Bug #16314 » 16312_16314.patch

Jim Pingle, 11/11/2025 06:10 PM

src/etc/inc/auth.inc
2151 2151
	return $authenticated;
2152 2152
}
2153 2153

  
2154
/*
2155
 * Function to remove problematic characters from a username before using it in
2156
 * logs or other sensitive contexts.
2157
 *
2158
 * These usernames are not valid, so there is little use in printing them as-is.
2159
 */
2160
function cleanup_invalid_username($username) {
2161
	$clean_username = "";
2162
	/* Trim to 32 chars, add string indicate text was removed */
2163
	if (strlen($username) > 32) {
2164
		$username = substr($username, 0, 32);
2165
		$username .= "__truncated__";
2166
	}
2167
	/* Replace any non-word characters */
2168
	for ($i=0; $i < strlen($username); $i++) {
2169
		if (preg_match('/\w/', $username[$i])) {
2170
			$clean_username .= $username[$i];
2171
		} else {
2172
			$clean_username .= "_";
2173
		}
2174
	}
2175
	return $clean_username;
2176
}
2177

  
2154 2178
function session_auth() {
2155 2179
	global $_SESSION, $page;
2156 2180

  
......
2217 2241
		} else {
2218 2242
			/* give the user an error message */
2219 2243
			$_SESSION['Login_Error'] = gettext("Username or Password incorrect");
2220
			log_auth(sprintf(gettext("webConfigurator authentication error for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], get_user_remote_address(false)));
2244
			log_auth(sprintf("webConfigurator authentication error for user '%1\$s' from: %2\$s",
2245
				cleanup_invalid_username($_POST['usernamefld']),
2246
				get_user_remote_address(false)));
2221 2247
			if (isAjax()) {
2222 2248
				echo "showajaxmessage('{$_SESSION['Login_Error']}');";
2223 2249
				return;
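Review bot: `cleanup_invalid_username()` (first hunk, new lines 2160-2176) assumes `$username` is a string, but the call site in the second hunk passes `$_POST['usernamefld']` unchecked, and a request with `usernamefld[]=x` makes that an array; `strlen()` on an array throws a TypeError under PHP 8, where the old `%s` formatting only printed `Array`, so the login error path can now fail with an uncaught error unless a check earlier in `session_auth()` (which starts outside the hunk) already rejects non-strings. A guard at the top of the function covers every caller: `if (!is_string($username)) { return "__non_string__"; }`. Separately, `\w` without the `u` modifier keeps only ASCII letters, digits and `_`, so if the project's valid-username charset includes `.` or `-`, distinct legitimate accounts (`j.doe`, `j-doe`, `j_doe`) collapse to the same log text and a failed attempt can be made to read as another user's; the header comment should say so, e.g. `/* Lossy: every byte outside [A-Za-z0-9_] becomes '_', so the result is for log display only and must never be used to look up or match an account. */`. The per-byte loop is also equivalent to the single call `$clean_username = preg_replace('/\W/', '_', $username);`, which is easier to audit.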
src/usr/local/www/xmlrpc.php
65 65
		}
66 66

  
67 67
		if (!$login_ok) {
68
			log_auth(sprintf(gettext("webConfigurator authentication error for user '%1\$s' from: %2\$s"),
69
			    $username,
68
			log_auth(sprintf("webConfigurator authentication error for user '%1\$s' from: %2\$s",
69
			    cleanup_invalid_username($username),
70 70
			    $this->remote_addr));
71 71

  
72 72
			require_once("XML/RPC2/Exception.php");