From d906a7afe29e5766d3bd88582cf2119795ef2558 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Wed, 19 Apr 2023 14:51:15 +0200
Subject: [PATCH] Generally consider usernames with bytes less than 0x20 as invalid

NUL bytes, newlines (LF was already restricted) and other ASCII control characters have no business of existing within an username.
---
 wcfsetup/install/files/lib/util/UserUtil.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/lib/util/UserUtil.class.php b/wcfsetup/install/files/lib/util/UserUtil.class.php
index 3c4d9d6579..d8487459a5 100644
--- a/wcfsetup/install/files/lib/util/UserUtil.class.php
+++ b/wcfsetup/install/files/lib/util/UserUtil.class.php
@@ -25,7 +25,7 @@ final class UserUtil
 }
 // check illegal characters
- if (!\preg_match('!^[^,\n]+$!', $name)) {
+ if (!\preg_match('/^[^\x00-\x19,]+$/', $name)) {
 return false;
 }
 // check long words
--
2.20.1
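Review bot: The new character class `[^\x00-\x19,]` ends at 0x19, so the six control bytes 0x1A–0x1F (ESC, 0x1B, among them) still pass validation even though the subject line says every byte below 0x20 is to be rejected. The upper bound should be hexadecimal 1F: `if (!\preg_match('/^[^\x00-\x1f,]+$/', $name)) {`. DEL (0x7F) is also an ASCII control character and is not covered by either range; if it should be refused as well, add `\x7f` to the class. The enclosing method starts and ends outside the hunk, so any later normalisation of `$name` is not visible here.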