Input sanitization for wpa client, Fix for #1325 #1326

Merged Mar 31, 2023 (2 commits)

eldstal (Contributor) commented Mar 30, 2023

I'm not familiar enough with wpa_supplicant, but if the intended network ID is always numerical, I would recommend also adding a check for isnumeric() of the $_POST parameter for a little bit of extra constraint.

billz (Member) commented Mar 30, 2023

@eldstal thanks for the PR. network ID is an integer so agreed adding is_numeric() would be prudent here.

eldstal (Contributor, Author) commented Mar 31, 2023

There, a more robust check is in place, and this should resolve the last part of #1325

billz (Member) commented Mar 31, 2023

Excellent, thanks. Resolves #1325

billz merged commit ce7e84e into RaspAP:master on Mar 31, 2023

billz (Member) commented Apr 3, 2023

Unfortunately this introduces a new bug. escapeshellarg() wraps $netid with single quotes, thus causing it to fail the is_numeric check. I also believe wpa_cli expects integer values.

I missed this in testing, will open a new PR.
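
The ordering problem described in the comment above, as an added PHP example that is not part of the thread or RaspAP's code. The function names, the `wlan0` interface and the `select_network` subcommand are assumptions chosen for illustration; the command string is only built, never executed.

```php
<?php
// Added illustration, not RaspAP's code. All function names are hypothetical.

// Order that produces the reported bug: escape first, validate second.
function netid_escape_then_check(string $raw): ?string
{
    $netid = escapeshellarg($raw);              // "3" becomes "'3'"
    return is_numeric($netid) ? $netid : null;  // quoted string is never numeric
}

// Validate the raw request value first, then hand on a real integer.
function netid_check_then_use(string $raw): ?int
{
    // ctype_digit() accepts only [0-9]+; is_numeric() would also accept
    // values such as "1e3", " 5" or "-1". The length cap avoids int overflow.
    if ($raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Build the command only from the validated integer; %d cannot emit quotes
// or shell metacharacters. The interface name is still escaped as a string.
function build_select_cmd(string $iface, string $rawNetid): ?string
{
    $netid = netid_check_then_use($rawNetid);
    if ($netid === null) {
        return null; // caller should reject the request
    }
    return sprintf('wpa_cli -i %s select_network %d', escapeshellarg($iface), $netid);
}

// Constructed sample inputs standing in for the $_POST value.
foreach (['3', '1e3', ' 5', '-1', '3x', "'3'", ''] as $raw) {
    printf(
        "%-6s escape-then-check=%-5s check-then-use=%s\n",
        var_export($raw, true),
        var_export(netid_escape_then_check($raw), true),
        var_export(build_select_cmd('wlan0', $raw), true)
    );
}
```

Every row shows `NULL` for the escape-then-check order, including the valid ID `3`, while the check-then-use order accepts only `3`.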
