From a90e31be4f9cbd39d86b12657dbf1a2dc221f498 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Gonz=C3=A1lez?= Date: Fri, 18 Mar 2022 14:03:36 +0100 Subject: [PATCH 1/2] Fix credential storing with spaces --- .../include/class/CredentialStore.class.php | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/pandora_console/include/class/CredentialStore.class.php b/pandora_console/include/class/CredentialStore.class.php index 82ab94ee97..5919eef8f0 100644 --- a/pandora_console/include/class/CredentialStore.class.php +++ b/pandora_console/include/class/CredentialStore.class.php @@ -14,7 +14,7 @@ * |___| |___._|__|__|_____||_____|__| |___._| |___| |__|_|__|_______| * * ============================================================================ - * Copyright (c) 2005-2021 Artica Soluciones Tecnologicas + * Copyright (c) 2005-2022 Artica Soluciones Tecnologicas * Please see http://pandorafms.org for full contribution list * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -644,8 +644,15 @@ class CredentialStore extends Wizard ]; // Spaces are not allowed. - $values['identifier'] = preg_replace('/\s+/', '-', trim($identifier)); - + $values['identifier'] = \io_safe_input( + preg_replace( + '/\s+/', + '-', + trim( + \io_safe_output($identifier) + ) + ) + ); return $values; } From 61713b453a0ad96f2e685264a751f806b504862a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Gonz=C3=A1lez?= Date: Thu, 24 Mar 2022 13:53:22 +0100 Subject: [PATCH 2/2] Added control for ascii characters --- .../include/class/CredentialStore.class.php | 8 ++-- .../include/graphs/functions_utils.php | 40 +++++++++++++++++++ 2 files changed, 45 insertions(+), 3 deletions(-) diff --git a/pandora_console/include/class/CredentialStore.class.php b/pandora_console/include/class/CredentialStore.class.php index 5919eef8f0..27486433ee 100644 
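Review bot: The new `preg_replace('/\s+/', '-', ...)` runs on the entity-decoded value returned by `\io_safe_output($identifier)`, yet the pattern carries no `u` modifier, so `\s` matches only single-byte whitespace and any non-ASCII space in the decoded string passes through untouched and is re-encoded by `\io_safe_input`. If the identifier must contain no whitespace at all, `preg_replace('/\s+/u', '-', ...)` closes that gap. The decode/encode round trip is also uncommented; presumably `$identifier` arrives entity-encoded from the input layer (the commit title suggests encoded spaces escaped the old regex), so a line such as `// $identifier is entity-encoded by the input layer; decode so \s sees real spaces, then re-encode.` would stop a later maintainer from "simplifying" it away. The enclosing method begins outside the hunk.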
--- a/pandora_console/include/class/CredentialStore.class.php +++ b/pandora_console/include/class/CredentialStore.class.php @@ -623,11 +623,13 @@ class CredentialStore extends Wizard $error = __('You must select a group where store this key!'); } else if (empty($product) === true) { $error = __('You must specify a product type'); - } else if (empty($username) === true && (empty($password) === true)) { + } else if (empty($username) === true || (empty($password) === true)) { $error = __('You must specify a username and/or password'); + } else if (evaluate_ascii_valid_string(io_safe_output($identifier)) === false) { + $error = __('Identifier with forbidden characters. Check the documentation.'); } - if (isset($error)) { + if (isset($error) === true) { $this->ajaxMsg('error', $error); exit; } @@ -1277,7 +1279,7 @@ class CredentialStore extends Wizard }); } - + /** * Delete selected key */ diff --git a/pandora_console/include/graphs/functions_utils.php b/pandora_console/include/graphs/functions_utils.php index 11737099a8..e68a11a9f1 100644 --- a/pandora_console/include/graphs/functions_utils.php +++ b/pandora_console/include/graphs/functions_utils.php 
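Review bot: The operator change from `&&` to `||` now rejects a request that supplies only a username or only a password, but the message on the following line still says `You must specify a username and/or password`, so the user is told one half suffices while the code demands both. Either keep `&&` if a lone username or password is legitimately acceptable for some products, or change the text to `__('You must specify a username and password')`. Separately, `evaluate_ascii_valid_string` returns `false` for an empty string (see its definition in the second file of this patch), so an empty `$identifier` surfaces as "Identifier with forbidden characters" rather than a missing-identifier error; an `else if (empty($identifier) === true)` branch ahead of the ASCII check would give the accurate message. The method body continues outside the hunk on both sides.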
@@ -328,3 +328,43 @@ function convert_array_multi($array, $glue) $result = substr($result, 0, (0 - strlen($glue))); return $result; } + + +/** + * Evaluate if the chars of coming variable has in the range stablished. + * + * @param string $string String for be evaluated. + * @param array $ranges Ranges for valid chars. Min: [ x <= Y ] Max: [ Y > x ]. + * Example of valid ranges: [ '32:126', '150:188' ]. + * + * @return boolean. + */ +function evaluate_ascii_valid_string(string $string='', array $ranges=[ '33:38', '40:126' ]) +{ + if (empty($string) === true) { + return false; + } + + $countChars = strlen($string); + // Let's explore all the chars. + for ($i = 0; $i < $countChars; $i++) { + // Get ascii number of the char. + $asciiNumber = ord($string[$i]); + // Check in all ranges. + $rangeValidation = false; + foreach ($ranges as $range) { + list($minRangeValue, $maxRangeValue) = explode(':', $range, 2); + // Check if is in range. + if ($asciiNumber > (int) $minRangeValue && $asciiNumber < (int) $maxRangeValue) { + $rangeValidation = true; + } + } + + // None of the ranges was validated. + if ($rangeValidation === false) { + return false; + } + } + + return true; +}
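Review bot: The range test `$asciiNumber > (int) $minRangeValue && $asciiNumber < (int) $maxRangeValue` is exclusive at both ends, while the docblock states `Min: [ x <= Y ]` and offers `'32:126'` as a valid range, which reads as inclusive; with the default `[ '33:38', '40:126' ]` the boundary characters 33 (`!`), 38 (`&`), 40 (`(`) and 126 (`~`) are rejected alongside 39 (`'`) and space, so only `"`, `#`, `$` and `%` survive from the first range. If excluding the quote, ampersand and parentheses is the intent, document that and switch to inclusive `>=` / `<=` so the ranges mean what they say; if 33 and 38 were meant as the real edges, the defaults should read `'34:37', '41:125'`. The inner `foreach` can `break` as soon as `$rangeValidation` becomes true. It is also worth a comment that `strlen` and `ord` work on bytes, so any multi-byte UTF-8 character fails (every byte ≥ 128 lies outside the default ranges), which looks intended for an ASCII-only identifier but is nowhere stated.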