Make user enumeration harder.

kohler · Sep 5, 2024 · 4259850 · 4259850
1 parent c145497
commit 4259850
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/scripts/script.js b/scripts/script.js
@@ -464,7 +464,7 @@ function check_sessioninfo(data, options) {
 $(document).ajaxError(function (evt, jqxhr, options, httperror) {
     if (jqxhr.readyState != 4)
         return;
-    var data;
+    let data;
     if (jqxhr.responseText && jqxhr.responseText.charAt(0) === "{") {
         try {
             data = JSON.parse(jqxhr.responseText);

diff --git a/src/api/api_user.php b/src/api/api_user.php
@@ -21,7 +21,10 @@ static function user(Contact $user, Qrequest $qreq, ?PaperInfo $prow) {
         if (($email = trim($qreq->email ?? "")) === "") {
             return JsonResult::make_missing_error("email");
         }
-        if (!is_valid_utf8($email)) {
+        if (!is_valid_utf8($email)
+            || ($at = strpos($email, "@")) === false
+            || $at === 0
+            || ($dot = strpos($email, ".", $at + 1)) === false) {
             return JsonResult::make_parameter_error("email");
         }