authorGabriel Pérez-Cerezo <gabriel@gpcf.eu>2020-02-24 13:43:11 +0100
committerGabriel Pérez-Cerezo <gabriel@gpcf.eu>2020-02-24 13:43:11 +0100
commit77f7a301678e6e4b121d0f4729594f5cb34d8c39 (patch)
tree7e6b81afb83b53dd5eb2cfa5f27f1e60c7a15b47
parent65ff7842ba1ecfd2ee6cdba708489de0f987ede2 (diff)
downloadauth_export-77f7a301678e6e4b121d0f4729594f5cb34d8c39.tar.gz
auth_export-77f7a301678e6e4b121d0f4729594f5cb34d8c39.tar.bz2
auth_export-77f7a301678e6e4b121d0f4729594f5cb34d8c39.zip
SECURITY: Fix mediawiki merging accountsHEADmaster
MediaWiki turns any number of underscores into whitespace, so Foo__Bar, Foo_Bar and Foo_Bar_ would all be mapped to the same account, leading to account takeover.
-rw-r--r--init.lua10
1 files changed, 10 insertions, 0 deletions
diff --git a/init.lua b/init.lua
index 990ee0c..cbf5378 100644
--- a/init.lua
+++ b/init.lua
@@ -14,3 +14,13 @@ if http then
dofile(MP .. "/webmail.lua")
mail.webmail_init(http, webmail_url, webmail_key)
end
+
+
+minetest.register_on_prejoinplayer(function(name, ip)
+ if minetest.player_exists(name) then
+ return
+ end
+ if name:match("_") then
+ return "For security reasons, underscores are banned on this server. Please choose another username!"
+ end
+end)
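Review bot: The early `return` on `minetest.player_exists(name)` exempts every account that already exists, so two names registered before this commit that differ only in underscores can still join and would presumably still map to one MediaWiki account. The hunk does not show the export side, so it is worth confirming that the export detects such pairs, or running a one-time audit of existing names for collisions after normalisation. The exemption should at least be documented at the check, e.g. `-- Existing accounts are exempt; pre-existing names that collide after MediaWiki normalisation must be resolved separately.` As a style point, `name:find("_", 1, true)` states the plain-substring intent more directly than `name:match("_")`.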