2013-10-10, 12:13 PM
https://github.com/mybb/mybb/commit/21a6...23117a6ac5
Seems like a really ugly fix. If it's a DB issue, why are the changes sprinkled around everywhere instead of being put in the MySQL class?
Though apart from the PM issue (which is really a bug in the PM code), I don't really see how this is particularly a security issue, though it does cause odd behaviour in places. I'd recommend fixing these bugs instead of trying to prevent blank usernames, since you can't simply assume you can catch all possible loopholes (hint: the current codebase doesn't).
Firstly, plug this, inc/datahandlers/pm.php:
Fixes security issue, plus saves an unnecessary query in most cases.
Next, I'd go through and see which places break with unexpected blank strings (eg user being displayed as Guest).
Oh, and if you're going to block these characters, puh-lease revert the above commit and do it in the right place (MySQL class). Neater code, less gunk spread everywhere, and also "fixes" plugins or other code modifications that use MyBB properly.
You may also wish to consider people who are using the utf8mb4 character set, as they probably want 4 byte UTF-8 characters, or those not even using UTF-8 (yeah, I know MyBB doesn't really support anything other than UTF-8, so moot point perhaps).
I'm guessing the installation here has a latin1 character set, hence it not barfing at this user name. It could've been fun otherwise.
Nevertheless, thanks for the work that went into fix, as well as the focus on security and continued development of the project.
Seems like a really ugly fix. If it's a DB issue, why are the changes sprinkled around everywhere instead of being put in the MySQL class?
Though apart from the PM issue (which is really a bug in the PM code), I don't really see how this is particularly a security issue, though it does cause odd behaviour in places. I'd recommend fixing these bugs instead of trying to prevent blank usernames, since you can't simply assume you can catch all possible loopholes (hint: the current codebase doesn't).
Firstly, plug this, inc/datahandlers/pm.php:
foreach(array("to", "bcc") as $recipient_type)
{
Add below: if(!$pm[$recipient_type])
{
continue;
}
Fixes security issue, plus saves an unnecessary query in most cases.
Next, I'd go through and see which places break with unexpected blank strings (eg user being displayed as Guest).
Oh, and if you're going to block these characters, puh-lease revert the above commit and do it in the right place (MySQL class). Neater code, less gunk spread everywhere, and also "fixes" plugins or other code modifications that use MyBB properly.
You may also wish to consider people who are using the utf8mb4 character set, as they probably want 4 byte UTF-8 characters, or those not even using UTF-8 (yeah, I know MyBB doesn't really support anything other than UTF-8, so moot point perhaps).
I'm guessing the installation here has a latin1 character set, hence it not barfing at this user name. It could've been fun otherwise.
Nevertheless, thanks for the work that went into fix, as well as the focus on security and continued development of the project.