From 21cc2faa85e612169d98deca1f72fce9ff9260a5 Mon Sep 17 00:00:00 2001 From: Evgeny Yurchenko Date: Fri, 17 Jun 2011 00:41:24 -0400 Subject: Bug #1437. Check for invalid characters in the fields for ca, cert and csr. --- usr/local/www/system_certmanager.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'usr/local/www/system_certmanager.php') diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index 470f0cd..439969d 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -153,7 +153,7 @@ if ($act == "csr") { if ($_POST) { if ($_POST['save'] == gettext("Save")) { - unset($input_errors); + $input_errors = array(); $pconfig = $_POST; /* input validation */ @@ -206,6 +206,18 @@ if ($_POST) { } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + if ($pconfig['method'] != "import") + /* Make sure we do not have invalid characters in the fields for the certificate */ + for ($i = 0; $i < count($reqdfields); $i++) { + if (preg_match('/email/', $reqdfields[$i])){ /* dn_email or csr_dn_name */ + if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["$reqdfields[$i]"])) + array_push($input_errors, "The field 'Distinguished name Email Address' contains invalid characters."); + }else if (preg_match('/commonname/', $reqdfields[$i])){ /* dn_commonname or csr_dn_commonname */ + if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["$reqdfields[$i]"])) + array_push($input_errors, "The field 'Distinguished name Common Name' contains invalid characters."); + }else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"])) + array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters."); + } /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { -- cgit v1.1