Generally consider usernames with bytes less than 0x20 as invalid

NUL bytes, newlines (LF was already restricted) and other ASCII control
characters have no business of existing within an username.

diff --git a/wcfsetup/install/files/lib/util/UserUtil.class.php b/wcfsetup/install/files/lib/util/UserUtil.class.php
index 3c4d9d6579a3e304e82c0807613f54b54f5faed0..d8487459a5fd59b6ddcf7058bb75684cb10eadf5 100644 (file)
--- a/wcfsetup/install/files/lib/util/UserUtil.class.php
+++ b/wcfsetup/install/files/lib/util/UserUtil.class.php
@@ -25,7 +25,7 @@ final class UserUtil
         }
 
         // check illegal characters
-        if (!\preg_match('!^[^,\n]+$!', $name)) {
+        if (!\preg_match('/^[^\x00-\x19,]+$/', $name)) {
             return false;
         }
         // check long words