Topic: Same username is allowed in registration if letter case differs (Postgres)

Offline lwiz

  • Semi-Newbie
  • Posts: 17
New users could register the same username in our forums if they used different letter case, for example user and User. The problem is Postgres-specific, I reckon, and as a quick and dirty fix I changed line 970 (the SELECT under // Make sure they don't want someone else's name.) as follows:

Code:
AND ') . '(LOWER(real_name) LIKE LOWER({string:check_name}) OR LOWER(member_name) LIKE LOWER({string:check_name}))
As this is Postgres-specific, it does have an impact on very few boards, but I deem it serious enough to report as it can be used maliciously.

-Lwiz
« Last Edit: July 30, 2018, 10:24:29 AM by Gwenwyfar »

Online albertlast

  • Development Contributor
  • Jr. Member
  • Posts: 317
In SMF 2.1 this fix is already included: https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Subs-Members.php#L914

Code:
// Make sure they don't want someone else's name.
$request = $smcFunc['db_query']('', '
    SELECT id_member
    FROM {db_prefix}members
    WHERE ' . (empty($current_ID_MEMBER) ? '' : 'id_member != {int:current_member}
        AND ') . '({raw:real_name} {raw:operator} LOWER({string:check_name}) OR {raw:member_name} {raw:operator} LOWER({string:check_name}))
    LIMIT 1',
    array(
        'real_name' => $smcFunc['db_case_sensitive'] ? 'LOWER(real_name)' : 'real_name',
        'member_name' => $smcFunc['db_case_sensitive'] ? 'LOWER(member_name)' : 'member_name',
        'current_member' => $current_ID_MEMBER,
        'check_name' => $checkName,
        'operator' => $operator,
    )
);
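
Added example, not part of the thread or of SMF's code: a Python sketch that uses an in-memory SQLite table as a stand-in for Postgres (both compare text with `=` case-sensitively by default). It contrasts the case-sensitive name check with the LOWER() comparison discussed above, and adds a unique index on LOWER(member_name) as a database-level backstop. The schema, index name and function names are assumptions.

```python
import sqlite3

def make_db(unique_lower_index=False):
    """In-memory stand-in for the members table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id_member INTEGER PRIMARY KEY, "
               "member_name TEXT NOT NULL, real_name TEXT NOT NULL)")
    if unique_lower_index:
        # Database-level backstop: uniqueness on the case-folded name.
        db.execute("CREATE UNIQUE INDEX members_name_ci "
                   "ON members (LOWER(member_name))")
    return db

def name_taken_case_sensitive(db, name):
    # Plain '=' on text is case-sensitive, so 'User' does not match 'user'.
    row = db.execute("SELECT id_member FROM members "
                     "WHERE real_name = ? OR member_name = ? LIMIT 1",
                     (name, name)).fetchone()
    return row is not None

def name_taken_case_folded(db, name):
    # Fold both sides, as the LOWER(...) comparison in the thread does.
    row = db.execute("SELECT id_member FROM members "
                     "WHERE LOWER(real_name) = LOWER(?) "
                     "OR LOWER(member_name) = LOWER(?) LIMIT 1",
                     (name, name)).fetchone()
    return row is not None

def register(db, name, check):
    """Return True if the account was created, False if it was rejected."""
    if check(db, name):
        return False
    try:
        db.execute("INSERT INTO members (member_name, real_name) "
                   "VALUES (?, ?)", (name, name))
    except sqlite3.IntegrityError:
        return False  # the unique index caught what the check missed
    return True

if __name__ == "__main__":
    for label, check, indexed in (
        ("case-sensitive check", name_taken_case_sensitive, False),
        ("LOWER() check", name_taken_case_folded, False),
        ("case-sensitive check + unique index", name_taken_case_sensitive, True),
    ):
        db = make_db(indexed)
        results = [register(db, n, check) for n in ("user", "User")]  # constructed names
        print(f"{label}: user={results[0]} User={results[1]}")
```

The index also closes the window between the SELECT and the INSERT when two registrations arrive at the same time, which an application-level check alone cannot do.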

Offline lwiz

  • Semi-Newbie
  • Posts: 17
Does the 2.1 code apply cleanly to 2.0 or is it 2.1 specific?

Online albertlast

  • Development Contributor
  • Jr. Member
  • Posts: 317
Dunno,
I only care about SMF 2.1 and its Postgres support.