Fix #104. Filter user id literal for comparison.

AKSW · Apr 29, 2016 · 1e1253a · 1e1253a
1 parent 40c1caa
commit 1e1253a
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/library/Erfurt/Auth/Identity/Recovery.php b/library/Erfurt/Auth/Identity/Recovery.php
@@ -60,8 +60,10 @@ public function validateUser($identity)
         $query->addFrom($config->ac->modelUri);
         $query->setSelectClause('SELECT *');
         $query->setWherePart(
-            '{ ?user <' . $config->ac->user->name . '> "' . $identity . '" .
-             OPTIONAL { ?user <' . $config->ac->user->mail . '> ?mail . } }'
+            '{ ?user <' . $config->ac->user->name . '> ?identity .
+            OPTIONAL { ?user <' . $config->ac->user->mail . '> ?mail . }
+            FILTER (STR(?identity) = "' . $identity . '")
+            }'
         );
 
         $resultUser  = $store->sparqlQuery($query, array('use_ac' => false));
@@ -85,7 +87,7 @@ public function validateUser($identity)
             $username = $resultMail[0]['name'];
             $mailAddr = $identity;
         } else {
-            
+
             throw new Erfurt_Auth_Identity_Exception('Unknown user identifier.');
         }
 
@@ -201,7 +203,7 @@ public function validateHash($hash)
         if ( !empty($resultUser) ) {
             return $resultUser[0]['user'];
         } else {
-            
+
             throw new Erfurt_Auth_Identity_Exception('Invalid recovery session identifier.');
         }
 
@@ -222,17 +224,17 @@ public function resetPassword( $hash, $password1, $password2)
         $ret = false;
 
         if ($password1 !== $password2) {
-            
+
             throw new Erfurt_Auth_Identity_Exception('Passwords do not match.');
         } else if (strlen($password1) < 5) {
-            
+
             throw new Erfurt_Auth_Identity_Exception('Password needs at least 5 characters.');
         } else if (
             isset($actionConfig['passregexp']) &&
             $actionConfig['passregexp'] != '' &&
             !@preg_match($actionConfig['passregexp'], $password1)
         ) {
-            
+
             throw new Erfurt_Auth_Identity_Exception('Password does not match regular expression set in system configuration');
         } else {
             // Set new password.