diff options
| author | Phil Davis <phil.davis@inf.org> | 2016-04-19 17:08:00 +0545 |
|---|---|---|
| committer | Stephen Beaver <sbeaver@netgate.com> | 2016-04-19 08:03:21 -0400 |
| commit | a2c12f5da91eedf387ab0c7c2497775e668bd2a5 (patch) | |
| tree | eb411067ccda8ef6b6946d06049f956b78e4a4a1 /src | |
| parent | 0503e477136cae86e9579f895b13e15b26075c94 (diff) | |
| download | pfsense-a2c12f5da91eedf387ab0c7c2497775e668bd2a5.zip pfsense-a2c12f5da91eedf387ab0c7c2497775e668bd2a5.tar.gz | |
Handle single quotes in user names for CP
Forum: https://forum.pfsense.org/index.php?topic=110243.0
This is a trial - make sure it really works before committing.
(cherry picked from commit 6fb36cdd74dd005a9a2bc799889978b4897e6dcf)
Diffstat (limited to 'src')
| -rw-r--r-- | src/etc/inc/captiveportal.inc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc index 0b620b1..0bb4a8d 100644 --- a/src/etc/inc/captiveportal.inc +++ b/src/etc/inc/captiveportal.inc @@ -2086,7 +2086,7 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri /* read in client database */ $query = "WHERE ip = '{$clientip}'"; - $tmpusername = strtolower($username); + $tmpusername = str_replace("'", "''", strtolower($username)); if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) { $query .= " OR (username != 'unauthenticated' AND lower(username) = '{$tmpusername}')"; } |
