From 9beb47c0676962440d94b2bedac6a6f5bc8c5f8e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 7 Aug 2023 09:20:06 +0200
Subject: [PATCH] [Web] fix malformed_username check
---
 data/web/inc/functions.auth.inc.php | 30 ++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 6cc0166f1a..8c35c11849 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -47,12 +47,14 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
 function admin_login($user, $pass){
 global $pdo;
- if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
- $_SESSION['return'][] = array(
- 'type' => 'danger',
- 'log' => array(__FUNCTION__, $user, '*'),
- 'msg' => 'malformed_username'
- );
+ if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+ if (!$is_internal){
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $user, '*'),
+ 'msg' => 'malformed_username'
+ );
+ }
 return false;
 }
@@ -99,12 +101,14 @@ function admin_login($user, $pass){
 function domainadmin_login($user, $pass){
 global $pdo;
- if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
- $_SESSION['return'][] = array(
- 'type' => 'danger',
- 'log' => array(__FUNCTION__, $user, '*'),
- 'msg' => 'malformed_username'
- );
+ if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+ if (!$is_internal){
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $user, '*'),
+ 'msg' => 'malformed_username'
+ );
+ }
 return false;
 }
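Review bot: `$is_internal` is read in the added `if (!$is_internal){` of admin_login, but the visible signature is `admin_login($user, $pass)` and the check sits directly after `global $pdo;`, so nothing defines the variable at that point; the domainadmin_login hunk has the same problem. PHP evaluates the undefined variable as null and raises a warning, so the guard is always true and only adds noise to the authentication path. Either drop the wrapper in both functions, or add an optional `$extra = null` parameter and set `$is_internal = $extra['is_internal'] ?? false;` before the check, in line with how keycloak_mbox_login_rest takes the flag from `$extra`. Accepting anything that passes `FILTER_VALIDATE_EMAIL` also widens `$user` beyond the old alphanumeric plus `_`, `.`, `-` set (a single quote is valid in an email local part), so the code after the check, which lies outside both hunks, should be confirmed to bind `$user` as a query parameter and to escape it wherever the `log` entry is rendered.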
@@ -315,7 +319,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){ $is_internal = $extra['is_internal']; $create = $extra['create']; - + if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) { if (!$is_internal){ $_SESSION['return'][] = array(