Escape client input, console output etc. before doing any echo.

Signed-off-by: D9ping <D9ping@users.noreply.github.com>
D9ping
2018-08-04 01:58:34 +02:00
parent 6be3680f8f
commit 2b03fa316d
12 changed files with 221 additions and 201 deletions


@@ -8,7 +8,7 @@ function DisplayAuthConfig($username, $password){
if (CSRFValidate()) {
if (password_verify($_POST['oldpass'], $password)) {
$new_username=trim($_POST['username']);
if ($_POST['newpass'] != $_POST['newpassagain']) {
if ($_POST['newpass'] !== $_POST['newpassagain']) {
$status->addMessage('New passwords do not match', 'danger');
} else if ($new_username == '') {
$status->addMessage('Username must not be empty', 'danger');
@@ -16,7 +16,8 @@ function DisplayAuthConfig($username, $password){
if (!file_exists(RASPI_ADMIN_DETAILS)) {
$tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
fclose($tmpauth);
}
}
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
fwrite($auth_file, $new_username.PHP_EOL);
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
@@ -46,7 +47,7 @@ function DisplayAuthConfig($username, $password){
<div class="row">
<div class="form-group col-md-4">
<label for="username"><?php echo _("Username"); ?></label>
<input type="text" class="form-control" name="username" value="<?php echo $username; ?>"/>
<input type="text" class="form-control" name="username" value="<?php echo htmlspecialchars($username, ENT_QUOTES); ?>"/>
</div>
</div>
<div class="row">
@@ -76,4 +77,3 @@ function DisplayAuthConfig($username, $password){
<?php
}
?>
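Review bot: The escape added to the username field's value attribute passes only `ENT_QUOTES`, so a `$username` holding an invalid UTF-8 byte sequence makes `htmlspecialchars()` return an empty string and the field silently renders blank; use `htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so malformed bytes are replaced and the charset is explicit rather than inherited from `default_charset`. The same flag set presumably recurs in the other escaped echoes this commit adds across its 12 files, so a small shared escape helper would keep them consistent. In the first hunk, `$_POST['newpass']` and `$_POST['newpassagain']` are still read without an `isset()` guard, so a request missing either key emits an undefined-index notice before the new strict comparison runs. DisplayAuthConfig begins before the first hunk and spans all four.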