Extra validation on password

2024-07-28 15:45:40 +01:00 · 2024-07-28 15:45:40 +01:00 · 4a50de31bf
parent 509f9fe4ad
commit 4a50de31bf
2 changed files with 13 additions and 1 deletions
--- a/httpheaders.py
+++ b/httpheaders.py
@ -236,6 +236,9 @@ def contains_suspicious_headers(headers: {}) -> bool:
       'think-lang' in headers or \
       'Think-lang' in headers:
        return True
-    if '../../' in str(headers):
+    headers_str = str(headers)
+    if '../../' in headers_str or \
+       'index.php' in headers_str or \
+       'passwd' in headers_str:
        return True
    return False
--- a/webapp_login.py
+++ b/webapp_login.py
@ -58,8 +58,17 @@ def html_get_login_credentials(login_params: str,
            if '@' in nickname:
                # the full nickname@domain has been entered
                nickname = nickname.split('@')[0]
+            # validation on nickname
+            if 'passwd' in nickname or \
+               '`' in nickname or \
+               ';' in nickname or \
+               ' ' in nickname:
+                nickname = None
        elif arg.split('=', 1)[0] == 'password':
            password = arg.split('=', 1)[1]
+            # validation on password
+            if '`' in password:
+                password = None
        elif registrations_open and arg.split('=', 1)[0] == 'register':
            register = True
    return nickname, password, register