prevent re-registrations using a deleted username - not an issue with Friendica but could create a serious privacy issue with federated platforms

11 years ago · ebdf0ee99e
6 changed files with 38 additions and 2 deletions
--- a/boot.php
+++ b/boot.php
@ -11,7 +11,7 @@ require_once('include/cache.php');
 define ( 'FRIENDICA_PLATFORM',     'Friendica');
 define ( 'FRIENDICA_VERSION',      '2.3.1288' );
 define ( 'DFRN_PROTOCOL_VERSION',  '2.23'    );
-define ( 'DB_UPDATE_VERSION',      1132      );
+define ( 'DB_UPDATE_VERSION',      1133      );

 define ( 'EOL',                    "<br />\r\n"     );
 define ( 'ATOM_TIME',              'Y-m-d\TH:i:s\Z' );
--- a/database.sql
+++ b/database.sql
@ -861,3 +861,9 @@ INDEX ( `term` )
 ) ENGINE = MyISAM DEFAULT CHARSET=utf8;


+CREATE TABLE IF NOT EXISTS `userd` (
+`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
+`username` CHAR( 255 ) NOT NULL,
+INDEX ( `username` )
+) ENGINE = MyISAM DEFAULT CHARSET=utf8;
+
--- a/include/Contact.php
+++ b/include/Contact.php
@ -15,6 +15,12 @@ function user_remove($uid) {

 	call_hooks('remove_user',$r[0]);

+	// save username (actually the nickname as it is guaranteed 
+	// unique), so it cannot be re-registered in the future.
+
+	q("insert into userd ( username ) values ( '%s' )",
+		$r[0]['nickname']
+	);

 	q("DELETE FROM `contact` WHERE `uid` = %d", intval($uid));
 	q("DELETE FROM `group` WHERE `uid` = %d", intval($uid));
--- a/mod/register.php
+++ b/mod/register.php
@ -150,6 +150,16 @@ function register_post(&$a) {
 	if(count($r))
 		$err .= t('Nickname is already registered. Please choose another.') . EOL;

+	// Check deleted accounts that had this nickname. Doesn't matter to us,
+	// but could be a security issue for federated platforms.
+
+	$r = q("SELECT * FROM `userd`
+               	WHERE `username` = '%s' LIMIT 1",
+               	dbesc($nickname)
+	);
+	if(count($r))
+		$err .= t('Nickname was once registered here and may not be re-used. Please choose another.') . EOL;
+
 	if(strlen($err)) {
 		notice( $err );
 		return;
--- a/mod/regmod.php
+++ b/mod/regmod.php
@ -64,6 +64,11 @@ function user_allow($hash) {

 }

+
+// This does not have to go through user_remove() and save the nickname
+// permanently against re-registration, as the person was not yet
+// allowed to have friends on this system
+
 function user_deny($hash) {

 	$register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1",
--- a/update.php
+++ b/update.php
@ -1,6 +1,6 @@
 <?php

-define( 'UPDATE_VERSION' , 1132 );
+define( 'UPDATE_VERSION' , 1133 );

 /**
 *
@ -1127,3 +1127,12 @@ function update_1131() {
 }


+function update_1132() {
+	q("CREATE TABLE IF NOT EXISTS `userd` (
+`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
+`username` CHAR( 255 ) NOT NULL,
+INDEX ( `username` )
+) ENGINE = MYISAM ");
+
+}
+