IRC/#cemetech wrote:

[17:10] <saxjax> [#] <Cemetech> S/jr/W registered and activated a new account
[17:11] <saxjax> [#] <Cemetech> S/jr/W entered the room
[17:14] <saxjax> [D] <TuberPhD> The restrictions on usernames is so lax.
[17:22] <saxjax> [#] <Cemetech> S/jr/W reviewed file [Fractals]( )
[17:24] <notipa> uhh
[17:24] <notipa> why does that file give a 500 now
[17:25] <saxjax> [C] <> The Fractals?
[17:25] <notipa> yes
[17:25] <saxjax> [C] <> It started giving 500 since I tried to post the review.
[17:25] <saxjax> [C] <> It says I posted it, but it told me it didn't work.
[17:26] <notipa> sounds like someone didn't sanitize their inputs
[17:26] <saxjax> [C] <> Everything else works good.
[17:27] <saxjax> [C] <> *Well

Yes, their username is being displayed that way in IRC and in Discord, but properly in SAX.
Laughing Laughing Laughing
This needs to be fixed and pronto. It seems like somewhere along the line, in the username registration or in the review system, input isn't being sanitized, and its breaking file uploads. I can't even put into words how egregious of a potential security risk this is.
I wouldn't characterize this as a security risk, it's just a bug in how the archives system defined userinfo URLs that caused it to fail to generate the URL for a username containing slashes. The fix is being rolled out as I write this.

To be clear, there is no missing sanitization.
Tari wrote:
I wouldn't characterize this as a security risk.

To be fair, anything that compromises either the confidentiality, integrity, or availability of a resource is technically a security risk. A user being able to (unintentionally, even) cause a 500 error on a resource is a compromise of "availability". Just saying :p

Technicalities (and partial troll-mode) aside, good that's its being fixed.
