Index: moodle/admin/uploaduser.php --- moodle/admin/uploaduser.php Base (1.103) +++ moodle/admin/uploaduser.php Locally Modified (Based On 1.103) @@ -267,9 +267,8 @@ // normalize username $user->username = $textlib->strtolower($user->username); - if (empty($CFG->extendedusernamechars)) { - $user->username = preg_replace('/[^(-\.[:alnum:])]/i', '', $user->username); - } + $user->username = clean_param($user->username, PARAM_USERNAME); + if (empty($user->username)) { $upt->track('status', get_string('missingfield', 'error', 'username'), 'error'); $upt->track('username', $errorstr, 'error'); Index: moodle/lib/moodlelib.php --- moodle/lib/moodlelib.php Base (1.1266) +++ moodle/lib/moodlelib.php Locally Modified (Based On 1.1266) @@ -219,6 +219,10 @@ */ define('PARAM_URL', 'url'); +/** + * PARAM_USERNAME - Clean username to only contains specified characters. + */ +define('PARAM_USERNAME', 'username'); ///// DEPRECATED PARAM TYPES OR ALIASES - DO NOT USE FOR NEW CODE ///// @@ -463,6 +467,7 @@ * @uses PARAM_BASE64 * @uses PARAM_TAG * @uses PARAM_SEQUENCE + * @uses PARAM_USERNAME * @param mixed $param the variable we are cleaning * @param int $type expected format of param after cleaning. * @return mixed @@ -720,6 +725,15 @@ return ''; // Specified theme is not installed } + case PARAM_USERNAME: + $param = str_replace(" " , "", $param); + if (empty($CFG->extendedusernamechars)) { + // regular expression, eliminate all chars EXCEPT: + // alphanum, dash (-), underscore (_), at sign (@) and period (.) characters. + $param = preg_replace('/[^\-\._@[:alnum:]]/i', '', $param); + } + return $param; + default: // throw error, switched parameters in optional_param or another serious problem print_error("unknownparamtype", '', '', $type); } Index: moodle/lib/simpletest/testmoodlelib.php --- moodle/lib/simpletest/testmoodlelib.php Base (1.28) +++ moodle/lib/simpletest/testmoodlelib.php Locally Modified (Based On 1.28) @@ -266,6 +266,7 @@ * @uses PARAM_LOCALURL * @uses PARAM_CLEANHTML * @uses PARAM_SEQUENCE + * @uses PARAM_USERNAME * @param mixed $param the variable we are cleaning * @param int $type expected format of param after cleaning. * @return mixed @@ -295,8 +296,35 @@ $this->assertEqual(clean_param('/just/a/path', PARAM_LOCALURL), '/just/a/path'); $this->assertEqual(clean_param('funny:thing', PARAM_LOCALURL), ''); $this->assertEqual(clean_param('course/view.php?id=3', PARAM_LOCALURL), 'course/view.php?id=3'); + + $currentstatus = $CFG->extendedusernamechars; + + // Run tests with extended character == FALSE; + if($CFG->extendedusernamechars == FALSE){ + $this->assertEqual(clean_param('johndoe123', PARAM_USERNAME), 'johndoe123' ); + $this->assertEqual(clean_param('john.doe', PARAM_USERNAME), 'john.doe'); + $this->assertEqual(clean_param('john-doe', PARAM_USERNAME), 'john-doe'); + $this->assertEqual(clean_param('john- doe', PARAM_USERNAME), 'john-doe'); + $this->assertEqual(clean_param('john_doe', PARAM_USERNAME), 'john_doe'); + $this->assertEqual(clean_param('john@doe', PARAM_USERNAME), 'john@doe'); + $this->assertEqual(clean_param('john~doe', PARAM_USERNAME), 'johndoe'); + $this->assertEqual(clean_param('john´doe', PARAM_USERNAME), 'johndoe'); + $this->assertEqual(clean_param('john#$%&() ', PARAM_USERNAME), 'john'); + $this->assertEqual(clean_param('johndóé ', PARAM_USERNAME), 'johnd'); + $this->assertEqual(clean_param('john.,:;-_/|\ñÑ[]A_X-,D {} ~!@#$%^&*()_+ ?><[] ščřžžý ?ýáž?žý??šdoe ', PARAM_USERNAME), 'john.-_A_X-D@_doe'); + } else { + // Test success condition, if extendedusernamechars == ENABLE; + $this->assertEqual(clean_param('john_doe', PARAM_USERNAME), 'john_doe'); + $this->assertEqual(clean_param('john@doe', PARAM_USERNAME), 'john@doe'); + $this->assertEqual(clean_param('john# $%&()+_^', PARAM_USERNAME), 'john#$%&()+_^'); + $this->assertEqual(clean_param('john~doe', PARAM_USERNAME), 'john~doe'); + $this->assertEqual(clean_param('john´doe', PARAM_USERNAME), 'john´doe'); + $this->assertEqual(clean_param('johndóé ', PARAM_USERNAME), 'johndóé'); } + $CFG->extendedusernamechars = $currentstatus; + } + function test_validate_param() { try { $param = validate_param('11a', PARAM_INT); Index: moodle/login/index.php --- moodle/login/index.php Base (1.167) +++ moodle/login/index.php Locally Modified (Based On 1.167) @@ -114,7 +114,7 @@ $frm->username = trim(moodle_strtolower($frm->username)); if (is_enabled_auth('none') && empty($CFG->extendedusernamechars)) { - $string = preg_replace("~[^(-\.[:alnum:])]~i", "", $frm->username); + $string = clean_param($frm->username, PARAM_USERNAME); if (strcmp($frm->username, $string)) { $errormsg = get_string('username').': '.get_string("alphanumerical"); $errorcode = 2; Index: moodle/login/signup_form.php --- moodle/login/signup_form.php Base (1.44) +++ moodle/login/signup_form.php Locally Modified (Based On 1.44) @@ -99,7 +99,7 @@ $errors['username'] = get_string('usernameexists'); } else { if (empty($CFG->extendedusernamechars)) { - $string = preg_replace("~[^(-\.[:alnum:])]~i", '', $data['username']); + $string = clean_param($data['username'], PARAM_USERNAME); if (strcmp($data['username'], $string)) { $errors['username'] = get_string('alphanumerical'); } Index: moodle/user/editadvanced.php --- moodle/user/editadvanced.php Base (1.63) +++ moodle/user/editadvanced.php Locally Modified (Based On 1.63) @@ -136,7 +136,7 @@ $authplugin = get_auth_plugin($usernew->auth); } - $usernew->username = trim($usernew->username); + $usernew->username = clean_param($usernew->username, PARAM_USERNAME); $usernew->timemodified = time(); if ($usernew->id == -1) { Index: moodle/user/editadvanced_form.php --- moodle/user/editadvanced_form.php Base (1.35) +++ moodle/user/editadvanced_form.php Locally Modified (Based On 1.35) @@ -145,7 +145,7 @@ $err['username'] = get_string('usernamelowercase'); } else { if (empty($CFG->extendedusernamechars)) { - $string = preg_replace("/[^(-\.[:alnum:])]/i", '', $usernew->username); + $string = clean_param($usernew->username, PARAM_USERNAME); if ($usernew->username !== $string) { $err['username'] = get_string('alphanumerical'); }