phpBB usernames with unwanted characters in WordPress

User avatar
axew3
w3all User
w3all User
Posts: 1875
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

phpBB usernames with unwanted characters in WordPress

Post by axew3 »

check WP_w3all plugin option
Activate WordPress to phpBB and phpBB to WP users transfer and/or the phpBB WP users check
which contain all the necessary to check and then fix all about usernames and emails between linked phpBB and WordPress.

As said on the phpBB WordPress help install, if you allow users to register also in phpBB side, you need to setup Limit Username Chars option in phpBB ACP to allow only certain characters for usernames. So what about old phpBB users that may contain into username characters not allowed in WordPress?

Allowed chars in WordPress for usernames are these:
a-z
A-Z
0-9
_ (underscore)
- (hyphen)
. (point)
@
and space


all the rest isn’t allowed in WordPress usernames.
The plugin will detect any unwanted chars in phpBB usernames, for users that need to be added in WordPress.
The user will be warned that can’t be added in WordPress and no error will be thrown. A big warning will display on top of wordpress, asking to inform the admin about this precise problem. And unfortunately for this user, will not be added in WordPress.

"At this time i've not find out any other possible solution to this problem. An user could also be added in WordPress without filtering the username, but as on my fly test, an username archived as
a-z0-9_.\-@
is parsed in WordPress output and treated as
a-z0-9_.-@
so i see very hard to allow the use of any char for WordPress usernames. Also should maybe be considered, before to be applied, the security aspect that this can maybe imply. Any hint or correction on this would be really appreciated!"

User avatar
axew3
w3all User
w3all User
Posts: 1875
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

But if really want Wordpress accept unwanted characters ...

Post by axew3 »

But if you really want Wordpress accept unwanted characters as usernames/user_login ...
The raw question at wp.org forum:
allow-any-chars-in-wordpress-user_login-anybody-explored?

... making WordPress accept any username with any character.
This could lead to security problems? i'm not totally sure, i just see that all is parsed as needed after something like this, and this procedure still lack about a particular problem on nickname, that is easily resolvable. It seem, to me, secure. All special chars on tests usernames i've try out, are stored as entities, and after correctly parsed as plain text: i've not try out all, but reasonably the behavior should be the same over all WP. Will be the same with all others plugins you may use? Yes with WP_w3all, while i suggest to check with any other before to choose and use this way, allowing any character for wordpress user_login.
can be applied also without using wp_w3all plugin, and extended for any needs, where wordpress need to accept any chars for usernames.
Reading the linked post and this following you should be able to understand the joke, even if my Eng is bad:

Using wp_w3all this is the code:

open wp_w3all.php file and just before the closing ?> php tag on bottom, add the follow code:

Code: Select all

function w3all_sanitize_user($user, $raw_user, $strict) { 
	$raw_user = trim($raw_user);
    return $raw_user;
}
add_filter('sanitize_user', 'w3all_sanitize_user', 10, 3);
if ( ! function_exists( 'wp_validate_auth_cookie' ) ) :
function wp_validate_auth_cookie($cookie = '', $scheme = '') {
	if ( ! $cookie_elements = wp_parse_auth_cookie($cookie, $scheme) ) {
		/**
		 * Fires if an authentication cookie is malformed.
		 *
		 * @since 2.7.0
		 *
		 * @param string $cookie Malformed auth cookie.
		 * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
		 *                       or 'logged_in'.
		 */
		do_action( 'auth_cookie_malformed', $cookie, $scheme );
		return false;
	}

	$scheme = $cookie_elements['scheme'];
	$username = $cookie_elements['username'];
	$hmac = $cookie_elements['hmac'];
	$token = $cookie_elements['token'];
	$expired = $expiration = $cookie_elements['expiration'];

	// Allow a grace period for POST and Ajax requests
	if ( wp_doing_ajax() || 'POST' == $_SERVER['REQUEST_METHOD'] ) {
		$expired += HOUR_IN_SECONDS;
	}

	// Quick check to see if an honest cookie has expired
	if ( $expired < time() ) {
		/**
		 * Fires once an authentication cookie has expired.
		 *
		 * @since 2.7.0
		 *
		 * @param array $cookie_elements An array of data for the authentication cookie.
		 */
		do_action( 'auth_cookie_expired', $cookie_elements );
		return false;
	}
	
