by axew3 » Sun Apr 08, 2018 12:54 pm
But if you really want Wordpress accept unwanted characters as usernames/user_login ...
The raw question at the wp.org forum:
allow-any-chars-in-wordpress-user_login-anybody-explored? (https://wordpress.org/support/topic/allow-any-chars-in-wordpress-user_login-anybody-explored/)
... making WordPress accept any username with any character.
Could this lead to security problems? I'm not totally sure; I just see that everything is parsed as needed after something like this, and this procedure still lacks a fix for a particular problem on the nickname, which is easily resolvable. It seems, to me, secure. All special chars in the test usernames I've tried out are stored as entities and afterwards correctly parsed as plain text: I've not tried them all, but reasonably the behavior should be the same all over WP. Will it be the same with all the other plugins you may use? Yes with WP_w3all, while I suggest checking with any other before choosing to use this way, allowing any character for the WordPress user_login.
This can also be applied without using the wp_w3all plugin, and extended to any need where WordPress has to accept any chars for usernames.
Reading the linked post and the following, you should be able to understand the joke, even if my English is bad:
Using wp_w3all, this is the code: open the wp_w3all.php file and, just before the closing ?> PHP tag at the bottom, add the following code:
Code:
// Return the raw username untouched, so WordPress keeps every character
// instead of stripping the ones outside its allowed set.
function w3all_sanitize_user( $user, $raw_user, $strict ) {
    $raw_user = trim( $raw_user );
    return $raw_user;
}
add_filter( 'sanitize_user', 'w3all_sanitize_user', 10, 3 );

// Override of the pluggable core function: it only takes effect because
// plugin files load before pluggable.php defines the original.
if ( ! function_exists( 'wp_validate_auth_cookie' ) ) :
function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
    if ( ! $cookie_elements = wp_parse_auth_cookie( $cookie, $scheme ) ) {
        /**
         * Fires if an authentication cookie is malformed.
         *
         * @since 2.7.0
         *
         * @param string $cookie Malformed auth cookie.
         * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
         *                       or 'logged_in'.
         */
        do_action( 'auth_cookie_malformed', $cookie, $scheme );
        return false;
    }

    $scheme     = $cookie_elements['scheme'];
    $username   = $cookie_elements['username'];
    $hmac       = $cookie_elements['hmac'];
    $token      = $cookie_elements['token'];
    $expired    = $expiration = $cookie_elements['expiration'];

    // Allow a grace period for POST and Ajax requests
    if ( wp_doing_ajax() || 'POST' == $_SERVER['REQUEST_METHOD'] ) {
        $expired += HOUR_IN_SECONDS;
    }

    // Quick check to see if an honest cookie has expired
    if ( $expired < time() ) {
        /**
         * Fires once an authentication cookie has expired.
         *
         * @since 2.7.0
         *
         * @param array $cookie_elements An array of data for the authentication cookie.
         */
        do_action( 'auth_cookie_expired', $cookie_elements );
        return false;
    }

    // Added relative to the core function: strip any slashes added to the
    // cookie value and trim, so a login containing quotes or surrounding
    // whitespace still matches the stored user_login.
    $username = trim( stripslashes( $username ) );

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        /**
         * Fires if a bad username is entered in the user authentication process.
         *
         * @since 2.7.0
         *
         * @param array $cookie_elements An array of data for the authentication cookie.
         */
        do_action( 'auth_cookie_bad_username', $cookie_elements );
        return false;
    }

    $pass_frag = substr( $user->user_pass, 8, 4 );

    $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );

    // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
    $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
    $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );

    if ( ! hash_equals( $hash, $hmac ) ) {
        /**
         * Fires if a bad authentication cookie hash is encountered.
         *
         * @since 2.7.0
         *
         * @param array $cookie_elements An array of data for the authentication cookie.
         */
        do_action( 'auth_cookie_bad_hash', $cookie_elements );
        return false;
    }

    $manager = WP_Session_Tokens::get_instance( $user->ID );
    if ( ! $manager->verify( $token ) ) {
        do_action( 'auth_cookie_bad_session_token', $cookie_elements );
        return false;
    }

    // Ajax/POST grace period set above
    if ( $expiration < time() ) {
        $GLOBALS['login_grace_period'] = 1;
    }

    /**
     * Fires once an authentication cookie has been validated.
     *
     * @since 2.7.0
     *
     * @param array   $cookie_elements An array of data for the authentication cookie.
     * @param WP_User $user            User object.
     */
    do_action( 'auth_cookie_valid', $cookie_elements, $user );

    return $user->ID;
}
endif;
Save.
When a user comes into WP as logged in on phpBB, with the above code added into wp_w3all.php, they will be added and logged in correctly into WordPress even with characters WordPress considers unwanted.
It remains to fix, as far as the WP_w3all phpBB integration plugin is concerned, some lines of code in class.wp.w3all-phpbb.php, to correctly let through usernames with unwanted chars, on lines like this:
Code:
// Rejects the phpBB username if it contains anything outside the
// ASCII set WordPress allows for a strict user_login.
if ( preg_match( '/[^-0-9A-Za-z _.@]/', $phpbb_user_session[0]->username ) ) {
    echo '<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em">Sorry, your <strong>registered username on our forum contain characters not allowed on this CMS system</strong>, you can\'t be added or login in this site side (and you\'ll see this message) until logged in on forums as <b>'.$phpbb_user_session[0]->username.'</b>. Please return back and contact the administrator reporting about this error issue. Thank you <input type="button" value="Go Back" onclick="history.back(-1)" /></p>';
    return;
}
needs to be changed into something like:
Code:
// if ( preg_match( '/[^-0-9A-Za-z _.@]/', $phpbb_user_session[0]->username ) ) {
//     echo '<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em">Sorry, your <strong>registered username on our forum contain characters not allowed on this CMS system</strong>, you can\'t be added or login in this site side (and you\'ll see this message) until logged in on forums as <b>'.$phpbb_user_session[0]->username.'</b>. Please return back and contact the administrator reporting about this error issue. Thank you <input type="button" value="Go Back" onclick="history.back(-1)" /></p>';
//     return;
// }
basically to avoid executing this code and the check for unwanted chars throughout the WP_w3all integration plugin. A problem remains on the user profile update action, where a nickname like, for example,
<script>alert('test!');</script>
isn't accepted ... but this is also easily solvable ...
And by the way, when the user goes to update the profile, if this is not fixed, the user will be told by WordPress to change his nickname, or on the profile update action WP will always return the same error: "character not allowed for nick name field" (or something like this).
The workaround for how to allow any char as a username in WordPress has been asked about on Slack and on the wordpress.org forum, and even on the WP IRC channel. But I've got no answers about this.
I'm quite sure all is OK here, but I would like to know the opinion of somebody else, without going to look into any method or WP class (whenever it would be easy to understand all the implications).
allow-any-chars-in-wordpress-user_login-anybody-explored? (https://wordpress.org/support/topic/allow-any-chars-in-wordpress-user_login-anybody-explored/)
This can also be applied without using the wp_w3all plugin, and extended to any need where WordPress has to accept any chars for usernames.
This is a way to allow any character in WordPress usernames, but I've not checked all the methods that receive the input in this state; I see it is parsed in the right way, both front end and back end, and treated as plain text. So I'm 'quite' sure it does not leave WP with security holes ...
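As an added example (not code from the post above or from the WP_w3all plugin), the stand-alone PHP script below contrasts what three 'sanitize_user' strategies do to the same usernames: an approximation of the strict reduction WordPress core applies to user_login (the same character class the plugin's preg_match check uses), the post's pass-through filter, and a hypothetical relaxed filter that keeps Unicode letters but still refuses markup-forming characters. It then shows the output escaping the stored value needs regardless of which filter stored it. It runs without WordPress; every function name and the relaxed character set are this example's own assumptions, and sanitize_user_strict() omits core's remove_accents() step, so accented letters are dropped rather than transliterated.

```php
<?php
// Added example, not code from the forum post or the WP_w3all plugin.
// Runs stand-alone (no WordPress needed). All function names are this
// example's own; sanitize_user_strict() only approximates the strict
// branch of WordPress core's sanitize_user() and omits remove_accents().

// Reference: the strict reduction applied to user_login. The final
// character class is the same one the plugin's preg_match check uses.
function sanitize_user_strict(string $raw): string {
    // wp_strip_all_tags() analogue: drop script/style blocks with their
    // contents, then any remaining tags.
    $u = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $raw);
    $u = strip_tags($u);
    $u = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $u); // kill octets
    $u = preg_replace('/&.+?;/', '', $u);                      // kill entities
    $u = preg_replace('|[^a-z0-9 _.\-@]|i', '', $u);           // ASCII-only set
    $u = trim($u);
    return preg_replace('|\s+|', ' ', $u);                     // collapse spaces
}

// The post's approach: the filter hands back the raw value, so nothing
// outside the allowed set is removed and the stored login is whatever
// phpBB held.
function sanitize_user_passthrough(string $raw): string {
    return trim($raw);
}

// Hypothetical middle ground (an assumption, not from the post): keep
// Unicode letters, digits and combining marks plus the same punctuation
// as the strict set. Accented phpBB usernames pass, while angle brackets,
// quotes and other characters that can form markup are still removed.
function sanitize_user_relaxed(string $raw): string {
    $u = preg_replace('/[^\p{L}\p{N}\p{M} _.\-@]/u', '', $raw);
    return trim(preg_replace('/\s+/u', ' ', $u));
}

// Output side: whatever the filter stored, a username rendered into HTML
// must be escaped at the point of output (esc_html() in WordPress terms).
function render_username(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample usernames; the third is the nickname from the post.
$samples = [
    'plain_user',
    'Jörg Müller',
    "<script>alert('test!');</script>",
    "o'neil & co",
];

foreach ($samples as $raw) {
    printf("raw:         %s\n", $raw);
    printf("strict:      %s\n", sanitize_user_strict($raw));
    printf("passthrough: %s\n", sanitize_user_passthrough($raw));
    printf("relaxed:     %s\n", sanitize_user_relaxed($raw));
    // Escaped form of the unsanitized value: safe to place in an HTML text
    // node or quoted attribute even though the stored string contains markup.
    printf("rendered:    %s\n\n", render_username(sanitize_user_passthrough($raw)));
}
```

Run it with `php sanitize_compare.php` (any file name works). The point to take from the table it prints is that the pass-through filter moves the whole burden onto output escaping: the strict and relaxed variants never store a string that can form markup, while the pass-through variant stores it as-is and is only as safe as every place that later echoes user_login.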