From 7af8744c856545f62a2f24fd1a700f40b90b8e37 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 11 Feb 2021 09:57:57 +0300
Subject: authentication: make logins case-insensitive (force lowercase)
---
 classes/handler/public.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'classes/handler/public.php')
diff --git a/classes/handler/public.php b/classes/handler/public.php
index 13a6af4b1..a1ed667be 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -248,7 +248,7 @@ class Handler_Public extends Handler {
 $login = clean($_REQUEST["login"]);
 $fresh = clean($_REQUEST["fresh"]) == "1";
- $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?");
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)");
 $sth->execute([$login]);
 if ($row = $sth->fetch()) {
@@ -272,7 +272,7 @@ class Handler_Public extends Handler {
 if ($login) {
 $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
- WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title");
+ WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND LOWER(login) = LOWER(?) ORDER BY title");
 $sth->execute([$login]);
 $rv = [ [ "value" => 0, "label" => __("Default profile") ] ];
@@ -941,7 +941,7 @@ class Handler_Public extends Handler {
 if ($login) {
 $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
- WHERE login = ?");
+ WHERE LOWER(login) = LOWER(?)");
 $sth->execute([$login]);
 if ($row = $sth->fetch()) {
@@ -1026,7 +1026,7 @@ class Handler_Public extends Handler {
 $_SESSION["pwdreset:testvalue2"] = rand(1, 1000);
 $sth = $this->pdo->prepare("SELECT id FROM ttrss_users
- WHERE login = ? AND email = ?");
+ WHERE LOWER(login) = LOWER(?) AND email = ?");
 $sth->execute([$login, $email]);
 if ($row = $sth->fetch()) {
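Review bot: The new `WHERE LOWER(login) = LOWER(?)` lookup can match more than one row if `ttrss_users` already holds logins that differ only in case, and the `if ($row = $sth->fetch())` context line then silently takes whichever row the database returns first; the same ambiguity applies to the lookups in the hunks at @@ -272, @@ -941, @@ -1026 and @@ -1066. The diff adds neither a unique functional index on `LOWER(login)` nor a migration that lower-cases existing rows, so despite the subject's "force lowercase" nothing guarantees a single match. Until uniqueness is enforced in the schema, consider treating an ambiguous match as no match, e.g. `$rows = $sth->fetchAll(); if (count($rows) !== 1) { return; }` before using the id, and note that wrapping the column in `LOWER()` also defeats a plain index on `login`, which a functional index would restore. The enclosing method starts and ends outside this hunk.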
@@ -1066,7 +1066,7 @@ class Handler_Public extends Handler {
 $sth = $this->pdo->prepare("UPDATE ttrss_users SET resetpass_token = ?
- WHERE login = ? AND email = ?");
+ WHERE LOWER(login) = LOWER(?) AND email = ?");
 $sth->execute([$resetpass_token_full, $login, $email]);
-- cgit v1.2.3
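Review bot: The UPDATE in this hunk re-matches the account by `LOWER(login)` and `email` instead of using the `id` already obtained by the @@ -1026 lookup, so if the case-insensitive match is ambiguous the new reset token is written to every matching row rather than the one account that was validated. If `$row["id"]` from that earlier `fetch()` is still in scope here (the enclosing method starts outside the hunk, so this is inferred), the safer form is `UPDATE ttrss_users SET resetpass_token = ? WHERE id = ?` executed with `$sth->execute([$resetpass_token_full, $row["id"]]);`. That ties the token to a single primary key and removes the need for any case handling in the write path.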