Fixes possible vulnerabilities with keyword hijacking

[ghost]

This fixes #3700. Apparently nothing in the public/ directory is actually filtered out from possible usernames, which means we can have try.gogs.io/css as a possible username. This could be quite dangerous in terms of XSS or some other exploit.

Also @unknwon, how did you derp so hard in variable naming? reversed? really?

[tboerger]

Please reopen against master.

[bkcsoft]

Quick side-note on this one, can't we use the router to check for collisions? instead of having a static (sometimes broken ) list?

[strk]

Let's go there incrementally @bkcsoft -- bugfix is important.
Rather, @LefsFlarey, could you try adding a testcase for checking reserved username handling ?
Other than that, LGTM

[bkcsoft]

Same request as @strk, we need tests 😄

ping me when it's done and I'll LG_TM and Merge 😉

[bkcsoft]

ooh, and rebase 😒

[ghost]

@strk What do you mean by 'testcase'?

@bkcsoft I don't think a rebase is necessary for a PR, since it merges just fine.

[codecov-io]

Current coverage is 2.18% (diff: 0.00%)

Merging #20 into master will not change coverage

@@            master       #20   diff @@
========================================
  Files           31        31          
  Lines         7508      7508          
  Methods          0         0          
  Messages         0         0          
  Branches         0         0          
========================================
  Hits           164       164          
  Misses        7327      7327          
  Partials        17        17          

Powered by Codecov. Last update 03902bb...427bd15

[bkcsoft]

This function can be tested 🙂

[ghost]

Wait, why does that even need testing? It's a very straightforward function.

[strk]

On Fri, Nov 04, 2016 at 11:52:04AM -0700, LefsFlare wrote:

@strk What do you mean by 'testcase'?

See https://golang.org/pkg/testing/

[strk]

Then it'd be a straightforward test ?

[thibaultmeyer]

LGTM

[tboerger]

@0xBAADF00D stop that! You can't merge prs when there are pending requests for changes!!! Otherwise I will drop the rights for that.

[thibaultmeyer]

ok @tboerger, I understand

[camlafit]

Hello

I've encountered a problem with this patch. With last version 1.9.2, I've tried to rename an organization to "plugins" as it's its final purpose. I've got a simple error 500.

I've check to on gitea.log to see a notice about reserved word without any information. And many thank to our chat as I've got a link to this PR (easier to understand my 500 error :)

I see at least two problems :

• First we can't provide an error 500 when organization is renamed with one of these reserved words. It's only an action forbidden. At least miss an information about this list of reserved words.
• Second problem, in my use case "plugins" is really licit, this organization has to purpose to manage a plugins collection.
  I've do a workaround with "plugin" but If I've understood the initial problem this word should be prohibited. And looks difficult to maintain a harcoded list because we must manage any variant word and could be add many conflict with licit organization purpose.

Edit : New issue was opened #8072

Thank a lot