From 4a50de31bf3eef816cd328b22715325c757a3234 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 28 Jul 2024 15:45:40 +0100
Subject: [PATCH] Extra validation on password
---
 httpheaders.py | 5 ++++-
 webapp_login.py | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/httpheaders.py b/httpheaders.py
index c062fa0f5..4f3a90785 100644
--- a/httpheaders.py
+++ b/httpheaders.py
@@ -236,6 +236,9 @@ def contains_suspicious_headers(headers: {}) -> bool:
 'think-lang' in headers or \
 'Think-lang' in headers:
 return True
- if '../../' in str(headers):
+ headers_str = str(headers)
+ if '../../' in headers_str or \
+ 'index.php' in headers_str or \
+ 'passwd' in headers_str:
 return True
 return False
diff --git a/webapp_login.py b/webapp_login.py
index 8b5afeda5..49081b648 100644
--- a/webapp_login.py
+++ b/webapp_login.py
@@ -58,8 +58,17 @@ def html_get_login_credentials(login_params: str,
 if '@' in nickname:
 # the full nickname@domain has been entered
 nickname = nickname.split('@')[0]
+ # validation on nickname
+ if 'passwd' in nickname or \
+ '`' in nickname or \
+ ';' in nickname or \
+ ' ' in nickname:
+ nickname = None
 elif arg.split('=', 1)[0] == 'password':
 password = arg.split('=', 1)[1]
+ # validation on password
+ if '`' in password:
+ password = None
 elif registrations_open and arg.split('=', 1)[0] == 'register':
 register = True
 return nickname, password, register
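Review bot: The three substring tests on headers_str are case-sensitive, so `Passwd` or `Index.PHP` in a header value is not caught while the lowercase spelling is; normalising once with `headers_str = str(headers).lower()` makes the test consistent, since the needles are already lowercase. Because str(headers) serialises every header value, including Referer and User-Agent, a bare `passwd` substring may also reject legitimate requests such as a referer URL that merely contains the word, so it is worth confirming that false-positive rate is acceptable. As the list grows it reads better as a module-level tuple, `SUSPICIOUS_HEADER_FRAGMENTS = ('../../', 'index.php', 'passwd')`, tested with `if any(frag in headers_str for frag in SUSPICIOUS_HEADER_FRAGMENTS): return True`. contains_suspicious_headers starts before the hunk.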
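Review bot: Setting password to None when it contains a backtick silently locks out any account whose password legitimately contains that character, and a one-character blocklist only protects anything if the value is later interpolated into a command or query; if such a sink exists (not visible here) the fix belongs there, passing the value as a data argument rather than building a string from it, and if it does not, the check adds nothing. The same reasoning applies to the backtick and `;` tests on nickname, whereas `' ' in nickname` and `'passwd' in nickname` read as identifier rules that should mirror whatever registration enforces, so a nickname accepted at signup is not refused at login. In both branches a rejected value is indistinguishable to the caller from an absent one; a comment such as `# rejected credentials are returned as None, same as missing ones` would at least document that. The indentation of the nickname block is lost in this view, so whether it sits inside the `'@'` branch or after it should be confirmed. html_get_login_credentials starts before the hunk.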