# Validate usernames
--- a/lib/misc.h
+++ b/lib/misc.h
@@ -30,6 +30,7 @@ extern void sanitize_input(strbuffer_t *
 extern unsigned int IPtou32(int ip1, int ip2, int ip3, int ip4);
 extern char *u32toIP(unsigned int ip32);
 extern const char *textornull(const char *text);
+extern int issimpleword(const char *text);
 extern int get_fqdn(void);
 extern int generate_static(void);
 extern void do_extensions(FILE *output, char *extenv, char *family);
--- a/lib/misc.c
+++ b/lib/misc.c
@@ -436,6 +436,11 @@ const char *textornull(const char *text)
 return (text ? text : "(NULL)");
 }
+int issimpleword(const char *text)
+{
+ if (text == NULL) return 0;
+ return (strlen(text) == strspn(text, "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ._-"));
+}
 int get_fqdn(void)
 {
--- a/web/useradm.c
+++ b/web/useradm.c
@@ -79,7 +79,7 @@ int parse_query(void)
 int main(int argc, char *argv[])
 {
- int argi;
+ int argi, event;
 char *envarea = NULL;
 char *hffile = "useradm";
 char *passfile = NULL;
@@ -109,7 +109,15 @@ int main(int argc, char *argv[])
 sprintf(passfile, "%s/etc/xymonpasswd", xgetenv("XYMONHOME"));
 }
- switch (parse_query()) {
+ event = parse_query();
+
+ if (adduser_name && !issimpleword(adduser_name)) {
+ event = ACT_NONE;
+ adduser_name = strdup("");
+ infomsg = "<strong><big><font color='#FF0000'>Invalid USERNAME. Letters, numbers, dashes, and periods only.</font></big></strong>\n";
+ }
+
+ switch (event) {
 case ACT_NONE: /* Show the form */
 break;
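Review bot: issimpleword() in lib/misc.c accepts the empty string — strlen("") and strspn("", ...) are both 0 — so any caller that needs a non-empty identifier must check that itself; if emptiness is meant to be rejected by the helper, `if (text == NULL || *text == '\0') return 0;` does it, but that widens the contract for every other caller and should be a deliberate choice. The accepted set also includes '_', permits names made only of '.' and names beginning with '-', which is fine for a generic "simple word" but is not obvious from the name, so the definition deserves a contract comment such as `/* Nonzero if text is non-NULL and consists solely of [A-Za-z0-9._-]; the empty string qualifies. */`. The explicit character table instead of isalnum() is the right choice here since isalnum() is locale-dependent and this is a security allow-list; a short `/* explicit set, not isalnum(): locale-independent */` would stop a future "cleanup" from reintroducing that dependency.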
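Review bot: The rejection text in web/useradm.c says "Letters, numbers, dashes, and periods only" but issimpleword() in the same commit also accepts '_', so either the message should read `Letters, numbers, dashes, underscores, and periods only.` or the helper's set should be narrowed — the two must agree. The guard also lets an empty adduser_name through (issimpleword("") is true) as well as a name beginning with '-' or consisting only of dots; if adduser_name is later handed to an external password tool as an argument or used to build a path, those should be rejected here too, e.g. `if (adduser_name && (*adduser_name == '\0' || *adduser_name == '-' || !issimpleword(adduser_name))) {`. `adduser_name = strdup("")` overwrites the previous pointer without freeing it — presumably harmless in a short-lived CGI, but if parse_query() allocated it this is a leak, and the strdup() result is itself unchecked. The rest of main(), including how adduser_name is consumed, lies outside the hunk.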