mirror of https://we.phorge.it/source/phorge.git synced 2024-11-24 15:52:41 +01:00
phorge-phorge/src/applications/people
epriestley 969d0c3e8d Use "\z" instead of "$" to anchor validating regular expressions
Summary:
Via HackerOne. In regular expressions, "$" matches "end of input, or before terminating newline". This means that the expression `/^A$/` matches two strings: `"A"`, and `"A\n"`.

When we care about this, use `\z` instead, which matches "end of input" only.

This allowed registration of `"username\n"` and similar.

Test Plan:
  - Grepped codebase for all calls to `preg_match()` / `preg_match_all()`.
  - Fixed the ones where this seemed like it could have an impact.
  - Added and executed unit tests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: aran, epriestley

Differential Revision: https://secure.phabricator.com/D8516
2014-03-13 12:42:41 -07:00
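The anchor behaviour the commit message describes, as an added PHP example that is not code from this repository. The username pattern, function names and sample inputs are assumptions made for illustration. The `D` modifier (PCRE_DOLLAR_ENDONLY) is shown as an alternative to `\z`.

```php
<?php
// Added illustration: the pattern and function names are hypothetical,
// not taken from the project source.

// Weak form: "$" matches at end of input OR just before one trailing "\n".
function is_valid_username_dollar(string $name): bool {
  return preg_match('/^[a-zA-Z0-9._-]+$/', $name) === 1;
}

// Fixed form: "\z" matches only at the very end of the input.
function is_valid_username_z(string $name): bool {
  return preg_match('/^[a-zA-Z0-9._-]+\z/', $name) === 1;
}

// Alternative: the "D" modifier makes "$" match only at end of input.
function is_valid_username_d(string $name): bool {
  return preg_match('/^[a-zA-Z0-9._-]+$/D', $name) === 1;
}

// Constructed sample inputs covering the edge cases:
// clean name, one trailing newline, two trailing newlines,
// embedded newline, empty string.
$samples = array("alice", "alice\n", "alice\n\n", "al\nice", "");

foreach ($samples as $s) {
  printf(
    "%-14s dollar=%-5s z=%-5s D=%s\n",
    json_encode($s),
    var_export(is_valid_username_dollar($s), true),
    var_export(is_valid_username_z($s), true),
    var_export(is_valid_username_d($s), true));
}
```

Only the single-trailing-newline input separates the three validators: the `$` form accepts it, while the `\z` and `D` forms reject it along with every other malformed sample.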
..
application Exclude disabled (disapproved) users from count on People application on homepage 2014-03-10 16:20:49 -07:00
capability Add a granular capability for user directory browsing 2014-01-30 11:53:49 -08:00
conduit Calendar upgrades 2014-02-24 10:04:23 -08:00
config Support configuration-driven custom fields 2013-08-14 12:33:53 -07:00
controller Fix calendar part 2 2014-02-25 14:20:59 -08:00
customfield Implement detail views for many Differential fields on ApplicationTransactions 2014-02-26 14:46:18 -08:00
editor Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
event Rename PhabricatorUserStatus to PhabricatorCalendarEvent 2014-02-06 10:07:29 -08:00
garbagecollector Add a GC for user logs 2014-02-03 10:51:41 -08:00
lipsum Fixed Task Generation 2013-04-24 18:17:31 -07:00
phid Extract textual object list parsing from Differential 2014-03-07 17:44:44 -08:00
query Rename PhabricatorUserStatus to PhabricatorCalendarEvent 2014-02-06 10:07:29 -08:00
remarkup Rename PhabricatorUserStatus to PhabricatorCalendarEvent 2014-02-06 10:07:29 -08:00
search Use ApplicationTransactions/CustomField to power Differential global search 2014-02-26 11:18:06 -08:00
storage Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00