authorScott Ullrich <sullrich@G5.local>2009-11-14 17:39:30 -0500
committerScott Ullrich <sullrich@G5.local>2009-11-14 17:39:30 -0500
commit647a109019beb2d4960c51aa406b68db80a28900 (patch)
tree9f067d2e3d583a7af5262ed056d27498a16533f4
parent7466951af7b3ec98fc6c683e427cbc77c876f99a (diff)
Sanitize username and only return letters numbers and spaces on the username. This eliminates the error during login that was cosmetic only in nature. The previous two commits were edge cases as the webConfigurator would never allow a blank username or password and was revised just for completeness' sake.
-rw-r--r--etc/inc/auth.inc8
1 files changed, 7 insertions, 1 deletions
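--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1,6 +1,7 @@
 <?php
 /* $Id$ */
 /*
+ Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>
 Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
 All rights reserved.
@@ -84,6 +85,11 @@ function passwd_backed_basic_auth() {
 return false;
 }
+function sanitize_username($str) {
+ // return letters, spaces and numbers only
+ return preg_replace('/[^A-Za-z0-9\s ]/', '', $str);
+}
+
 function htpasswd_backed_basic_auth() {
 global $HTTP_SERVER_VARS;
@@ -111,7 +117,7 @@ function htpasswd_backed_basic_auth() {
 continue;
 /* Check to see if user even exists */
- $username = $HTTP_SERVER_VARS['AUTH_USER'];
+ $username = sanitize_username($HTTP_SERVER_VARS['AUTH_USER']);
 if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
 continue;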
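Review bot: The character class in `sanitize_username` is wider than the "letters, numbers and spaces" the comment and commit message promise: `\s` already covers the space character, so the trailing literal ` ` is redundant, and `\s` also admits tab, CR and LF, which are not "spaces" in the sense a username whitelist usually means. Stripping rather than rejecting also maps distinct inputs onto the same lookup key (`ad!min` and `admin` resolve to the same htpasswd entry), and if the htpasswd file holds names containing `.`, `-`, `_` or `@` those users would stop matching after this change, so it is worth confirming which characters existing entries use before settling the whitelist. A form that matches the documented intent is `return preg_replace('/[^A-Za-z0-9 ]/', '', $str);`, and a docblock stating that the function drops (not rejects) everything outside that set would keep callers from assuming the returned name equals the one the client sent.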
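Review bot: The sanitized `$username` is still interpolated directly into the `preg_grep` pattern, so the lookup's safety against pattern metacharacters now rests entirely on `sanitize_username`'s whitelist staying as strict as it is today; quoting at the use site, `preg_grep('/^' . preg_quote($username, '/') . ':/', $authfile)`, would make that guarantee local and independent of the whitelist. Because `sanitize_username` removes characters instead of failing, the entry found here can belong to a name other than the one the client supplied; whether the subsequent password check and any logging use the sanitized or the raw `AUTH_USER` value is outside this hunk — `htpasswd_backed_basic_auth` continues beyond it — and deserves a look, since a mismatch there is exactly the kind of cosmetic-looking error this commit set out to remove.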