Commit fa6a9ce2 authored by Leigh Stoller

Add "password" URL arg which can have any printable character, even '

and " since the value never goes near a query without being sanitized.
parent e6ea4fdf
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2007 University of Utah and the Flux Group.
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#
require("defs.php3");
......@@ -11,7 +11,7 @@ require("defs.php3");
#
$optargs = OptionalPageArguments("login", PAGEARG_STRING,
"uid", PAGEARG_STRING,
"password", PAGEARG_STRING,
"password", PAGEARG_PASSWORD,
"key", PAGEARG_STRING,
"vuid", PAGEARG_STRING,
"simple", PAGEARG_BOOLEAN,
......
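Review bot: Nothing at the `"password", PAGEARG_PASSWORD` entry records that this value may now contain `'`, `"`, `<` and every other printable character, so its safety rests entirely on each later use in this page being escaped for its context. I would add a comment above the argspec, e.g. `# password: PAGEARG_PASSWORD allows any printable char incl. quotes; escape before SQL/shell/HTML use, never echo or log it`. The `OptionalPageArguments(...)` call and the rest of the page continue outside the hunk, so it is worth confirming that the value is never written back into the page (for example a re-rendered login form) without HTML escaping.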
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2006, 2007 University of Utah and the Flux Group.
# Copyright (c) 2006, 2007, 2008 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -45,6 +45,7 @@ define("PAGEARG_OSID", "osid");
define("PAGEARG_LOGFILE", "logfile");
define("PAGEARG_BOOLEAN", "boolean");
define("PAGEARG_STRING", "string");
define("PAGEARG_PASSWORD", "password");
define("PAGEARG_INTEGER", "integer");
define("PAGEARG_NUMERIC", "numeric");
define("PAGEARG_ARRAY", "array");
......@@ -597,6 +598,19 @@ function VerifyPageArguments($argspec, $required)
}
break;
case PAGEARG_PASSWORD:
default:
if (isset($_REQUEST[$name])) {
$object = $_REQUEST[$name];
$yep = 1;
# Only printable chars.
if (!preg_match("/^[\040-\176]+$/", $object)) {
PAGEARGERROR("Invalid characters in '$name'");
}
}
break;
case PAGEARG_LOGFILE:
if (isset($_REQUEST[URL_LOGFILE])) {
$logid = $_REQUEST[URL_LOGFILE];
......
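Review bot: Placing `default:` directly under `case PAGEARG_PASSWORD:` means any argument type the switch does not recognise (a typo in an argspec, or a constant added later without its own case) is now validated with the loosest rule in the file instead of being rejected. I would give `default:` its own branch that fails closed, e.g. `default: PAGEARGERROR("Unknown argument type for '$name'");`, and keep the printable-character check for `PAGEARG_PASSWORD` only. Separately, `$` in `/^[\040-\176]+$/` also matches just before a final newline, so a value ending in a line feed passes the "Only printable chars" check; adding the `D` modifier, `"/^[\040-\176]+$/D"`, closes that. The switch and the rest of VerifyPageArguments lie outside the hunk, so whether an earlier branch already handles unknown types cannot be seen from here.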