Relax PPTP password restrictions, just prevent starting with a !, and limit to common printable/keyboard characters so it doesn't result in invalid xml. Fixes #1720

2 files changed, 7 insertions, 5 deletions

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 921743f..128f403 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1189,8 +1189,10 @@ EOD;
 			$mpdsecret = "";
 
 			if (is_array($pptpdcfg['user'])) {
-				foreach ($pptpdcfg['user'] as $user)
-					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
+				foreach ($pptpdcfg['user'] as $user) {
+					$pass = str_replace('"', '\"', $user['password']);
+					$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
+				}
 			}
 
 			fwrite($fd, $mpdsecret);
diff --git a/usr/local/www/vpn_pptp_users_edit.php b/usr/local/www/vpn_pptp_users_edit.php
index b1b4811..7ddf348 100755
--- a/usr/local/www/vpn_pptp_users_edit.php
+++ b/usr/local/www/vpn_pptp_users_edit.php
@@ -84,12 +84,12 @@ if ($_POST) {
 	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['username']))
 		$input_errors[] = gettext("The username contains invalid characters.");
 
-	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['password']))
-		$input_errors[] = gettext("The password contains invalid characters.");
-
 	if (preg_match("/^!/", $_POST['password']))
 		$input_errors[] = gettext("The password cannot start with '!'.");
 
+	if (!preg_match("/^[\x20-\x7E]*$/", $_POST['password']))
+		$input_errors[] = gettext("The password contains invalid characters.");
+
 	if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) {
 		$input_errors[] = gettext("The passwords do not match.");
 	}