diff options
author | jim-p <jimp@pfsense.org> | 2011-07-27 12:49:55 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-07-27 12:49:55 -0400 |
commit | 2c466077934c3812aed9d15b77ab515e4b3e116d (patch) | |
tree | 6c8a9fb343f978ac65ab94c5265114ce775336b9 | |
parent | c355573484bead1410cca17b20ba831d7328d366 (diff) | |
download | pfsense-2c466077934c3812aed9d15b77ab515e4b3e116d.zip pfsense-2c466077934c3812aed9d15b77ab515e4b3e116d.tar.gz |
Relax PPTP password restrictions, just prevent starting with a !, and limit to common printable/keyboard characters so it doesn't result in invalid xml. Fixes #1720
-rw-r--r-- | etc/inc/vpn.inc | 6 | ||||
-rwxr-xr-x | usr/local/www/vpn_pptp_users_edit.php | 6 |
2 files changed, 7 insertions, 5 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index a217cc7..b731fd0 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -1159,8 +1159,10 @@ EOD; $mpdsecret = ""; if (is_array($pptpdcfg['user'])) { - foreach ($pptpdcfg['user'] as $user) - $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; + foreach ($pptpdcfg['user'] as $user) { + $pass = str_replace('"', '\"', $user['password']); + $mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n"; + } } fwrite($fd, $mpdsecret); diff --git a/usr/local/www/vpn_pptp_users_edit.php b/usr/local/www/vpn_pptp_users_edit.php index b1b4811..7ddf348 100755 --- a/usr/local/www/vpn_pptp_users_edit.php +++ b/usr/local/www/vpn_pptp_users_edit.php @@ -84,12 +84,12 @@ if ($_POST) { if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['username'])) $input_errors[] = gettext("The username contains invalid characters."); - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['password'])) - $input_errors[] = gettext("The password contains invalid characters."); - if (preg_match("/^!/", $_POST['password'])) $input_errors[] = gettext("The password cannot start with '!'."); + if (!preg_match("/^[\x20-\x7E]*$/", $_POST['password'])) + $input_errors[] = gettext("The password contains invalid characters."); + if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) { $input_errors[] = gettext("The passwords do not match."); } |