Liran Tal - 2012-06-24

Thanks for the info.
Instead of adding slashes, I think it makes more sense to deny ' and " altogether in the random chars for passwords.

Diff to apply the patch:
Index: config-user.php
===================================================================
--- config-user.php (revision 2111)
+++ config-user.php (working copy)
@@ -34,8 +34,11 @@

 if (isset($_REQUEST['submit'])) {
  • if (isset($_REQUEST['config_user_allowedrandomchars']))
  • $configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'] = $_REQUEST['config_user_allowedrandomchars'];
  • if (isset($_REQUEST['config_user_allowedrandomchars'])) {
  • $config_user_allowedrandomchars = str_replace('\'', '', $_REQUEST['config_user_allowedrandomchars']);
  • $config_user_allowedrandomchars = str_replace('"', '', $config_user_allowedrandomchars);
  • $configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'] = $config_user_allowedrandomchars;
  • }

    // this should probably move to some other page at some point
    if (isset($_REQUEST['config_db_pass_encrypt']))
    

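Review bot: the two str_replace() calls in the new isset() block are a denylist of exactly two characters, so the allowed-random-chars value is still accepted with anything else that may break the place it is written to (the thread mentions addslashes as the earlier idea, which implies the value ends up inside a quoted string; a backslash, in particular, is not removed here). An allowlist of the characters a password generator actually needs would be more robust and self-documenting, for example `preg_replace('/[^A-Za-z0-9!@#%^&*()_+=-]/', '', $_REQUEST['config_user_allowedrandomchars'])` in place of the two str_replace() lines; if the denylist stays, fold it into one call, `str_replace(array("'", '"'), '', ...)`. The characters are also dropped silently, so the admin gets no indication that the saved set differs from what was typed; a note in the status message after saving would help.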
    @@ -96,7 +99,7 @@

    <li class='fieldset'>
    <label for='config_user_allowedrandomchars' class='form'><?php echo $l['all']['RandomChars'] ?></label>
    
    • <input type="text" value="&lt;?php echo $configValues&lt;span&gt;['CONFIG_USER_ALLOWEDRANDOMCHARS']&lt;/span&gt; ?&gt;" name="config_user_allowedrandomchars" &gt;<="" li="">
    • <input type="text" value="&lt;?php echo htmlentities($configValues&lt;span&gt;['CONFIG_USER_ALLOWEDRANDOMCHARS']&lt;/span&gt;) ?&gt;" name="config_user_allowedrandomchars" &gt;<br="">
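Review bot: wrapping the echoed value in htmlentities() is the right fix for this form field and should be kept independently of the input filtering in the first hunk, since values saved before this patch may already contain quotes; pass the flags explicitly, `htmlentities($configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'], ENT_QUOTES)`, so both quote characters are encoded regardless of the PHP version's default and of whether the attribute is later changed to single quotes. The `<span>` wrapper around the array index and the trailing `<="" li="">` / `<br="">` fragments in both lines look like rendering residue rather than part of the source; the real input element should end with a plain `/>` so the markup stays well-formed.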