Feature Requests

When attempting to use an email address as a username, m0n0wall rejected the name as invalid. The message is:

The following input errors were detected:

    The username contains invalid characters.

Email addresses are easy for users to remember, so they seem like a natural choice. Plus, they are unique and don't suffer collisions like handles.

I believe the message is from webgui/vpn_pptp_users_edit.php (around line 65):

Code:

if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['username']))
$input_errors[] = "The username contains invalid characters.";

Please allow email addresses as usernames.

*****

The same issue appears to show up in a few places:

Code:

release-1.8.1$ grep -R "The username contains invalid characters" *
webgui/services_captiveportal_users_edit.php: $input_errors[] = "The username contains invalid characters.";
webgui/services_dyndns.php: $input_errors[] = "The username contains invalid characters.";
webgui/system_usermanager.php:     $input_errors[] = "The username contains invalid characters.";
webgui/vpn_pptp_users_edit.php: $input_errors[] = "The username contains invalid characters.";

*****

webgui/system.php appears to have a similar restriction, but the error message is different:

Code:

if ($_POST['username'] && !preg_match("/^[a-zA-Z0-9]*$/", $_POST['username'])) {
$input_errors[] = "The username may only contain the characters a-z, A-Z and 0-9.";
}

*****

Related.... from the same file, it looks like the rejection on passwords is somewhat aggressive:

Code:

if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['password']))
$input_errors[] = "The password contains invalid characters.";

In the case of passwords, it might be best to allow the entire alphabet. Perhaps the "Base 64 Encoding with URL and Filename Safe Alphabet" of RFC 4648 (http://tools.ietf.org/html/rfc4648#page-7) would be helpful. As a matter of fact, it looks like that regex is for the safe alphabet since it includes the dash and underscore (sans the pad character).

The safe alphabet is easy to do in Javascript, and it is amicable to HTML's POST and GET methods. And the safe alphabet does not change the entropy in the password.