additional checks

This commit is contained in:
Roland Gruber 2012-03-13 21:02:37 +00:00
parent 90b83be7c8
commit e61324a599
5 changed files with 29 additions and 19 deletions

View File

@ -289,9 +289,13 @@ class LAMConfig {
/**
* Loads preferences from config file
*
* @param integer $file Index number in config file array
* @param String $file file name without ".conf" (e.g. lam)
*/
function __construct($file = 0) {
function __construct($file) {
if (empty($file) || !preg_match("/^[a-z0-9_-]+$/i", $file)) {
logNewMessage('ERROR', 'Invalid config file name: ' . $file);
die();
}
// load first profile if none is given
if (!is_string($file)) {
$profiles = getConfigProfiles();

View File

@ -90,7 +90,7 @@ function checkClientIP() {
$grantAccess = false;
for ($i = 0; $i < sizeof($allowedHosts); $i++) {
$host = $allowedHosts[$i];
$ipRegex = '/^[0-9\\.\\*]+$/';
$ipRegex = '/^[0-9a-z\\.:\\*]+$/i';
if (!preg_match($ipRegex, $host)) continue;
$hostRegex = str_replace(".", "\\.", $host);
$hostRegex = '/^' . str_replace("*", ".*", $hostRegex) . '$/';

View File

@ -434,10 +434,10 @@ function checkInput() {
if (isLAMProVersion()) {
$conf->setAccessLevel($_POST['accessLevel']);
if (!$conf->setLamProMailFrom($_POST['pwdResetMail_from'])) {
$errors[] = array("ERROR", _("From address for password mails is invalid."), $_POST['pwdResetMail_from']);
$errors[] = array("ERROR", _("From address for password mails is invalid."), htmlspecialchars($_POST['pwdResetMail_from']));
}
if (!$conf->setLamProMailReplyTo($_POST['pwdResetMail_replyTo'])) {
$errors[] = array("ERROR", _("Reply-to address for password mails is invalid."), $_POST['pwdResetMail_replyTo']);
$errors[] = array("ERROR", _("Reply-to address for password mails is invalid."), htmlspecialchars($_POST['pwdResetMail_replyTo']));
}
$conf->setLamProMailSubject($_POST['pwdResetMail_subject']);
if (isset($_POST['pwdResetMail_isHTML']) && ($_POST['pwdResetMail_isHTML'] == 'on')) {

View File

@ -90,9 +90,9 @@ if (isset($_POST['submit'])) {
continue;
}
// check each line
$ipRegex = '/^[0-9\\.\\*]+$/';
$ipRegex = '/^[0-9a-f\\.:\\*]+$/i';
if (!preg_match($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) {
$errors[] = sprintf(_("The IP address %s is invalid!"), str_replace('%', '%%', $allowedHostsList[$i]));
$errors[] = sprintf(_("The IP address %s is invalid!"), htmlspecialchars(str_replace('%', '%%', $allowedHostsList[$i])));
}
}
$allowedHosts = implode(",", $allowedHostsList);

View File

@ -109,6 +109,7 @@ if (isset($_POST['action'])) {
}
// set new profile password
elseif ($_POST['action'] == "setpass") {
if (preg_match("/^[a-z0-9_-]+$/i", $_POST['setprofile'])) {
if ($_POST['setpassword'] && $_POST['setpassword2'] && ($_POST['setpassword'] == $_POST['setpassword2'])) {
$config = new LAMConfig($_POST['setprofile']);
$config->set_Passwd($_POST['setpassword']);
@ -118,14 +119,19 @@ if (isset($_POST['action'])) {
}
else $error = _("Profile passwords are different or empty!");
}
else $error = _("Profile name is invalid!");
}
// set default profile
elseif ($_POST['action'] == "setdefault") {
if (preg_match("/^[a-z0-9_-]+$/i", $_POST['defaultfilename'])) {
$configMain = new LAMCfgMain();
$configMain->default = $_POST['defaultfilename'];
$configMain->save();
$configMain = null;
$msg = _("New default profile set successfully.");
}
else $error = _("Profile name is invalid!");
}
}