From ac09997e9460ae263769dc7bef990563451ac92d Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Sat, 1 Dec 2007 01:20:38 +0000
Subject: Add more input validation to settings screen. * Do not allow < 1 * Do not allow > 999 * Turn longs into integers
---
 usr/local/www/system_usermanager_settings.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php
index b707461..acba7a8 100755
--- a/usr/local/www/system_usermanager_settings.php
+++ b/usr/local/www/system_usermanager_settings.php
@@ -42,8 +42,15 @@ if ($_POST) {
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- if ($_POST['session_timeout'] != "" && !is_numeric($_POST['session_timeout']))
- $input_errors[] = gettext("Session timeout must be an integer with value 0 or greater.");
+ $timeout = intval($_POST['session_timeout']);
+ if ($timeout != "" && !is_numeric($timeout))
+ $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");
+
+ if ($timeout < 1)
+ $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");
+
+ if ($timeout > 999)
+ $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");
 /* if this is an AJAX caller then handle via JSON */
 if (isAjax() && is_array($input_errors)) {
@@ -53,7 +60,7 @@ if ($_POST) {
 if (!$input_errors) {
- $pconfig['session_timeout'] = $_POST['session_timeout'];
+ $pconfig['session_timeout'] = intval($_POST['session_timeout']);
 write_config();
-- 
cgit v1.1
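Review bot: The `!is_numeric($timeout)` test can never fail, because `$timeout` is already the result of `intval()`, so the first added `if` is dead code. As a result, input such as `30abc` or `12.5` is silently truncated and accepted rather than rejected; check the raw string before converting, e.g. `if (!ctype_digit($_POST['session_timeout']))`. The `> 999` branch reuses the "1 or greater" message, so a user who enters 5000 is told the wrong thing; `gettext("Session timeout must be an integer between 1 and 999.")` would describe both bounds. An empty field now becomes 0 and is rejected, where the removed check let it through; whether that change is intended cannot be told from the hunk, which shows only part of the `if ($_POST)` block.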
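Review bot: The stored value is re-derived from `$_POST['session_timeout']` instead of reusing the `$timeout` that was just range-checked, so the validated value and the persisted value come from two separate conversions. Assuming `$timeout` is still in scope here (both hunks sit inside `if ($_POST) {`), `$pconfig['session_timeout'] = $timeout;` keeps them identical by construction. The hunk also does not show `$pconfig` being copied into the configuration array before `write_config()`, so it is worth confirming that the timeout is actually persisted.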