Only alphanumeric characters are allowed in the user name, so terminate
the connection if any "strange" characters have been supplied by the user.
This is how other IRC daemons (like ircd2.11 and ircd-seven) behave ...
IRC_USER(CLIENT * Client, REQUEST * Req)
{
CLIENT *c;
-#ifdef IDENTAUTH
char *ptr;
-#endif
assert(Client != NULL);
assert(Req != NULL);
Client_ID(Client),
Req->command);
- /* User name */
+ /* User name: only alphanumeric characters are allowed! */
+ ptr = Req->argv[0];
+ while (*ptr) {
+ if ((*ptr < '0' || *ptr > '9') &&
+ (*ptr < 'A' || *ptr > 'Z') &&
+ (*ptr < 'a' || *ptr > 'z')) {
+ Conn_Close(Client_Conn(Client), NULL,
+ "Invalid user name", true);
+ return DISCONNECTED;
+ }
+ ptr++;
+ }
+
#ifdef IDENTAUTH
ptr = Client_User(Client);
if (!ptr || !*ptr || *ptr == '~')
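Review bot: An empty user name passes the new check, because the body of `while (*ptr)` never runs when `Req->argv[0]` is `""`. If the request parser can deliver an empty first parameter (not visible in this hunk), add a guard before the loop, `if (!*ptr)`, that takes the same `Conn_Close(...)` / `return DISCONNECTED;` path. The loop also reads `Req->argv[0]` unconditionally, so it depends on an argument-count check earlier in IRC_USER; that part of the function lies outside the hunk and should be confirmed to run before this point. The explicit ASCII ranges are locale-independent, unlike `isalnum()`, and a short comment such as `/* ASCII only on purpose: isalnum() depends on the locale */` would keep a later cleanup from widening the accepted set.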