Commit 55be2129 authored by Rob Swindell

Handle duplicate names and aliases better

So some cute user (mine@demon.com) created a new user account on Vertrauen with the alias and real name of "Rob Swindell". Funny.

Now, duplicate user aliases are already and always forbidden (even those that just vaguely match an existing alias) - everyone expects those to be unique. And we already forbid new user real names to match an existing user alias (check_name() enforces this and we use that when checking new user real names too), however, nothing prevented a new user account's alias from matching another existing user's real name. And this is a problem:

1. This new/fake user could post a message or send an email/netmail and it would appear to possibly come from the other/original user (we do have options to send mail and post messages using real names)

2. Received email for real names is supported and if enabled, this second account could be used to intercept mail for the original/first account if it was receiving mail for the original/real user's real name.

So disallowing a new user's real name to match an existing alias fixes one problem. 
However, systems *can* be configured to allow duplicate real names (which is convenient for QWKnet accounts, for example) and so we needed another solution for that problem: meet the 'O' restriction. This restriction flag will prevent a user account from posting messages on sub-boards that require real names. New user accounts that have a duplicate real name (the same as another user account's real name), will automatically be assigned the 'O' restriction flag. Systems that don't allow duplicate real names wouldn't have this issue in the first place.

Scripts that allow the creation of new user accounts might need some updating to match this security logic.
parent 9ae0448c
Pipeline #2605 passed with stage
in 9 minutes and 41 seconds
......@@ -200,6 +200,7 @@ BOOL sbbs_t::newuser()
getstr(useron.alias,LEN_ALIAS,kmode);
truncsp(useron.alias);
if (!check_name(&cfg,useron.alias)
|| userdatdupe(useron.number, U_NAME, LEN_NAME, useron.alias)
|| (!(cfg.uq&UQ_ALIASES) && !strchr(useron.alias,' '))) {
bputs(text[YouCantUseThatName]);
if(text[ContinueQ][0] && !yesno(text[ContinueQ]))
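Review bot: The `userdatdupe(useron.number, U_NAME, LEN_NAME, useron.alias)` term in the alias check treats any non-zero return as a duplicate, while the real-name check later in the same function, sbbs_t::newuser(), tests `userdatdupe(...) > 0`. If userdatdupe() can return a negative value on error, the two call sites disagree: this one rejects the name (fails closed) and the other skips the 'O' flag (fails open). Suggest using the same comparison in both places, and adding a short comment here saying the alias is deliberately compared against existing real names, since passing useron.alias with U_NAME is easy to misread as a mistake.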
......@@ -222,7 +223,7 @@ BOOL sbbs_t::newuser()
break;
if(text[ContinueQ][0] && !yesno(text[ContinueQ]))
return(FALSE);
}
}
}
else if(cfg.uq&UQ_COMPANY && text[EnterYourCompany][0]) {
bputs(text[EnterYourCompany]);
......@@ -234,6 +235,8 @@ BOOL sbbs_t::newuser()
}
if(!useron.name[0])
SAFECOPY(useron.name,useron.alias);
else if(!(cfg.uq&UQ_DUPREAL) && userdatdupe(useron.number,U_NAME,LEN_NAME,useron.name) > 0)
useron.rest |= FLAG('O'); // Can't post using real name (it's a duplicate)
if(!online) return(FALSE);
if(!useron.handle[0])
SAFECOPY(useron.handle,useron.alias);
......
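Review bot: The condition `!(cfg.uq&UQ_DUPREAL)` on the new `else if` needs a comment stating the flag's polarity. The commit message says 'O' is meant for systems that allow duplicate real names, yet the flag is assigned when UQ_DUPREAL is clear, so a reader who takes the name to mean "duplicates allowed" will see the test as inverted. A one-line comment such as "duplicates permitted by config, so restrict instead of reject" would remove the ambiguity. It is also worth noting in the comment that the empty-name branch above copies the alias into useron.name and relies on the earlier alias check for the duplicate test.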
......@@ -2974,6 +2974,9 @@ BOOL can_user_post(scfg_t* cfg, uint subnum, user_t* user, client_t* client, uin
if(cfg->sub[subnum]->misc&(SUB_QNET|SUB_FIDO|SUB_PNET|SUB_INET)
&& user->rest&FLAG('N')) /* network restriction? */
return FALSE;
if((cfg->sub[subnum]->misc & SUB_NAME)
&& (user->rest & (FLAG('Q') | FLAG('O'))) == FLAG('O'))
return FALSE;
if(reason!=NULL)
*reason=R_Post;
if(user->rest&FLAG('P')) /* post restriction? */
......
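Review bot: The new SUB_NAME check returns FALSE before `*reason=R_Post` is assigned, so the caller receives whatever reason was set for the preceding network-restriction check rather than one that describes a real-name posting denial. Suggest setting a reason appropriate to this case ahead of the test so the user is told why the post was refused. The expression `(user->rest & (FLAG('Q') | FLAG('O'))) == FLAG('O')` also exempts accounts that carry 'Q' together with 'O', and unlike the neighbouring checks it has no comment; a short note on why 'Q' lifts the restriction would help the next reader.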