commit 6680b536c4da7dc27e11490fe098e98cb0393fa2 from: Alexander Barton date: Fri Jun 01 21:57:51 2012 UTC USER command: only allow alphanumeric characters in user name Only alphanumeric characters are allowed in the user name, so terminate the connection if any "strange" characters have been supplied by the user. This is how other IRC daemons (like ircd2.11 and ircd-seven) behave ... commit - a21a7d8b66bada3c581b7d1fe4279432344f2fd5 commit + 6680b536c4da7dc27e11490fe098e98cb0393fa2 blob - 6c1c708a61d49532e29d8c86136228fb492e4af7 blob + 3fb1b902412118e2cad5b58bcae8af0dacec6379 --- src/ngircd/irc-login.c +++ src/ngircd/irc-login.c @@ -400,9 +400,7 @@ GLOBAL bool IRC_USER(CLIENT * Client, REQUEST * Req) { CLIENT *c; -#ifdef IDENTAUTH char *ptr; -#endif assert(Client != NULL); assert(Req != NULL); @@ -420,7 +418,19 @@ IRC_USER(CLIENT * Client, REQUEST * Req) Client_ID(Client), Req->command); - /* User name */ + /* User name: only alphanumeric characters are allowed! */ + ptr = Req->argv[0]; + while (*ptr) { + if ((*ptr < '0' || *ptr > '9') && + (*ptr < 'A' || *ptr > 'Z') && + (*ptr < 'a' || *ptr > 'z')) { + Conn_Close(Client_Conn(Client), NULL, + "Invalid user name", true); + return DISCONNECTED; + } + ptr++; + } + #ifdef IDENTAUTH ptr = Client_User(Client); if (!ptr || !*ptr || *ptr == '~')
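Review bot: The new `while (*ptr)` loop in the second hunk accepts an empty `Req->argv[0]`, because a zero-length string never enters the loop body and so passes the allowlist. Whether the request parser can deliver an empty first argument is not visible here, but the case is cheap to close by testing `*ptr == '\0'` before the loop and ending the connection through the same `Conn_Close(...)` / `return DISCONNECTED;` path. The open-coded ASCII ranges are a sound choice over `isalnum()` (no locale dependence, and bytes above 0x7F are rejected whether `char` is signed or unsigned); the comment should say this, e.g. `/* ASCII ranges on purpose: isalnum() is locale-dependent */`, so a later cleanup does not swap them out. The check also runs before the `#ifdef IDENTAUTH` block, so a client is disconnected for a bad USER argument even when the name from `Client_User()` would presumably take precedence; if that is intended, the comment should state it. The body of IRC_USER continues outside the hunk.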