Jforrester has submitted this change and it was merged.

Change subject: SECURITY: Check for valid but unusable user names
......................................................................


SECURITY: Check for valid but unusable user names

Otherwise, if a name is usable on one wiki and reserved on another in
the same SUL grouping, you can log in on the first and be logged in on
the second when you shouldn't be able to.

Bug: T130384
Change-Id: If4c0815b2629d20f979aca41bcee4e8050d2f28e
---
M .gitreview
M CentralAuthHooks.php
2 files changed, 9 insertions(+), 1 deletion(-)

Approvals:
  Anomie: Looks good to me, approved
  Jforrester: Verified; Looks good to me, approved



diff --git a/.gitreview b/.gitreview
index c6f1e35..4617584 100644
--- a/.gitreview
+++ b/.gitreview
@@ -2,4 +2,4 @@
 host=gerrit.wikimedia.org
 port=29418
 project=mediawiki/extensions/CentralAuth.git
-defaultbranch=master
+defaultbranch=REL1_23
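Review bot: The `.gitreview` `defaultbranch` switch to `REL1_23` is branch housekeeping unrelated to the security fix in the commit subject; it matches the `Gerrit-Branch: REL1_23` target, so it is acceptable as a backport setup, but it would be cleaner in its own commit so the security change stays a single-purpose cherry-pick.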
diff --git a/CentralAuthHooks.php b/CentralAuthHooks.php
index c2334e1..ec36886 100644
--- a/CentralAuthHooks.php
+++ b/CentralAuthHooks.php
@@ -76,6 +76,10 @@
                                wfDebug( __METHOD__ . ": invalid username\n" );
                                return null;
                        }
+                       if ( !User::isUsableName( $userName ) ) {
+                               wfDebug( __METHOD__ . ": username $userName is 
not usable on this wiki" );
+                               return null;
+                       }
 
                        // Try the central user
                        $centralUser = new CentralAuthUser( $userName );
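Review bot: The new `wfDebug` message in this hunk drops the trailing `"\n"` that the adjacent `": invalid username\n"` call uses, so the log line will run into whatever is written next; suggest `": username $userName is not usable on this wiki\n"`. The check itself is the right shape: `User::isValidUserName` only rejects malformed names, while `User::isUsableName` also honours per-wiki reservations, which is exactly the gap the commit message describes, and returning `null` here keeps the caller on the same "no session user" path as the invalid-name branch above it.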
@@ -545,6 +549,10 @@
                                wfDebug( __METHOD__ . ": invalid username\n" );
                                return true;
                        }
+                       if ( !User::isUsableName( $userName ) ) {
+                               wfDebug( __METHOD__ . ": username $userName is 
not usable on this wiki" );
+                               return true;
+                       }
 
                        // Try the central user
                        // Don't use CentralAuthUser::getInstance, we don't 
want to cache it on failure.
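Review bot: Same missing `"\n"` at the end of the `wfDebug` string as in the first hunk; keep the two messages identical (including the newline) so the two code paths are easy to grep together. Returning `true` here rather than `null` is consistent with the `return true;` in the invalid-username branch immediately above, so the hook continues without a central user on an unusable name, which is the intended fail-closed behaviour.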

-- 
To view, visit https://gerrit.wikimedia.org/r/304861
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If4c0815b2629d20f979aca41bcee4e8050d2f28e
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: REL1_23
Gerrit-Owner: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: Alex Monk <a...@wikimedia.org>
Gerrit-Reviewer: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Jforrester <jforres...@wikimedia.org>
Gerrit-Reviewer: Legoktm <legoktm.wikipe...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
