Ticket #2729 (closed defect (bug): fixed)
Regular expression bug in sanitize_user
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | General | Version: | 2.0.2 |
| Severity: | normal | Keywords: | has-patch commit |
| Cc: | | | |
Description
I think I may have found a bug in the sanitize_user function in functions-formatting.php. Currently, lines 275 - 277 read:
// If strict, reduce to ASCII for max portability.
if ( $strict )
    $username = preg_replace('|[a-z0-9 _.-@]|i', , $username);
It appears that what this is trying to do is allow hyphens (along with many other characters). However, the regex does not match the hyphens. I believe the regex needs a backslash like this:
$username = preg_replace('|[a-z0-9 _.\-@]|i', , $username);
I checked on the hackers mailing list and received confirmation that this appears to be a bug before submitting it here.
NOTE: The wiki formatting is stripping some of the information from the regular expressions above. I looked at the formatting guide, and didn't see a good way to escape it correctly. The gist of the ticket is that a backslash needs to be put before the hyphen. Please check the original source code to get a clean version of the regex.
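Why the unescaped hyphen matters, shown as an added example that is not part of the ticket or of WordPress's code: inside a character class, `.-@` is parsed as the range 0x2E to 0x40, so the strict filter keeps `/ : ; < = > ?` and strips `-`. The sketch assumes the real pattern is a negated class with an empty-string replacement (the ticket's rendering shows neither); the helper names and sample usernames are constructed.

```php
<?php
// Added illustration, not WordPress source.
// Assumption: the real pattern is a negated class ([^...]) and the
// replacement is '', both of which the ticket's wiki rendering dropped.
const UNESCAPED = '|[^a-z0-9 _.-@]|i';   // ".-@" is the range 0x2E..0x40
const ESCAPED   = '|[^a-z0-9 _.\-@]|i';  // "\-" is a literal hyphen

// Return every printable ASCII character that survives the filter.
function survivors(string $pattern): string {
    $all = '';
    for ($c = 0x20; $c <= 0x7E; $c++) {
        $all .= chr($c);
    }
    return preg_replace($pattern, '', $all);
}

// Characters present in $a but absent from $b, in ASCII order.
function only_in(string $a, string $b): string {
    return implode('', array_diff(str_split($a), str_split($b)));
}

$before = survivors(UNESCAPED);
$after  = survivors(ESCAPED);

echo "kept only by the unescaped pattern: ", only_in($before, $after), "\n";
echo "kept only by the escaped pattern:   ", only_in($after, $before), "\n";

// Constructed sample usernames, run through both patterns.
foreach (['mary-ann', 'bob<script>', 'a/b?c=d'] as $name) {
    printf(
        "%-12s unescaped=%-12s escaped=%s\n",
        $name,
        preg_replace(UNESCAPED, '', $name),
        preg_replace(ESCAPED, '', $name)
    );
}
```

Enumerating the surviving characters this way is a quick regression check for any allow-list regex: a stray range shows up as unexpected punctuation in the output.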
Attachments
Change History
markjaquith — 6 years ago
- attachment regex_escape_dash.diff added
comment:1
markjaquith — 6 years ago
- Keywords has-patch commit added
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
Uploaded patch adds escaping slash to the regex.
- Status changed from assigned to closed
- Resolution set to fixed

patch to fix the regex