From aefeff9d9fe53225e9626a411b83dfc1a5adc181 Mon Sep 17 00:00:00 2001
From: "preed%sigkill.com" <>
Date: Fri, 30 Aug 2002 22:24:12 +0000
Subject: Bug 165221: Apostrophes not properly handled during account creation. r=joel,r2=bbaetz
---
createaccount.cgi | 1 -
globals.pl | 12 ++++++++++--
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/createaccount.cgi b/createaccount.cgi
index 79be1bb64..13256f47b 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -65,7 +65,6 @@ if (defined($login)) {
# We've been asked to create an account.
my $realname = trim($::FORM{'realname'});
CheckEmailSyntax($login);
- trick_taint($login);
$vars->{'login'} = $login;
if (!ValidateNewUser($login)) {
diff --git a/globals.pl b/globals.pl
index 21bdc46cf..624f31171 100644
--- a/globals.pl
+++ b/globals.pl
@@ -552,11 +552,19 @@ sub ValidateNewUser {
return 0;
}
+ my $sqluname = SqlQuote($username);
+
# Reject if the new login is part of an email change which is
# still in progress
+ #
+ # substring/locate stuff: bug 165221; this used to use regexes, but that
+ # was unsafe and required weird escaping; using substring to pull out
+ # the new/old email addresses and locate() to find the delimeter (':')
+ # is cleaner/safer
SendSQL("SELECT eventdata FROM tokens WHERE tokentype = 'emailold'
- AND eventdata like '%:$username'
- OR eventdata like '$username:%'");
+ AND SUBSTRING(eventdata, 1, (LOCATE(':', eventdata) - 1)) = $sqluname
+ OR SUBSTRING(eventdata, (LOCATE(':', eventdata) + 1)) = $sqluname");
+
if (my ($eventdata) = FetchSQLData()) {
# Allow thru owner of token
if($old_username && ($eventdata eq "$old_username:$username")) {
--
cgit v1.2.3-24-g4f1b
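Review bot: The WHERE clause in the rewritten SendSQL call of ValidateNewUser still mixes AND and OR without parentheses, so it is evaluated as `(tokentype = 'emailold' AND SUBSTRING(...) = $sqluname) OR SUBSTRING(...) = $sqluname` and the second comparison is applied to tokens of every type. In MySQL, LOCATE returns 0 when eventdata contains no ':', so for such rows that second arm compares the whole eventdata value with the login. Grouping the two comparisons keeps the check to in-progress email changes: open the group with `AND (SUBSTRING(eventdata, 1, (LOCATE(':', eventdata) - 1)) = $sqluname` and close it with `OR SUBSTRING(eventdata, (LOCATE(':', eventdata) + 1)) = $sqluname)");`. The interpolation of `$sqluname` is only safe if SqlQuote returns a fully quoted and escaped literal, which this hunk does not show; a one-line comment saying so next to `my $sqluname = SqlQuote($username);` would help. ValidateNewUser begins and ends outside the hunk.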