
return;
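Review bot: The message on the `$err .= t('Nickname was once registered here and may not be re-used...` line is distinguishable from the `Nickname is already registered` message a few lines above, so an unauthenticated visitor can tell that an account with this nickname existed and was deleted, which may itself be information the former owner wanted removed. Reusing the existing wording for both checks avoids that disclosure: `$err .= t('Nickname is already registered. Please choose another.') . EOL;`. Since only existence is tested, `SELECT * FROM \`userd\`` could also be narrowed to `SELECT \`id\` FROM \`userd\``. register_post() starts before this hunk and continues past it.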
diff --git a/mod/regmod.php b/mod/regmod.php
index 17e728ba2..21f41eb01 100755
--- a/mod/regmod.php
+++ b/mod/regmod.php
@@ -64,6 +64,11 @@ function user_allow($hash) {
}
+
+// This does not have to go through user_remove() and save the nickname
+// permanently against re-registration, as the person was not yet
+// allowed to have friends on this system
+
function user_deny($hash) {
$register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1",
diff --git a/update.php b/update.php
index 6a685a6ff..a69742a94 100755
--- a/update.php
+++ b/update.php
@@ -1,6 +1,6 @@
<?php
-define( 'UPDATE_VERSION' , 1132 );
+define( 'UPDATE_VERSION' , 1133 );
/**
*
@@ -1127,3 +1127,12 @@ function update_1131() {
}
+function update_1132() {
+ q("CREATE TABLE IF NOT EXISTS `userd` (
+`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
+`username` CHAR( 255 ) NOT NULL,
+INDEX ( `username` )
+) ENGINE = MYISAM ");
+
+}
+
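Review bot: The `CREATE TABLE IF NOT EXISTS \`userd\`` in update_1132() omits `DEFAULT CHARSET=utf8`, which the definition of the same table added to database.sql in this commit includes. Upgraded installs will therefore create `userd` in the server's default character set, so a nickname containing non-ASCII characters could compare differently against this table than on a fresh install, and the re-registration check would behave inconsistently between the two. Aligning the last line with database.sql fixes it: `) ENGINE = MyISAM DEFAULT CHARSET=utf8 ");`.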