From ab832aec75ef5ddfeaca000c371599461bb1845e Mon Sep 17 00:00:00 2001 From: Retro_Guy Date: Sat, 5 Nov 2022 19:26:52 +0000 Subject: [PATCH] Add some character restrictions to new usernames. --- Rocksolid_Light/common/register.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Rocksolid_Light/common/register.php b/Rocksolid_Light/common/register.php index 3ce54e8..7af7e51 100644 --- a/Rocksolid_Light/common/register.php +++ b/Rocksolid_Light/common/register.php @@ -9,6 +9,9 @@ $keys = unserialize(file_get_contents($keyfile)); $email_registry = $spooldir.'/email_registry.dat'; unlink($_POST['captchaimage']); +$username_allowed_chars = "a-zA-Z0-9_."; +$clean_username = preg_replace("/[^$username_allowed_chars]/", "", $_POST['username']); + if((password_verify($keys[0],$_POST['key'])) || (password_verify($keys[1],$_POST['key']))) { $auth_ok = true; } else { @@ -172,6 +175,16 @@ if (empty($_POST['username'])) { exit(2); } +if($clean_username != $_POST['username']) { + echo "The username entered contains disallowed characters.
"; + echo "Allowed characters:
letters, numbers, underscore, hypen, full stop

"; + echo '
'; + echo ''; + echo ''; + echo ''; + exit(2); +} + if (($_POST['password'] !== $_POST['password2']) || $_POST['password'] == '') { echo "Your passwords entered do not match\r\n"; echo '';
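Review bot: The check `if($clean_username != $_POST['username'])` uses PHP's loose comparison, which compares two numeric strings as numbers, so a submitted name can differ from its cleaned form and still compare equal; the visible lines also never confirm that the field is a string rather than an array. A strict, anchored test avoids both problems, for example `if (!is_string($_POST['username']) || !preg_match('/\A[a-zA-Z0-9_.]+\z/', $_POST['username'])) {`, with only the validated value used afterwards. The message lists a hyphen (spelled "hypen") as allowed, but `$username_allowed_chars` in the first hunk is `a-zA-Z0-9_.` with no hyphen, so either add `-` at the end of the class or drop it from the text. The class also accepts names made only of full stops, which matters if the name is later used in a file path; that use is outside the hunk, so it needs confirming.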