Synchronization between js and php on login password checking with ti…
Showing
with
4 additions
and
5 deletions.
-
+3
−4
ActionPage.php
-
+1
−1
index.html
|
|
@@ -1,13 +1,12 @@ |
|
|
<?php |
|
|
session_start(); |
|
|
if (isset($_POST['uname']) and isset($_POST['psw'])) { |
|
|
if( strpos($_POST['uname'],'/') === false && strpos($_POST['uname'],';') === false && |
|
|
strpos($_POST['psw'],'/') === false && strpos($_POST['psw'],';') === false ) { |
|
|
$user=$_POST['uname']; |
|
|
$pass=$_POST['psw']; |
|
|
if (preg_match('/^[a-z0-9]*$/',$user) && preg_match('/^[a-zA-Z0-9*!@#^_]*$/',$pass)) { |
|
|
// Check if the post request comes from the login page |
|
|
if (isset($_POST['auth2']) and hash_equals($_POST['auth2'],hash_hmac('sha256', '/ActionPage.php', $_SESSION['auth_token']))) { |
|
|
$siausr = trim(shell_exec('source /boot/parameters.txt; echo $SIAUSR')); |
|
|
$user=$_POST['uname']; |
|
|
$pass=$_POST['psw']; |
|
|
exec("sudo bin/checker $user $pass", $output, $exitcode); |
|
|
if ( $exitcode === 0 and strcmp($siausr,$user) === 0 ) { |
|
|
session_regenerate_id(true); |
|
|
|
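Review bot: The allow-list added on the `preg_match` line does not make the string-built `exec("sudo bin/checker $user $pass", ...)` call safe: PCRE's `$` anchor (without the `D` modifier) also matches just before a trailing newline, so a value ending in a newline passes both patterns and is still interpolated unescaped into a shell command line, and the permitted `*` is an unquoted glob character for that shell. Anchor with `\z` and escape each argument independently of the allow-list: `if (preg_match('/^[a-z0-9]+\z/', $user) && preg_match('/^[a-zA-Z0-9*!@#^_]+\z/', $pass)) {` and `exec('sudo bin/checker ' . escapeshellarg($user) . ' ' . escapeshellarg($pass), $output, $exitcode);` (the `+` quantifier also rejects the empty strings the current `*` admits, which would otherwise shift the checker's arguments). Passing the password as a command-line argument exposes it to every local user through the process list; if `bin/checker` can be changed, feeding it on stdin via `proc_open` would be the more robust design. The rendered view does not mark which of the duplicated `$user`/`$pass` assignments are old or new, and the `if` blocks opened in this hunk close outside it.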
@@ -161,7 +161,7 @@ <h1>Welcome to SiaBerryOS</h1> |
|
|
function formChecker() { |
|
|
var usr = document.forms["mainForm"]["uname"].value; |
|
|
var pss = document.forms["mainForm"]["psw"].value; |
|
|
if ( !/^[a-z0-9]*$/.test(usr) || !/^[a-zA-Z0-9*!@#$%]*$/.test(pss)) { |
|
|
if ( !/^[a-z0-9]*$/.test(usr) || !/^[a-zA-Z0-9*!@#^_]*$/.test(pss)) { |
|
|
document.getElementById('auth2').value = 'failed'; |
|
|
} |
|
|
} |
|
|
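Review bot: The character class on the changed regex line is now a hand-maintained second copy of the server-side `preg_match` pattern in ActionPage.php, and nothing in either file points at the other; a comment such as `// keep in sync with the preg_match allow-list in ActionPage.php` above the `if` would make that coupling visible the next time one of them is edited. The client check only writes `'failed'` into the `auth2` field, so it is advisory; the server pattern remains the authoritative one and is the only place that can reject input before it reaches the shell. The rendered view does not mark which of the two regex lines is old or new, so this assumes the `^_` variant is the new side.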
This can be bypassed again. See
$IFS$9
,x20
etc.