From 36d8100e17f9dacc0fbc55bcf0794bde8cbdbf85 Mon Sep 17 00:00:00 2001
From: Shoghi Cervantes
Date: Sat, 20 Sep 2014 18:26:17 +0200
Subject: [PATCH] Protect against \0 attacks on name checking
---
 src/pocketmine/Player.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pocketmine/Player.php b/src/pocketmine/Player.php
index cd88e637bc..57ce568375 100644
--- a/src/pocketmine/Player.php
+++ b/src/pocketmine/Player.php
@@ -1182,7 +1182,7 @@ class Player extends Human implements CommandSender, InventoryHolder, IPlayer{
 return;
 }
- if(preg_match('#^[a-zA-Z0-9_]{3,16}$#', $packet->username) == 0 or $this->username === "" or $this->iusername === "rcon" or $this->iusername === "console" or strlen($packet->username) > 16 or strlen($packet->username) < 3){
+ if(strpos($packet->username, "\x00") !== false or preg_match('#^[a-zA-Z0-9_]{3,16}$#', $packet->username) == 0 or $this->username === "" or $this->iusername === "rcon" or $this->iusername === "console" or strlen($packet->username) > 16 or strlen($packet->username) < 3){
 $this->close("", "Bad username");
 return;
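Review bot: The `$` anchor in the pattern on the changed `if` line still accepts a name that ends in a single newline. Without the `D` modifier, PCRE's `$` also matches just before a final `\n`, so a 3–15 character name followed by `\n` passes both the regex and the `strlen` bounds. The added `strpos` check covers only the NUL byte, so anchoring strictly is the more general fix: `preg_match('#^[a-zA-Z0-9_]{3,16}\z#', $packet->username) == 0` (or keep `$` and append `D` to the pattern). The enclosing method starts and ends outside the hunk, so it is not visible here whether `$this->username` and `$this->iusername` are derived from `$packet->username` before this check; if they are, the `rcon`/`console` comparisons run on the same unvalidated value and rely on this anchor being strict.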