Adds comment to explain URL decoding in get_user_by_username

diff --git a/engine/lib/users.php b/engine/lib/users.php
index 0b4608034cccfee8c7a430a4b4afb3bea960f46a..bccfb8b0301eac09c584d6e937635a4c0db61891 100644 (file)
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,7 +553,12 @@ function get_user($guid) {
 function get_user_by_username($username) {
        global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
 
-       $username = sanitise_string(rawurldecode($username));
+       // Fixes #6052. Username is frequently sniffed from the path info, which,
+       // unlike $_GET, is not URL decoded. If the username was not URL encoded,
+       // this is harmless.
+       $username = rawurldecode($username);
+
+       $username = sanitise_string($username);
        $access = get_access_sql_suffix('e');
 
        // Caching