
xymon-4.3.17-5.1.mga5.src.rpm

# Validate usernames

--- a/lib/misc.h
+++ b/lib/misc.h
@@ -30,6 +30,7 @@ extern void sanitize_input(strbuffer_t *
 extern unsigned int IPtou32(int ip1, int ip2, int ip3, int ip4);
 extern char *u32toIP(unsigned int ip32);
 extern const char *textornull(const char *text);
+extern int issimpleword(const char *text);
 extern int get_fqdn(void);
 extern int generate_static(void);
 extern void do_extensions(FILE *output, char *extenv, char *family);
--- a/lib/misc.c
+++ b/lib/misc.c
@@ -436,6 +436,11 @@ const char *textornull(const char *text)
 	return (text ? text : "(NULL)");
 }
 
+int issimpleword(const char *text)
+{
+	if (text == NULL) return 0;
+	return (strlen(text) == strspn(text, "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ._-"));
+}
 
 int get_fqdn(void)
 {
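Review bot: issimpleword() returns 1 for the empty string, because strlen() and strspn() are both 0 there, so an empty user name passes the check added in web/useradm.c; if that is not intended, the guard can be `if (text == NULL || *text == '\0') return 0;`. The accepted set also contains `_`, which the error text in web/useradm.c ("Letters, numbers, dashes, and periods only") does not mention, so either the set or the message should be adjusted. Names made only of `.` or beginning with `-` are accepted as well; whether that matters depends on how the caller consumes the name, which is not visible in this patch. A short comment above the function, such as `/* Returns 1 if text is non-NULL and contains only [A-Za-z0-9._-], else 0. */`, would document the contract for other callers.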
--- a/web/useradm.c
+++ b/web/useradm.c
@@ -79,7 +79,7 @@ int parse_query(void)
 
 int main(int argc, char *argv[])
 {
-	int argi;
+	int argi, event;
 	char *envarea = NULL;
 	char *hffile = "useradm";
 	char *passfile = NULL;
@@ -109,7 +109,15 @@ int main(int argc, char *argv[])
 		sprintf(passfile, "%s/etc/xymonpasswd", xgetenv("XYMONHOME"));
 	}
 
-	switch (parse_query()) {
+	event = parse_query();
+
+	if (adduser_name && !issimpleword(adduser_name)) {
+		event = ACT_NONE;
+		adduser_name = strdup("");
+		infomsg = "<strong><big><font color='#FF0000'>Invalid USERNAME. Letters, numbers, dashes, and periods only.</font></big></strong>\n";
+	}
+
+	switch (event) {
 	  case ACT_NONE:	/* Show the form */
 		break;