@@ 40,6 40,12 @@ async fn require_me(user: UserIDOrMe, me: UserID) -> Result<(), Error> {
}
}
+fn is_allowed_username(username: &str) -> bool {
+ username
+ .chars()
+ .all(|chr| chr.is_ascii_alphabetic() || chr.is_ascii_digit())
+}
+
pub fn route_users() -> crate::RouteNode<()> {
let route_brackets = crate::RouteNode::new()
.with_handler_async("GET", |(user,), ctx, req| async move {
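Review bot: `is_allowed_username` accepts the empty string, because `Iterator::all` is vacuously true on no characters, so an empty `Some(username)` in the create and edit paths would pass the character check; unless emptiness is rejected elsewhere (not visible in this diff), the helper should reject it itself, `!username.is_empty() && username.chars().all(|chr| chr.is_ascii_alphanumeric())`. `char::is_ascii_alphanumeric` is the same predicate as the alphabetic-or-digit pair and reads more directly. The function also deserves a doc comment stating the policy it enforces, e.g. `/// Returns true when `username` consists solely of ASCII letters and digits (no Unicode, whitespace or punctuation); used to validate client-supplied usernames on create and edit.` Any upper bound on username length is not part of this helper and would have to be enforced where the value is stored, if at all.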
@@ 91,6 97,10 @@ async fn route_users_create_fn(
let client = db_pool.get().await?;
let (user_id, username): (i32, _) = match if let Some(username) = body.username {
+ if !is_allowed_username(&username) {
+ return Err(Error::UserError(crate::simple_response(hyper::StatusCode::BAD_REQUEST, "Invalid characters in username")));
+ }
+
if let Some(password) = body.password {
let password_hash =
tokio::task::spawn_blocking(|| bcrypt::hash(password, bcrypt::DEFAULT_COST))
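Review bot: The new rejection on the create path builds its 400 with `crate::simple_response(hyper::StatusCode::BAD_REQUEST, "Invalid characters in username")`, while the equivalent rejection in `route_users_edit_fn` (third hunk of this diff) keeps the hand-built `hyper::Response::new(...)` / `*res.status_mut() = ...` block for the same status and message; since this commit already touches that site, it could use the same helper so the two responses cannot drift. The check itself is well placed: it runs before the `spawn_blocking` bcrypt hash, so a rejected username costs no hashing work. `route_users_create_fn` begins and ends outside this hunk, so whether `body.username` being `None` is handled is not visible here.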
@@ 222,10 232,7 @@ async fn route_users_edit_fn(
let mut columns = Vec::with_capacity(3);
if let Some(username) = body.username {
- if !username
- .chars()
- .all(|chr| chr.is_ascii_alphabetic() || chr.is_ascii_digit())
- {
+ if !is_allowed_username(&username) {
return Err(Error::UserError({
let mut res = hyper::Response::new("Invalid characters in username".into());
*res.status_mut() = hyper::StatusCode::BAD_REQUEST;