Description
Steps to reproduce the issue
- Go to https:///administrator/index.php?option=com_users&view=user&layout=edit
- Enter details...
Name: test
Login Name: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Password: anything
Confirm Password: anything
Email: [email protected]
- Click "Save"
Note, the login name...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
...has 151 characters.
Expected result
In Joomla 3.9.16 a username limit of 150 characters was introduced. The expected result would be an error message that says the username was too long.
Actual result
The user is shown the error message...
"Save failed with the following error: Please enter a valid username. No space at beginning or end, at least 2 characters and must not have the following characters: < > \ " ' % ; ( ) &."
...which is "JLIB_DATABASE_ERROR_VALID_AZ09".
System information (as much as possible)
PHP Built On Linux hp-i5 5.3.0-46-generic #38-Ubuntu SMP Fri Mar 27 17:37:05 UTC 2020 x86_64
Database Type mysql
Database Version 8.0.19-0ubuntu0.19.10.3
Database Collation utf8mb4_0900_ai_ci
Database Connection Collation utf8mb4_0900_ai_ci
PHP Version 7.3.11-0ubuntu0.19.10.4
Web Server Apache/2.4.41 (Ubuntu)
WebServer to PHP Interface apache2handler
Joomla! Version Joomla! 3.9.16 Stable [ Amani ] 10-March-2020 15:00 GMT
Joomla! Platform Version Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
Additional comments
This code is...
if (preg_match('#[<>"\'%;()&\\\\]|\\.\\./#', $this->username) || StringHelper::strlen($this->username) < 2
    || $filterInput->clean($this->username, 'TRIM') !== $this->username || StringHelper::strlen($this->username) > 150)
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_AZ09', 2));
    return false;
}
...in the file...
https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Table/User.php
So, the options are, I think...
Possible solution 1
Break out the if statement into separate conditionals, to give more specific error messages.
So, from...
if (preg_match('#[<>"\'%;()&\\\\]|\\.\\./#', $this->username) || StringHelper::strlen($this->username) < 2
    || $filterInput->clean($this->username, 'TRIM') !== $this->username || StringHelper::strlen($this->username) > 150)
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_AZ09', 2));
    return false;
}
...to...
if (preg_match('#[<>"\'%;()&\\\\]|\\.\\./#', $this->username) || StringHelper::strlen($this->username) < 2
    || $filterInput->clean($this->username, 'TRIM') !== $this->username)
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_AZ09', 2));
    return false;
}
if (StringHelper::strlen($this->username) > 150)
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_TOOLONG', 2));
    return false;
}
...and add...
JLIB_DATABASE_ERROR_VALID_TOOLONG="Please enter a valid username. Must be less than 150 characters"
...to...
https://github.com/joomla/joomla-cms/blob/staging/language/en-GB/en-GB.lib_joomla.ini
Possible solution 2
Change the JLIB_DATABASE_ERROR_VALID_AZ09 string to include details on the cause of the error.
So, change...
JLIB_DATABASE_ERROR_VALID_AZ09="Please enter a valid username. No space at beginning or end, at least %d characters and must <strong>not</strong> have the following characters: < > \ " ' % ; ( ) &."
...to...
JLIB_DATABASE_ERROR_VALID_AZ09="Please enter a valid username. No space at beginning or end, at least %d characters, must <strong>not</strong> have the following characters: < > \ " ' % ; ( ) & and be less than 150 characters"