From 6514a719ff3ef90eea8736c2ed879028281014da Mon Sep 17 00:00:00 2001
From: Joost van Dijk
Date: Fri, 2 Oct 2015 15:14:14 +0200
Subject: [PATCH] relax regexp for input validation on userids
---
 www/tiqr/tiqr.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/www/tiqr/tiqr.php b/www/tiqr/tiqr.php
index bc7a8320..605d1a5e 100644
--- a/www/tiqr/tiqr.php
+++ b/www/tiqr/tiqr.php
@@ -118,7 +118,7 @@ function register( $enrollmentSecret, $secret, $notificationType, $notificationA
 break;
 case "login":
 $sessionKey = preg_replace("/[^a-zA-Z0-9]+/", "", $_POST['sessionKey']);
- $userId = preg_replace("/[^a-zA-Z0-9]+/", "", $_POST['userId']);
+ $userId = preg_replace("/[^a-zA-Z0-9_-]+/", "", $_POST['userId']);
 $response = preg_replace("/[^a-zA-Z0-9]+/", "", $_POST['response']);
 logger()->addInfo(sprintf("received authentication response (%s) from user '%s' for session '%s'", $response, $userId, $sessionKey));
 $result = login( $sessionKey, $userId, $response );
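Review bot: The widened pattern on the `$userId` line still strips disallowed characters instead of rejecting the request, so two different submitted ids (constructed samples: `a.b` and `ab`) collapse to the same `$userId` before `login()` runs, and the log records the rewritten value rather than what was sent. Validating and refusing is safer than rewriting, for example `if (!isset($_POST['userId']) || !is_string($_POST['userId']) || !preg_match('/^[a-zA-Z0-9_-]+$/D', $_POST['userId'])) { /* fail the request the way this script reports other errors */ }`, which also covers a missing or array-valued field. The same reasoning applies to `sessionKey` and `response` on the neighbouring lines. The info-level log line writes `$response` to the log; if that value is the authentication response itself, it is worth confirming that the log is an acceptable place for it. The enclosing `switch` starts and ends outside the hunk.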