Auto encrypting password does not work if username contains a square bracket

[SXN31]

Code of Conduct

• I agree to follow this project's Code of Conduct.

Submission validity

• This is not a personal support request, that should be posted on discussions community.
• I checked current issues and this request isn't a duplicate of an existing issue, opened or closed.

Self troubleshooting

• I've read the documentation and made sure to follow it.
• I've read the troubleshooting first steps and frequent issues guides.

Version

1.9.1

Description

If a user's name includes square brackets, the password will not be encrypted and a preg_replace error is reported.

Expectation

The password to be encrypted without any issue.

Reproduction steps

Add

$yourls_user_passwords = array(
    'testuser[2]' => 'password',
);

Context

Seems like the bracket might be breaking something for the preg_replace pattern.

YOURLS/includes/functions-auth.php

Line 216 in 3b69f2b

$pattern = "/[$quotes]${user}[$quotes]\s*=>\s*[$quotes]" . preg_quote( $password, '/' ) . "[$quotes]/";

I only tried curly braces as an additional test, which did work, but even just 1 square bracket breaks the encryption.

[ozh]

That's a very clear issue, thanks for reporting

Looks like a simple case of enclosing $user inside a preg_quote(), see https://3v4l.org/8t8Po

[SXN31]

Changing line 216 to

$pattern = "/[$quotes]" . preg_quote( $user, '/' ) . "[$quotes]\s*=>\s*[$quotes]" . preg_quote( $password, '/' ) . "[$quotes]/";

Appears to have worked for my test user with square brackets.

[LeoColomb]

Looks great!
Do you think you could open a pull request with that change?

[ozh]

Closed via linked PR