author | Scott Ullrich <sullrich@G5.local> | 2009-11-14 17:39:30 -0500 |
committer | Scott Ullrich <sullrich@G5.local> | 2009-11-14 17:39:30 -0500 |
commit | 647a109019beb2d4960c51aa406b68db80a28900 (patch) | |
tree | 9f067d2e3d583a7af5262ed056d27498a16533f4 /etc/inc/auth.inc | |
parent | 7466951af7b3ec98fc6c683e427cbc77c876f99a (diff) | |
Sanitize the username and keep only letters, numbers and spaces in it. This eliminates the error during login, which was cosmetic only in nature. The previous two commits were edge cases, as the webConfigurator would never allow a blank username or password; they were revised just for completeness' sake.
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r-- | etc/inc/auth.inc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 387f17c..4c02aad 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1,6 +1,7 @@
 <?php
 /* $Id$ */
 /*
+ Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>
 Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
 All rights reserved.
@@ -84,6 +85,11 @@ function passwd_backed_basic_auth() {
 return false;
 }
+function sanitize_username($str) {
+ // return letters, spaces and numbers only
+ return preg_replace('/[^A-Za-z0-9\s ]/', '', $str);
+}
+
 function htpasswd_backed_basic_auth() {
 global $HTTP_SERVER_VARS;
@@ -111,7 +117,7 @@ function htpasswd_backed_basic_auth() {
 continue;
 /* Check to see if user even exists */
- $username = $HTTP_SERVER_VARS['AUTH_USER'];
+ $username = sanitize_username($HTTP_SERVER_VARS['AUTH_USER']);
 if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
 continue; |
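Review bot: Stripping characters from the username before the lookup on the last changed line means that several distinct inputs (`admin`, `admin.`, `ad-min`) all resolve to the same htpasswd record, so the identity being authenticated is no longer the one the client supplied; the regex error the commit fixes is better handled by escaping the name than by rewriting it. Keep `$username = $HTTP_SERVER_VARS['AUTH_USER'];` and build the pattern with `preg_quote`: `if(!($line = array_shift(preg_grep("/^" . preg_quote($username, '/') . ":.*$/", $authfile))))`. In `sanitize_username` (second hunk) the class `[^A-Za-z0-9\s ]` lists a space that `\s` already covers, and `\s` also admits tabs and newlines, which the comment above it does not suggest is intended; if the helper is kept, `[^A-Za-z0-9 ]` says what the comment says. htpasswd_backed_basic_auth continues outside the hunk, so it is not visible here how the matched `$line` is compared against the supplied password.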