Use "\z" instead of "$" to anchor validating regular expressions

Summary: Via HackerOne. In regular expressions, "$" matches "end of input, or before terminating newline". This means that the expression `/^A$/` matches two strings: `"A"`, and `"A\n"`. When we care about this, use `\z` instead, which matches "end of input" only. This allowed registration of `"username\n"` and similar. Test Plan: - Grepped codebase for all calls to `preg_match()` / `preg_match_all()`. - Fixed the ones where this seemed like it could have an impact. - Added and executed unit tests. Reviewers: btrahan Reviewed By: btrahan Subscribers: aran, epriestley Differential Revision: https://secure.phabricator.com/D8516
2014-03-13 12:42:41 -07:00
parent 58877a9b6c
commit 969d0c3e8d
15 changed files with 27 additions and 13 deletions
--- a/src/applications/diffusion/controller/DiffusionRepositoryCreateController.php
+++ b/src/applications/diffusion/controller/DiffusionRepositoryCreateController.php
@@ -365,7 +365,7 @@ final class DiffusionRepositoryCreateController
      $c_call->setError(pht('Required'));
      $page->addPageError(
        pht('You must choose a callsign for this repository.'));
-    } else if (!preg_match('/^[A-Z]+$/', $v_call)) {
+    } else if (!preg_match('/^[A-Z]+\z/', $v_call)) {
      $c_call->setError(pht('Invalid'));
      $page->addPageError(
        pht('The callsign must contain only UPPERCASE letters.'));