authorAndreas Gohr <andi@splitbrain.org>2014-09-27 12:39:46 +0200
committerAndreas Gohr <andi@splitbrain.org>2014-09-27 12:39:46 +0200
commit3df1d4a6fec3db26f0cb9888fdbf9fe67359c9ee (patch)
treede54f27ee6e8de164553d01292d25129e06693fe
parentb24ed43ebbe0bddef3f397baf54ead1304b71bbf (diff)
parent5e9e1054045318cfb23f64db7be36a677dc9481a (diff)
downloadrpg-3df1d4a6fec3db26f0cb9888fdbf9fe67359c9ee.tar.gz
rpg-3df1d4a6fec3db26f0cb9888fdbf9fe67359c9ee.tar.bz2
Merge pull request #868 from splitbrain/authclean
clean user credentials from control chars
-rw-r--r--inc/auth.php7
1 files changed, 4 insertions, 3 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 6abaa166f..e938830ef 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -95,9 +95,10 @@ function auth_setup() {
$INPUT->set('http_credentials', true);
}
- // apply cleaning
+ // apply cleaning (auth specific user names, remove control chars)
if (true === $auth->success) {
- $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
+ $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
+ $INPUT->set('p', stripctl($INPUT->str('p')));
}
if($INPUT->str('authtok')) {
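Review bot: The added `$INPUT->set('p', stripctl($INPUT->str('p')));` alters the submitted password before it is verified, but nothing in this hunk shows the same stripping where a password is set or changed. If those paths store the password unstripped, an account whose password contains a tab or another control character would stop verifying after this change; that is worth confirming, and `stripctl()` should be applied there as well. The comment could also state the reason, for example `// strip control chars (e.g. NUL) from credentials before any auth backend sees them`. auth_setup() starts and ends outside this hunk, so credentials that reach the backend by another route (presumably the cookie login) are not visibly covered here.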
@@ -228,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
if(!empty($user)) {
//usual login
- if($auth->checkPass($user, $pass)) {
+ if(!empty($pass) && $auth->checkPass($user, $pass)) {
// make logininfo globally available
$INPUT->server->set('REMOTE_USER', $user);
$secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
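Review bot: `!empty($pass)` in the new condition also rejects the password `"0"`, because PHP's `empty()` treats that string as empty, so such an account can never log in through this branch. The guard exists to keep a blank password away from `checkPass()`, and comparing against the empty string does that without the side effect: `if((string) $pass !== '' && $auth->checkPass($user, $pass)) {`. A short comment above the line, such as `// never pass an empty password to the backend`, would record the intent. Since the check lives only in auth_login(), any other callers of `checkPass()` (not visible here) would need the same guard. auth_login() continues outside this hunk.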