From: Josephos Date: Tue, 4 Jul 2023 10:41:58 +0000 (+0200) Subject: Improved validation of display names (Fixes #3436) (#3437) X-Git-Url: http://these/git/%7B%60%24%7BarchiveUrl%7D/static/gitweb.js?a=commitdiff_plain;h=cdc5b478860607193942d28ba825f9bf00e05e0b;p=lemmy.git Improved validation of display names (Fixes #3436) (#3437) * Fixed validation of display names Fixed validation of display names: reject names beginning with invisible unicode characters. * Formatting Formatting fix. * Expanded list of forbidden Unicode characters. Validation now checks for disallowed characters anywhere in the name. * Formatting * Added a comment detailing source of the list of invisible chars. --- diff --git a/crates/utils/src/utils/validation.rs b/crates/utils/src/utils/validation.rs index 347d791a..e43ddbbb 100644 --- a/crates/utils/src/utils/validation.rs +++ b/crates/utils/src/utils/validation.rs @@ -24,6 +24,62 @@ const BIO_MAX_LENGTH: usize = 300; const SITE_NAME_MAX_LENGTH: usize = 20; const SITE_NAME_MIN_LENGTH: usize = 1; const SITE_DESCRIPTION_MAX_LENGTH: usize = 150; +//Invisible unicode characters, taken from https://invisible-characters.com/ +const FORBIDDEN_DISPLAY_CHARS: [char; 53] = [ + '\u{0009}', + '\u{00a0}', + '\u{00ad}', + '\u{034f}', + '\u{061c}', + '\u{115f}', + '\u{1160}', + '\u{17b4}', + '\u{17b5}', + '\u{180e}', + '\u{2000}', + '\u{2001}', + '\u{2002}', + '\u{2003}', + '\u{2004}', + '\u{2005}', + '\u{2006}', + '\u{2007}', + '\u{2008}', + '\u{2009}', + '\u{200a}', + '\u{200b}', + '\u{200c}', + '\u{200d}', + '\u{200e}', + '\u{200f}', + '\u{202f}', + '\u{205f}', + '\u{2060}', + '\u{2061}', + '\u{2062}', + '\u{2063}', + '\u{2064}', + '\u{206a}', + '\u{206b}', + '\u{206c}', + '\u{206d}', + '\u{206e}', + '\u{206f}', + '\u{3000}', + '\u{2800}', + '\u{3164}', + '\u{feff}', + '\u{ffa0}', + '\u{1d159}', + '\u{1d173}', + '\u{1d174}', + '\u{1d175}', + '\u{1d176}', + '\u{1d177}', + '\u{1d178}', + '\u{1d179}', + '\u{1d17a}', +]; fn has_newline(name: &str) -> bool { name.contains('\n') @@ -42,8 +98,8 @@ pub fn is_valid_actor_name(name: &str, actor_name_max_length: usize) -> LemmyRes // Can't do a regex here, reverse lookarounds not supported pub fn is_valid_display_name(name: &str, actor_name_max_length: usize) -> LemmyResult<()> { - let check = !name.starts_with('@') - && !name.starts_with('\u{200b}') + let check = !name.contains(FORBIDDEN_DISPLAY_CHARS) + && !name.starts_with('@') && name.chars().count() >= 3 && name.chars().count() <= actor_name_max_length && !has_newline(name);