Hello.

In the code, the previous developer changed the regular expression used for creating a new user:

    # Signup
    url(r'^(?P<username>.+?)/signup/complete/$',

In the untouched Userena, this is the pattern on line 40:

    # Signup
    url(r'^(?P<username>[\.\w]+)/signup/complete/$',

Help me figure out what has changed. I want to throw away the changes for an easier update.

    1 answer

    The standard pattern only let through dots, Latin letters, digits and underscores in the user name.
    The new pattern lets anything through, as long as it ends in /signup/complete/
    For example:

     Vasja'); DROP TABLE users;/signup/complete/ 

    It is unlikely that this really makes an injection possible. Most likely they simply did not want to bother with regular expressions in the router when they needed to allow, for example, Cyrillic or the @ sign in the login.

    • I.e., if I have users from an inherited database with spaces, asterisks and ampersands, then I just need to change the pattern? Perhaps here ( docs.djangoproject.com/en/dev/howto/legacy-databases ) I will find all the answers. Thanks :) - Anton Feoktistov
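The difference described in the answer, as an added example that is not part of the original thread or of Userena's code: it runs the two patterns quoted above over constructed usernames with Python's `re` module, outside Django. It goes one step beyond the thread by adding a third pattern, `NARROW`, which is an assumption here: it uses the character set of Django's stock username validator (`[\w.@+-]`) to show that `@` can be allowed without accepting everything.

```python
import re

# STOCK and MODIFIED are the two patterns quoted on this page.
# NARROW is an added alternative (assumption): the character set of
# Django's stock username validator, [\w.@+-].
STOCK = re.compile(r'^(?P<username>[\.\w]+)/signup/complete/$')
MODIFIED = re.compile(r'^(?P<username>.+?)/signup/complete/$')
NARROW = re.compile(r'^(?P<username>[\w.@+-]+)/signup/complete/$')

# Constructed sample usernames; the last one is the string from the answer.
SAMPLES = [
    "vasja",
    "vasja.pupkin_01",
    "Вася",                # Python 3 str patterns: \w is Unicode-aware
    "vasja@example.com",
    "vasja pupkin",
    "a/b",                 # '.' also matches '/', so path separators pass
    "Vasja'); DROP TABLE users;",
]


def captured(pattern, username):
    """Return the username the route would pass to the view, or None."""
    match = pattern.match(username + "/signup/complete/")
    return match.group("username") if match else None


def compare(samples=SAMPLES):
    """Map each sample to the patterns that would route it."""
    return {
        s: {
            "stock": captured(STOCK, s) is not None,
            "modified": captured(MODIFIED, s) is not None,
            "narrow": captured(NARROW, s) is not None,
        }
        for s in samples
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name!r:32} {result}")
```

Whatever the route captures reaches the view as a plain string, so the URL pattern is only a first filter; the username still needs validation where it is stored or queried.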