Synchronization between js and php on login password checking with ti…

…ghter control
ketetefid · Apr 2, 2018 · 0637ec8 · duraki · Jun 11, 2018 · duraki
1 parent 3315674
commit 0637ec8
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/ActionPage.php b/ActionPage.php
@@ -1,13 +1,12 @@
 <?php
 session_start();
 if (isset($_POST['uname']) and isset($_POST['psw'])) {
-  if( strpos($_POST['uname'],'/') === false && strpos($_POST['uname'],';') === false &&
+  $user=$_POST['uname'];
-      strpos($_POST['psw'],'/') === false && strpos($_POST['psw'],';') === false ) {
+  $pass=$_POST['psw'];
+  if (preg_match('/^[a-z0-9]*$/',$user) && preg_match('/^[a-zA-Z0-9*!@#^_]*$/',$pass)) {
     // Check if the post request comes from the login page
     if (isset($_POST['auth2']) and hash_equals($_POST['auth2'],hash_hmac('sha256', '/ActionPage.php', $_SESSION['auth_token']))) {
       $siausr = trim(shell_exec('source /boot/parameters.txt; echo $SIAUSR'));
-      $user=$_POST['uname'];
-      $pass=$_POST['psw'];
       exec("sudo bin/checker $user $pass", $output, $exitcode);
       if ( $exitcode === 0 and strcmp($siausr,$user) === 0 ) {
 	session_regenerate_id(true);

diff --git a/index.html b/index.html
@@ -161,7 +161,7 @@ <h1>Welcome to SiaBerryOS</h1>
       function formChecker() {
 	  var usr = document.forms["mainForm"]["uname"].value;
 	  var pss = document.forms["mainForm"]["psw"].value; 
-	  if ( !/^[a-z0-9]*$/.test(usr) || !/^[a-zA-Z0-9*!@#$%]*$/.test(pss)) {
+	  if ( !/^[a-z0-9]*$/.test(usr) || !/^[a-zA-Z0-9*!@#^_]*$/.test(pss)) {
 	      document.getElementById('auth2').value = 'failed';
 	  }
       }