security: fix vulnerability in changing username

Reported by João Arnaut.
8 years ago · e6dbfd918c
4 changed files with 4 additions and 4 deletions
--- a/gogs.go
+++ b/gogs.go
@ -16,7 +16,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
-const APP_VER = "0.10.7.0306"
+const APP_VER = "0.10.8.0307"
 func init() {
 	setting.AppVer = APP_VER
--- a/modules/form/user.go
+++ b/modules/form/user.go
@ -90,7 +90,7 @@ func (f *SignIn) Validate(ctx *macaron.Context, errs binding.Errors) binding.Err
 //         \/         \/                                   \/        \/        \/
 type UpdateProfile struct {
-	Name     string `binding:"OmitEmpty;MaxSize(35)"`
+	Name     string `binding:"Required;AlphaDashDot;MaxSize(35)"`
 	FullName string `binding:"MaxSize(100)"`
 	Email    string `binding:"Required;Email;MaxSize(254)"`
 	Website  string `binding:"Url;MaxSize(100)"`
--- a/templates/.VERSION
+++ b/templates/.VERSION
@ -1 +1 @@
-0.10.7.0306
+0.10.8.0307
--- a/templates/user/settings/profile.tmpl
+++ b/templates/user/settings/profile.tmpl
@ -25,7 +25,7 @@
 						</div>
 						<div class="required field {{if .Err_Email}}error{{end}}">
 							<label for="email">{{.i18n.Tr "email"}}</label>
-							<input id="email" name="email" value="{{.SignedUser.Email}}">
+							<input id="email" name="email" value="{{.SignedUser.Email}}" required>
 						</div>
 						<div class="field {{if .Err_Website}}error{{end}}">
 							<label for="website">{{.i18n.Tr "settings.website"}}</label>