diff options
| -rw-r--r-- | inc/auth.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/inc/auth.php b/inc/auth.php index 6abaa166f..e938830ef 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -95,9 +95,10 @@ function auth_setup() { $INPUT->set('http_credentials', true); } - // apply cleaning + // apply cleaning (auth specific user names, remove control chars) if (true === $auth->success) { - $INPUT->set('u', $auth->cleanUser($INPUT->str('u'))); + $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u')))); + $INPUT->set('p', stripctl($INPUT->str('p'))); } if($INPUT->str('authtok')) { @@ -228,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { if(!empty($user)) { //usual login - if($auth->checkPass($user, $pass)) { + if(!empty($pass) && $auth->checkPass($user, $pass)) { // make logininfo globally available $INPUT->server->set('REMOTE_USER', $user); $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session |