From f3024402978b79b0e6e2b8cc2549e0ec6df5021d Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Mon, 24 May 2021 17:08:28 +0200
Subject: [PATCH] [ticket/security/254] Disallow whitespace characters that might be invisible

SECURITY-254
---
 phpBB/includes/functions_user.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index a820600eb5..8cfad36773 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1752,7 +1752,8 @@ function validate_username($username, $allowed_username = false, $allow_all_name
 }
 // ... fast checks first.
- if (strpos($username, '"') !== false || strpos($username, '"') !== false || empty($clean_username))
+ if (strpos($username, '"') !== false || strpos($username, '"') !== false || empty($clean_username)
+ || preg_match('/[\x{180E}\x{2005}-\x{200D}\x{202F}\x{205F}\x{2060}\x{FEFF}]/u', $username))
 {
 return 'INVALID_CHARS';
 }
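Review bot: The added `preg_match(...)` condition fails open: with the `/u` modifier, `preg_match` returns `false` when `$username` is not valid UTF-8, and `false` is falsy in this `||` chain, so the invisible-character check is skipped instead of rejecting the name. Unless every caller is guaranteed to pass already-validated UTF-8 (not visible in this hunk), compare explicitly so a PCRE error also yields `INVALID_CHARS`: `|| preg_match('/[\x{180E}\x{2005}-\x{200D}\x{202F}\x{205F}\x{2060}\x{FEFF}]/u', $username) !== 0)`. The class is also a fixed denylist whose range begins at U+2005, so coverage of other space and format code points depends on checks outside this hunk; a Unicode property class such as `\p{Cf}` would be less likely to go stale. A one-line comment above the condition naming the listed code points would help the next reviewer. The body of validate_username starts and ends outside the hunk.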