authorAlexander Barton <alex@barton.de>2012-06-01 23:57:51 +0200
committerAlexander Barton <alex@barton.de>2012-06-01 23:57:51 +0200
commit6680b536c4da7dc27e11490fe098e98cb0393fa2 (patch)
treec639dd932980c79809e6de3dc2af7106113e4805 /src
parenta21a7d8b66bada3c581b7d1fe4279432344f2fd5 (diff)
USER command: only allow alphanumeric characters in user name
Only alphanumeric characters are allowed in the user name, so terminate
the connection if any "strange" characters have been supplied by the user.

This is how other IRC daemons (like ircd2.11 and ircd-seven) behave ...
Diffstat (limited to 'src')
-rw-r--r--src/ngircd/irc-login.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/src/ngircd/irc-login.c b/src/ngircd/irc-login.c
index 6c1c708a..3fb1b902 100644
--- a/src/ngircd/irc-login.c
+++ b/src/ngircd/irc-login.c
@@ -400,9 +400,7 @@ GLOBAL bool
 IRC_USER(CLIENT * Client, REQUEST * Req)
 {
 	CLIENT *c;
-#ifdef IDENTAUTH
 	char *ptr;
-#endif
 
 	assert(Client != NULL);
 	assert(Req != NULL);
@@ -420,7 +418,19 @@ IRC_USER(CLIENT * Client, REQUEST * Req)
 						  Client_ID(Client),
 						  Req->command);
 
-		/* User name */
+		/* User name: only alphanumeric characters are allowed! */
+		ptr = Req->argv[0];
+		while (*ptr) {
+			if ((*ptr < '0' || *ptr > '9') &&
+			    (*ptr < 'A' || *ptr > 'Z') &&
+			    (*ptr < 'a' || *ptr > 'z')) {
+				Conn_Close(Client_Conn(Client), NULL,
+					   "Invalid user name", true);
+				return DISCONNECTED;
+			}
+			ptr++;
+		}
+
 #ifdef IDENTAUTH
 		ptr = Client_User(Client);
 		if (!ptr || !*ptr || *ptr == '~')
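Review bot: An empty user name passes the new validation, because `while (*ptr)` never executes its body when `Req->argv[0]` is `""`, and nothing visible in this hunk rejects that case. If the request parser can deliver an empty first parameter, guard it before the loop with `if (!*ptr) { Conn_Close(Client_Conn(Client), NULL, "Invalid user name", true); return DISCONNECTED; }`. The log-message argument to `Conn_Close` is `NULL`, so it is worth confirming that the rejected connection still leaves an audit trail identifying the peer, since repeated invalid USER attempts are a useful signal for operators. The explicit range comparisons are ASCII-only and locale-independent, which looks intentional; a short comment such as `/* ASCII ranges on purpose: isalnum() is locale-dependent */` would keep a later cleanup from replacing them. The body of IRC_USER continues outside this hunk, so a length limit or empty check may already exist further down.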