From f2fc77f29ce81b6493ab629e0f8f9da2b3df857d Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Thu, 31 Jul 2014 15:46:18 -0400
Subject: [PATCH] Improved input validation.

---
 interface/web/sites/shell_user_edit.php |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php
index 3c72a5f..9731889 100644
--- a/interface/web/sites/shell_user_edit.php
+++ b/interface/web/sites/shell_user_edit.php
@@ -135,6 +135,8 @@
 			}
 		}
 		unset($blacklist);
+		
+		if($app->functions->is_allowed_user(trim(strtolower($this->dataRecord['username']))) == false) $app->tform->errorMessage .= $app->tform->lng('username_not_allowed_txt');
 
 		/*
 		 * If the names should be restricted -> do it!
@@ -163,6 +165,11 @@
 		$dir = $app->db->quote($web["document_root"]);
 		$uid = $app->db->quote($web["system_user"]);
 		$gid = $app->db->quote($web["system_group"]);
+		
+		// Check system user and group
+		if($app->functions->is_allowed_user($uid) == false || $app->functions->is_allowed_group($gid) == false) {
+			$app->error($app->tform->lng('invalid_system_user_or_group_txt'));
+		}
 
 		// The FTP user shall be owned by the same group then the website
 		$sys_groupid = $app->functions->intval($web['sys_groupid']);
@@ -183,6 +190,13 @@
 			}
 		}
 		unset($blacklist);
+		
+		// Check system user and group
+		if(isset($this->dataRecord['puser'])) {
+			if($app->functions->is_allowed_user(strtolower($this->dataRecord['puser']),true) == false || $app->functions->is_allowed_group(strtolower($this->dataRecord['pgroup']),true) == false) {
+				$app->tform->errorMessage .= $app->tform->lng('invalid_system_user_or_group_txt');
+			}
+		}
 
 		/*
 		 * If the names should be restricted -> do it!

--
Gitblit v1.9.1