Implement Openfire username escaping (#703)

* Fix openfire username sanitize function * Use escaping instead of stripping characters
2025-07-16 16:00:17 +02:00 · 2017-02-10 13:30:57 +10:00 · 2017-02-10 13:30:57 +10:00 · 489b9a601d
commit 489b9a601d
parent ff1c2030ca
2 changed files with 34 additions and 6 deletions
--- a/services/modules/openfire/manager.py
+++ b/services/modules/openfire/manager.py
@ -37,9 +37,30 @@ class OpenfireManager:
        return completed_username

    @staticmethod
-    def __santatize_username(username):
-        sanatized = username.replace(" ", "_")
-        return sanatized.lower()
+    def __sanitize_username(username):
+        # https://xmpp.org/extensions/xep-0106.html#escaping
+        replace = [
+            ("\\", "\\5c"),  # Escape backslashes first to double escape existing escape sequences
+            ("\"", "\\22"),
+            ("&", "\\26"),
+            ("'", "\\27"),
+            ("/", "\\2f"),
+            (":", "\\3a"),
+            ("<", "\\3c"),
+            (">", "\\3e"),
+            ("@", "\\40"),
+            ("\u007F", ""),
+            ("\uFFFE", ""),
+            ("\uFFFF", ""),
+            (" ", "\\20"),
+        ]
+
+        sanitized = username.strip(' ')
+
+        for find, rep in replace:
+            sanitized = sanitized.replace(find, rep)
+
+        return sanitized

    @staticmethod
    def __generate_random_pass():
@ -54,17 +75,17 @@ class OpenfireManager:
    def add_user(username):
        logger.debug("Adding username %s to openfire." % username)
        try:
-            sanatized_username = OpenfireManager.__santatize_username(username)
+            sanitized_username = OpenfireManager.__sanitize_username(username)
            password = OpenfireManager.__generate_random_pass()
            api = ofUsers(settings.OPENFIRE_ADDRESS, settings.OPENFIRE_SECRET_KEY)
-            api.add_user(sanatized_username, password)
+            api.add_user(sanitized_username, password)
            logger.info("Added openfire user %s" % username)
        except exception.UserAlreadyExistsException:
            # User exist
            logger.error("Attempting to add a user %s to openfire which already exists on server." % username)
            return "", ""

-        return sanatized_username, password
+        return sanitized_username, password

    @staticmethod
    def delete_user(username):
--- a/services/modules/openfire/tests.py
+++ b/services/modules/openfire/tests.py
@ -205,3 +205,10 @@ class OpenfireManagerTestCase(TestCase):

        self.assertEqual(len(password), 16)
        self.assertIsInstance(password, type(''))
+
+    def test__sanitize_username(self):
+        test_username = " My_Test User\"'&/:<>@name\\20name"
+
+        result_username = self.manager._OpenfireManager__sanitize_username(test_username)
+
+        self.assertEqual(result_username, 'My_Test\\20User\\22\\27\\26\\2f\\3a\\3c\\3e\\40name\\5c20name')