From 5fff7504e5e531ae4dadad73ca40624135a01995 Mon Sep 17 00:00:00 2001 From: Apple Sheeple Date: Mon, 18 Sep 2023 22:31:27 +0300 Subject: [PATCH] Reject registration application if sanitizing the username modifies it This removes the possibility of using a mix of sanitized and non-sanitized values for `username` in code. Signed-off-by: Apple Sheeple --- crates/api_crud/src/user/create.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crates/api_crud/src/user/create.rs b/crates/api_crud/src/user/create.rs index 02c95cb04..22dcd0dc4 100644 --- a/crates/api_crud/src/user/create.rs +++ b/crates/api_crud/src/user/create.rs @@ -89,7 +89,10 @@ pub async fn register( let slur_regex = local_site_to_slur_regex(&local_site); check_slurs(&data.username, &slur_regex)?; check_slurs_opt(&data.answer, &slur_regex)?; - let username = sanitize_html_api(&data.username); + + if sanitize_html_api(&data.username) != data.username { + Err(LemmyErrorType::InvalidName)?; + } let actor_keypair = generate_actor_keypair()?; is_valid_actor_name(&data.username, local_site.actor_name_max_length as usize)?; @@ -109,7 +112,7 @@ pub async fn register( // Register the new person let person_form = PersonInsertForm::builder() - .name(username) + .name(data.username.clone()) .actor_id(Some(actor_id.clone())) .private_key(Some(actor_keypair.private_key)) .public_key(actor_keypair.public_key)