AndyGaskell
21 Apr 2020

Steps to reproduce the issue

  1. Go to https:///administrator/index.php?option=com_users&view=user&layout=edit
  2. Enter details...
    Name: test
    Login Name: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Password: anything
    Confirm Password: anything
    Email: test@example.com
  3. Click "Save"

Note, the login name...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
...has 151 characters.

Expected result

In Joomla 3.9.16 a username limit of 150 characters was introduced. The expected result would be an error message that says the username was too long.

Actual result

The user is shown the error message...

"Save failed with the following error: Please enter a valid username. No space at beginning or end, at least 2 characters and must not have the following characters: < > \ " ' % ; ( ) &."

...which is "JLIB_DATABASE_ERROR_VALID_AZ09".

System information (as much as possible)

PHP Built On: Linux hp-i5 5.3.0-46-generic #38-Ubuntu SMP Fri Mar 27 17:37:05 UTC 2020 x86_64
Database Type: mysql
Database Version: 8.0.19-0ubuntu0.19.10.3
Database Collation: utf8mb4_0900_ai_ci
Database Connection Collation: utf8mb4_0900_ai_ci
PHP Version: 7.3.11-0ubuntu0.19.10.4
Web Server: Apache/2.4.41 (Ubuntu)
WebServer to PHP Interface: apache2handler
Joomla! Version: Joomla! 3.9.16 Stable [ Amani ] 10-March-2020 15:00 GMT
Joomla! Platform Version: Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0

Additional comments

This code is...

if (preg_match('#[<>"\'%;()&\\\\]|\\.\\./#', $this->username) || StringHelper::strlen($this->username) < 2
    || $filterInput->clean($this->username, 'TRIM') !== $this->username || StringHelper::strlen($this->username) > 150)
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_AZ09', 2));

    return false;
}

...in the file...
https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Table/User.php

So, the options are, I think...

Possible solution 1

Break out the if statement into separate conditionals, to give more specific error messages

So, from...

if (preg_match('#[<>"\'%;()&\\\\]|\\.\\./#', $this->username) || StringHelper::strlen($this->username) < 2
    || $filterInput->clean($this->username, 'TRIM') !== $this->username || StringHelper::strlen($this->username) > 150)
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_AZ09', 2));

    return false;
}

...to...

if (preg_match('#[<>"\'%;()&\\\\]|\\.\\./#', $this->username) || StringHelper::strlen($this->username) < 2
    || $filterInput->clean($this->username, 'TRIM') !== $this->username )
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_AZ09', 2));

    return false;
}
if (StringHelper::strlen($this->username) > 150)
{
    $this->setError(\JText::sprintf('JLIB_DATABASE_ERROR_VALID_TOOLONG', 2));

    return false;
}

...and add...
JLIB_DATABASE_ERROR_VALID_TOOLONG="Please enter a valid username. Must be less than 150 characters"
...to...
https://github.com/joomla/joomla-cms/blob/staging/language/en-GB/en-GB.lib_joomla.ini

Possible solution 2

Change the JLIB_DATABASE_ERROR_VALID_AZ09 string to include details on the cause of the error.

So, change...
JLIB_DATABASE_ERROR_VALID_AZ09="Please enter a valid username. No space at beginning or end, at least %d characters and must <strong>not</strong> have the following characters: < > \ &quot; ' &#37; ; ( ) &."
...to...
JLIB_DATABASE_ERROR_VALID_AZ09="Please enter a valid username. No space at beginning or end, at least %d characters, must <strong>not</strong> have the following characters: < > \ &quot; ' &#37; ; ( ) & and be less than 150 characters"

...in...
https://github.com/joomla/joomla-cms/blob/staging/language/en-GB/en-GB.lib_joomla.ini
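
Solution 1 carried through to every rule, as an added example that is not Joomla's code or the patch referenced in this thread: each check in the combined condition returns its own language key, so the 151-character login name reports a length error. Apart from JLIB_DATABASE_ERROR_VALID_TOOLONG, which the issue proposes, the key names and validateUsername() are hypothetical; trim() and mb_strlen() (mbstring extension assumed) stand in for the TRIM filter and StringHelper::strlen().

```php
<?php
// Added example, not Joomla code: each rule from the combined condition gets
// its own check and its own language key. JLIB_DATABASE_ERROR_VALID_TOOLONG is
// the key proposed in the issue; the EXAMPLE_* keys are hypothetical.

const USERNAME_MIN = 2;
const USERNAME_MAX = 150;

// Returns null when valid, else the language key of the first failed rule.
function validateUsername(string $username): ?string
{
    // Same character blacklist and "../" test as the condition quoted above.
    if (preg_match('#[<>"\'%;()&\\\\]|\\.\\./#', $username)) {
        return 'EXAMPLE_ERROR_USERNAME_BAD_CHARS';
    }

    // Simplified stand-in for $filterInput->clean($username, 'TRIM').
    if (trim($username) !== $username) {
        return 'EXAMPLE_ERROR_USERNAME_WHITESPACE';
    }

    // mb_strlen() counts characters, not bytes, standing in for StringHelper::strlen().
    $length = mb_strlen($username, 'UTF-8');
    if ($length < USERNAME_MIN) {
        return 'EXAMPLE_ERROR_USERNAME_TOO_SHORT';
    }

    if ($length > USERNAME_MAX) {
        return 'JLIB_DATABASE_ERROR_VALID_TOOLONG';
    }

    return null;
}

// Constructed inputs, including the 151-character login name from the report.
$samples = [
    'ok'             => 'test',
    '150 chars'      => str_repeat('a', 150),
    '151 chars'      => str_repeat('a', 151),
    '150 multibyte'  => str_repeat('é', 150),
    'trailing space' => 'test ',
    'bad char'       => 'te<st',
    'one char'       => 'a',
];

foreach ($samples as $label => $username) {
    printf("%-15s => %s\n", $label, validateUsername($username) ?? 'valid');
}
```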

AndyGaskell - comment - 21 Apr 2020

I'd be happy to make the code changes for this. Keen to get some feedback on the two possible solutions described above, or if another option would be better.

infograf768 - comment - 21 Apr 2020

Simpler to use solution 2 imho

infograf768 - comment - 21 Apr 2020

don't forget the PR should be towards both admin and site en-GB.lib_joomla.ini

AndyGaskell - comment - 21 Apr 2020

ok, thanks for the feedback @infograf768, yea, I agree, I'll do the PR :)

infograf768 - comment - 21 Apr 2020

Closing as we have patch #28741

infograf768 - change - 21 Apr 2020
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2020-04-21 11:27:07
Closed_By: infograf768
infograf768 - close - 21 Apr 2020