  $username = trim(stripslashes($username));
	$user = get_user_by('login', $username);
	
	if ( ! $user ) {
		/**
		 * Fires if a bad username is entered in the user authentication process.
		 *
		 * @since 2.7.0
		 *
		 * @param array $cookie_elements An array of data for the authentication cookie.
		 */
		do_action( 'auth_cookie_bad_username', $cookie_elements );
		return false;
	}

	$pass_frag = substr($user->user_pass, 8, 4);

	$key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );

	// If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
	$algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
	$hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );

	if ( ! hash_equals( $hash, $hmac ) ) {
		/**
		 * Fires if a bad authentication cookie hash is encountered.
		 *
		 * @since 2.7.0
		 *
		 * @param array $cookie_elements An array of data for the authentication cookie.
		 */
		do_action( 'auth_cookie_bad_hash', $cookie_elements );
		return false;
	}

	$manager = WP_Session_Tokens::get_instance( $user->ID );
	if ( ! $manager->verify( $token ) ) {
		do_action( 'auth_cookie_bad_session_token', $cookie_elements );
		return false;
	}

	// Ajax/POST grace period set above
	if ( $expiration < time() ) {
		$GLOBALS['login_grace_period'] = 1;
	}

	/**
	 * Fires once an authentication cookie has been validated.
	 *
	 * @since 2.7.0
	 *
	 * @param array   $cookie_elements An array of data for the authentication cookie.
	 * @param WP_User $user            User object.
	 */
	do_action( 'auth_cookie_valid', $cookie_elements, $user );

	return $user->ID;
}

endif;
Save.
When an user come in wp as logged in phpBB with the above code added into wp_w3all.php it will be added and logged in correctly into wordpress even with unwanted chars in wordpress.
It remain to fix, for what concern the WP_w3all phpBB integration plugin, some line of code into class.wp.w3all-phpbb.php to correctly let pass the username with unwanted chars, on lines like this:

Code: Select all

         if ( preg_match('/[^-0-9A-Za-z _.@]/',$phpbb_user_session[0]->username) ){
	          echo '<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em">Sorry, your <strong>registered username on our forum contain characters not allowed on this CMS system</strong>, you can\'t be added or login in this site side (and you\'ll see this message) until logged in on forums as <b>'.$phpbb_user_session[0]->username.'</b>. Please return back and contact the administrator reporting about this error issue. Thank you <input type="button" value="Go Back" onclick="history.back(-1)" /></p>';
           return;
         }
need to be changed so into something like:

Code: Select all

// if ( preg_match('/[^-0-9A-Za-z _.@]/',$phpbb_user_session[0]->username) ){
//  echo '<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em">Sorry, your <strong>registered username on our forum contain characters not allowed on this CMS system</strong>, you can\'t be added or login in this site side (and you\'ll see this message) until logged in on forums as <b>'.$phpbb_user_session[0]->username.'</b>. Please return back and contact the administrator reporting about this error issue. Thank you <input type="button" value="Go Back" onclick="history.back(-1)" /></p>';
 // return;
 // }
substantially to avoid execution of this code and the check of unwanted chars over all WP_w3all integration plugin. It remain a problem on user profile update action, where a nick name like for example
<script>alert(‘test!’);</script>
ins't accepted ... but also this is easily solvable ...
and by the way, when user will go to update the profile, if not fixed, the user will be noticed to change his nick name by WordPress, or on profile update action WP will return ever the same error: "character not allowed for nick name field" (or something like this).

The work around about how allow any char as username in wordpress has been asked on slack and on wordpress.org forum, and even on wp irc channel. But I've get no answers about this.
I'm quite sure all is ok here, but i would like to know opinion of somebody else, without going to look into any method or wp class (whenever it would be easy to understand all implications).
allow-any-chars-in-wordpress-user_login-anybody-explored?

This can be applied also without using wp_w3all plugin, and extended for any needs, where wordpress need to accept any chars for usernames.
This is a way to allow any character on wordpress usernames, but i've not check for all methods that receive the input in this state, i see it is parsed in the right way, both front end and back end, and treated as plain text. So i'm 'quite' sure it not let wp with security holes ...

Post Reply