--- loncom/lcuserdel	2000/10/29 22:38:21	1.9
+++ loncom/lcuserdel	2000/10/30 03:08:28	1.11
@@ -25,6 +25,11 @@ use strict;
 # Standard input usage
 # First line is USERNAME
 
+# Valid user names must consist of ascii
+# characters that are alphabetical characters
+# (A-Z,a-z), numeric (0-9), or the underscore
+# mark (_). (Essentially, the perl regex \w).
+
 # Command-line arguments [USERNAME]
 # Yes, but be very careful here (don't pass shell commands)
 # and this is only supported to allow perl-system calls.
@@ -37,9 +42,10 @@ use strict;
 # These are the exit codes.
 # ( (0,"ok"),
 #   (1,"User ID mismatch.  This program must be run as user 'www'"),
-#   (2,"Error. Too many other simultaneous password change requests being made."),
+#   (2,"Error. This program needs just 1 command-line argument (username).") )
 #   (3,"Error. Only one line should be entered into standard input."),
-#   (4,"Error. This program needs just 1 command-line argument (username).") )
+#   (4,"Error. Too many other simultaneous password change requests being made."),
+#   (5,"Error. The user name specified has invalid characters.") )
 
 # Security
 $ENV{'PATH'}=""; # Nullify path information.
@@ -96,6 +102,11 @@ else {
 my ($username)=@input;
 $username=~/^(\w+)$/;
 my $safeusername=$1;
+if ($username ne $safeusername) {
+    print "Error. The user name specified has invalid characters.\n";
+    unlink('/tmp/lock_lcpasswd');
+    exit 5;
+}
 
 &enable_root_capability;