additional checks

This commit is contained in:
Roland Gruber 2012-03-13 21:02:37 +00:00
parent 90b83be7c8
commit e61324a599
5 changed files with 29 additions and 19 deletions


@ -289,9 +289,13 @@ class LAMConfig {
/** /**
* Loads preferences from config file * Loads preferences from config file
* *
* @param integer $file Index number in config file array * @param String $file file name without ".conf" (e.g. lam)
*/ */
function __construct($file = 0) { function __construct($file) {
if (empty($file) || !preg_match("/^[a-z0-9_-]+$/i", $file)) {
logNewMessage('ERROR', 'Invalid config file name: ' . $file);
die();
}
// load first profile if none is given // load first profile if none is given
if (!is_string($file)) { if (!is_string($file)) {
$profiles = getConfigProfiles(); $profiles = getConfigProfiles();
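Review bot: The new name check `preg_match("/^[a-z0-9_-]+$/i", $file)` still accepts a name with a trailing newline, because `$` in PCRE also matches before a final "\n"; anchor with `\z` instead (`"/^[a-z0-9_-]+\\z/i"`) or add the `D` modifier. The same pattern is repeated in the `setpass` and `setdefault` handlers of the fifth file section, so the three checks could share one helper. With the `$file = 0` default gone and `empty($file)` now ending the request, the `!is_string($file)` fallback below is only reachable for a non-empty integer index; a comment such as `// integer index: fall back to the first profile` would make that intent explicit, or the branch can go if callers no longer pass indices. A bare `die()` also leaves the user with an empty page, so a short message or an exception would be clearer. The constructor's body continues past the end of the hunk.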


@ -90,7 +90,7 @@ function checkClientIP() {
$grantAccess = false; $grantAccess = false;
for ($i = 0; $i < sizeof($allowedHosts); $i++) { for ($i = 0; $i < sizeof($allowedHosts); $i++) {
$host = $allowedHosts[$i]; $host = $allowedHosts[$i];
$ipRegex = '/^[0-9\\.\\*]+$/'; $ipRegex = '/^[0-9a-z\\.:\\*]+$/i';
if (!preg_match($ipRegex, $host)) continue; if (!preg_match($ipRegex, $host)) continue;
$hostRegex = str_replace(".", "\\.", $host); $hostRegex = str_replace(".", "\\.", $host);
$hostRegex = '/^' . str_replace("*", ".*", $hostRegex) . '$/'; $hostRegex = '/^' . str_replace("*", ".*", $hostRegex) . '$/';
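Review bot: The widened class `[0-9a-z\\.:\\*]` with the `i` flag admits any letter rather than only the hexadecimal digits an IPv6 address can contain, while the equivalent check in the fourth file section uses `[0-9a-f\\.:\\*]`; the two should agree, `$ipRegex = '/^[0-9a-f\\.:\\*]+$/i';`. Because the entry is turned into `$hostRegex` on the following lines with only `.` escaped and `*` expanded to `.*`, keeping this class tight is what guarantees the generated pattern contains no other metacharacters. How `$hostRegex` is applied to the client address is outside the hunk, as is the start of `checkClientIP()`.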


@ -434,10 +434,10 @@ function checkInput() {
if (isLAMProVersion()) { if (isLAMProVersion()) {
$conf->setAccessLevel($_POST['accessLevel']); $conf->setAccessLevel($_POST['accessLevel']);
if (!$conf->setLamProMailFrom($_POST['pwdResetMail_from'])) { if (!$conf->setLamProMailFrom($_POST['pwdResetMail_from'])) {
$errors[] = array("ERROR", _("From address for password mails is invalid."), $_POST['pwdResetMail_from']); $errors[] = array("ERROR", _("From address for password mails is invalid."), htmlspecialchars($_POST['pwdResetMail_from']));
} }
if (!$conf->setLamProMailReplyTo($_POST['pwdResetMail_replyTo'])) { if (!$conf->setLamProMailReplyTo($_POST['pwdResetMail_replyTo'])) {
$errors[] = array("ERROR", _("Reply-to address for password mails is invalid."), $_POST['pwdResetMail_replyTo']); $errors[] = array("ERROR", _("Reply-to address for password mails is invalid."), htmlspecialchars($_POST['pwdResetMail_replyTo']));
} }
$conf->setLamProMailSubject($_POST['pwdResetMail_subject']); $conf->setLamProMailSubject($_POST['pwdResetMail_subject']);
if (isset($_POST['pwdResetMail_isHTML']) && ($_POST['pwdResetMail_isHTML'] == 'on')) { if (isset($_POST['pwdResetMail_isHTML']) && ($_POST['pwdResetMail_isHTML'] == 'on')) {
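Review bot: The two new `htmlspecialchars()` calls rely on the default flags, which on PHP releases of this era are ENT_COMPAT and leave single quotes unencoded; unless the error renderer is known to place the value only in element content, pass the flags explicitly, e.g. `htmlspecialchars($_POST['pwdResetMail_from'], ENT_QUOTES, 'UTF-8')`. Whether the code that prints `$errors` already escapes the third element is not visible here; if it does, this change double-encodes, so it is worth confirming at which layer the escaping belongs. `checkInput()` begins and ends outside the hunk.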


@ -90,9 +90,9 @@ if (isset($_POST['submit'])) {
continue; continue;
} }
// check each line // check each line
$ipRegex = '/^[0-9\\.\\*]+$/'; $ipRegex = '/^[0-9a-f\\.:\\*]+$/i';
if (!preg_match($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) { if (!preg_match($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) {
$errors[] = sprintf(_("The IP address %s is invalid!"), str_replace('%', '%%', $allowedHostsList[$i])); $errors[] = sprintf(_("The IP address %s is invalid!"), htmlspecialchars(str_replace('%', '%%', $allowedHostsList[$i])));
} }
} }
$allowedHosts = implode(",", $allowedHostsList); $allowedHosts = implode(",", $allowedHostsList);
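Review bot: The regex now admits IPv6 characters, but the `strlen($allowedHostsList[$i]) > 15` bound on the same line still rejects every IPv6 address, which needs up to 39 characters (45 in IPv4-mapped form), so the widened class has no effect in practice; raise the bound, e.g. `(strlen($allowedHostsList[$i]) > 45)`. Separately, the `str_replace('%', '%%', ...)` wrapped by the new `htmlspecialchars()` call is applied to an sprintf argument rather than to the format string, so a rejected entry containing `%` is displayed with the sign doubled; that replacement can be dropped. The enclosing `if (isset($_POST['submit']))` block starts before the hunk.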


@ -109,22 +109,28 @@ if (isset($_POST['action'])) {
} }
// set new profile password // set new profile password
elseif ($_POST['action'] == "setpass") { elseif ($_POST['action'] == "setpass") {
if ($_POST['setpassword'] && $_POST['setpassword2'] && ($_POST['setpassword'] == $_POST['setpassword2'])) { if (preg_match("/^[a-z0-9_-]+$/i", $_POST['setprofile'])) {
$config = new LAMConfig($_POST['setprofile']); if ($_POST['setpassword'] && $_POST['setpassword2'] && ($_POST['setpassword'] == $_POST['setpassword2'])) {
$config->set_Passwd($_POST['setpassword']); $config = new LAMConfig($_POST['setprofile']);
$config->save(); $config->set_Passwd($_POST['setpassword']);
$config = null; $config->save();
$msg = _("New password set successfully."); $config = null;
$msg = _("New password set successfully.");
}
else $error = _("Profile passwords are different or empty!");
} }
else $error = _("Profile passwords are different or empty!"); else $error = _("Profile name is invalid!");
} }
// set default profile // set default profile
elseif ($_POST['action'] == "setdefault") { elseif ($_POST['action'] == "setdefault") {
$configMain = new LAMCfgMain(); if (preg_match("/^[a-z0-9_-]+$/i", $_POST['defaultfilename'])) {
$configMain->default = $_POST['defaultfilename']; $configMain = new LAMCfgMain();
$configMain->save(); $configMain->default = $_POST['defaultfilename'];
$configMain = null; $configMain->save();
$msg = _("New default profile set successfully."); $configMain = null;
$msg = _("New default profile set successfully.");
}
else $error = _("Profile name is invalid!");
} }
} }