Fixes possible vulnerabilities with keyword hijacking (#20)

- Added public entries to reserved keywords list
- Rename variables
- Derped comment
tokarchuk/v1.17
LefsFlare 8 years ago committed by Thibault Meyer
parent 3dedc027ac
commit 3ef022b071
  1. 8
      models/user.go

@ -505,12 +505,12 @@ func NewGhostUser() *User {
} }
var ( var (
reversedUsernames = []string{"debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."} reservedUsernames = []string{"assets", "css", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
reversedUserPatterns = []string{"*.keys"} reservedUserPatterns = []string{"*.keys"}
) )
// isUsableName checks if name is reserved or pattern of name is not allowed // isUsableName checks if name is reserved or pattern of name is not allowed
// based on given reversed names and patterns. // based on given reserved names and patterns.
// Names are exact match, patterns can be prefix or suffix match with placeholder '*'. // Names are exact match, patterns can be prefix or suffix match with placeholder '*'.
func isUsableName(names, patterns []string, name string) error { func isUsableName(names, patterns []string, name string) error {
name = strings.TrimSpace(strings.ToLower(name)) name = strings.TrimSpace(strings.ToLower(name))
@ -535,7 +535,7 @@ func isUsableName(names, patterns []string, name string) error {
} }
func IsUsableUsername(name string) error { func IsUsableUsername(name string) error {
return isUsableName(reversedUsernames, reversedUserPatterns, name) return isUsableName(reservedUsernames, reservedUserPatterns, name)
} }
// CreateUser creates record of a new user. // CreateUser creates record of a new user.
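Review bot: The `reservedUsernames` list in the first hunk is a hand-maintained denylist, so the six names added here (`assets`, `css`, `img`, `js`, `less`, `plugins`) only cover the public entries that exist today; a top-level route or static directory added later without a matching entry could again be shadowed by a user account of that name. I would record the invariant next to the list, e.g. `// reservedUsernames must contain every top-level route segment and every public directory entry; a missing name can be registered and shadow that path.`, and ideally back it with a test that compares the list against the directory listing. The check shown runs only through `IsUsableUsername`, so accounts already registered under one of the new names are presumably unaffected by this commit and may need a one-off audit. The exported `IsUsableUsername` in the second hunk also has no doc comment; `// IsUsableUsername returns an error if name is reserved or matches a reserved pattern.` would do. The body of `isUsableName` lies between the two hunks and is not visible here.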
