From 4c2c955ee31b39403082455e8812a9a02850a79b Mon Sep 17 00:00:00 2001
From: dsc
Date: Wed, 23 Mar 2022 12:04:02 +0200
Subject: [PATCH] Disallow annoying chars
---
 yellow/auth.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/yellow/auth.py b/yellow/auth.py
index de05baf..40515d5 100644
--- a/yellow/auth.py
+++ b/yellow/auth.py
@@ -1,3 +1,5 @@
+import re
+
 import peewee
 from quart import session, redirect, url_for
 
@@ -14,6 +16,9 @@ async def handle_user_login(resp: dict):
 username = user['preferred_username']
 uid = user['sub']
 
+ if not re.match(r"^[a-zA-Z0-9_\.-]+$", username):
+ raise Exception("bad username")
+
 try:
 user = User.select().where(User.id == uid).get()
 except peewee.DoesNotExist:
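Review bot: The `$` in the added `re.match(r"^[a-zA-Z0-9_\.-]+$", username)` also matches just before a trailing newline, so a `preferred_username` of the form `"name\n"` still passes the allow-list. Using `if not re.fullmatch(r"[a-zA-Z0-9_.-]+", username):` closes that gap. The pattern also sets no upper length, so a bound such as `{1,64}` (value to be chosen by the project) would be worth adding if the name is stored or rendered later. The bare `raise Exception("bad username")` presumably surfaces as an unhandled error in the login callback; a dedicated exception type or an explicit rejection response would make the failure path deliberate. The body of `handle_user_login` starts before and continues after this hunk, so how the exception is handled downstream is not visible here.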