From 647a109019beb2d4960c51aa406b68db80a28900 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Sat, 14 Nov 2009 17:39:30 -0500
Subject: Sanitize username and only return letters numbers and spaces on the username. This eliminates the error during login that was cosmetic only in nature. The previous two commits where edge cases as the webConfigurator would never allow a blank username or password and was revised just for completeness sakes.
---
 etc/inc/auth.inc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 387f17c..4c02aad 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1,6 +1,7 @@
 Copyright (C) 2005-2006 Bill Marquette All rights reserved.
@@ -84,6 +85,11 @@ function passwd_backed_basic_auth() {
 	return false;
 }
+function sanitize_username($str) {
+	// return letters, spaces and numbers only
+	return preg_replace('/[^A-Za-z0-9\s ]/', '', $str);
+}
+
 function htpasswd_backed_basic_auth() {
 	global $HTTP_SERVER_VARS;
@@ -111,7 +117,7 @@ function htpasswd_backed_basic_auth() {
 			continue;
 		/* Check to see if user even exists */
-		$username = $HTTP_SERVER_VARS['AUTH_USER'];
+		$username = sanitize_username($HTTP_SERVER_VARS['AUTH_USER']);
 		if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
 			continue;
--
cgit v1.1
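Review bot: `sanitize_username` silently rewrites the supplied name before the lookup, so any account whose htpasswd entry contains `.`, `-`, `_` or `@` (constructed example: `john.doe` becomes `johndoe`) no longer matches `/^$username:.*$/` in the third hunk and can never authenticate through this path; the safer form is to keep the raw name and escape it for the pattern instead, `preg_grep('/^' . preg_quote($HTTP_SERVER_VARS['AUTH_USER'], '/') . ':/', $authfile)`, which closes the metacharacter problem without changing which account is looked up. The `\s` inside the character class also admits tab, CR and LF next to the literal space that follows it, which is wider than the comment's "letters, spaces and numbers"; `[^A-Za-z0-9 ]` would match the stated intent. The new function has no docblock; a one-line `/** Strip every character except ASCII letters, digits and space from $str; used to build a literal-safe pattern in htpasswd_backed_basic_auth(). */` would state the contract and warn future callers that the result is not the original name. `htpasswd_backed_basic_auth` begins before the last hunk and continues past it, so whether the unsanitized name is still used elsewhere in that function cannot be confirmed from this diff.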