Fix html injection in user fields (#10535)

Validate realname and descr as letters, numbers and spaces only.
The flaw is actually in bootgrid: the HTML is not interpreted until bootgrid loads.
This commit is contained in:
Tony Murray
2019-08-21 20:36:22 -05:00
committed by GitHub
parent a1c8fe63ee
commit 2441096015
4 changed files with 9 additions and 4 deletions


@@ -34,9 +34,9 @@ class StoreUserRequest extends FormRequest
'max:255',
Rule::unique('users', 'username')->where('auth_type', LegacyAuth::getType()),
],
'realname' => 'max:64',
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
'descr' => 'max:30',
'descr' => 'nullable|max:30|alpha_space',
'level' => 'int',
'new_password' => 'required|confirmed|min:' . Config::get('password.min_length', 8),
'dashboard' => 'int',
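Review bot: The new `realname` and `descr` rules have no `string` rule, so a request that submits either field as an array (`realname[]=x`) reaches the `alpha_space` closure with a non-string value, where `preg_match` raises a type warning or error instead of producing a validation message, and `max:64` then measures array size rather than length. Adding the type rule keeps the rejection inside the validator: `'realname' => 'nullable|string|max:64|alpha_space',` and `'descr' => 'nullable|string|max:30|alpha_space',`. The same applies to the two rules in the UpdateUserRequest hunk. The rules array begins and ends outside this hunk.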


@@ -37,9 +37,9 @@ class UpdateUserRequest extends FormRequest
public function rules()
{
return [
'realname' => 'max:64',
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
'descr' => 'max:30',
'descr' => 'nullable|max:30|alpha_space',
'level' => 'int',
'old_password' => 'nullable|string',
'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),


@@ -101,6 +101,10 @@ class AppServiceProvider extends ServiceProvider
private function bootCustomValidators()
{
Validator::extend('alpha_space', function ($attribute, $value) {
return preg_match('/^[\w\s]+$/u', $value);
});
Validator::extend('ip_or_hostname', function ($attribute, $value, $parameters, $validator) {
$ip = substr($value, 0, strpos($value, '/') ?: strlen($value)); // allow prefixes too
return IP::isValid($ip) || Validate::hostname($value);
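Review bot: `\s` in `'/^[\w\s]+$/u'` admits tabs, newlines and other vertical whitespace rather than only spaces, and `$` also tolerates a trailing newline, so the new `alpha_space` rule is looser than the "letters, numbers, underscores and spaces" message it is paired with. If a literal space is the intent, `return preg_match('/\A[\w ]+\z/u', $value) === 1;` pins both ends and the character class, and `=== 1` turns `preg_match`'s `false` on malformed UTF-8 into an explicit boolean rejection instead of relying on truthiness. Since the description places the root cause in bootgrid's rendering, a comment such as `// Defense in depth only: the grid must still escape these fields on output, and existing rows are not re-validated.` would keep the next maintainer from treating this rule as the complete fix. The ip_or_hostname closure continues outside the hunk.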


@@ -20,6 +20,7 @@ return [
'alpha' => 'The :attribute may only contain letters.',
'alpha_dash' => 'The :attribute may only contain letters, numbers, dashes and underscores.',
'alpha_num' => 'The :attribute may only contain letters and numbers.',
'alpha_space' => 'The :attribute may only contain letters, numbers, underscores and spaces.',
'array' => 'The :attribute must be an array.',
'before' => 'The :attribute must be a date before :date.',
'before_or_equal' => 'The :attribute must be a date before or equal to :date.',