fight stupidity - teach your customers not to use password == username
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
@@ -446,6 +446,9 @@ if ($page == 'overview') {
|
||||
}
|
||||
elseif ($password == '' && !(Settings::Get('panel.sendalternativemail') == 1 && validateEmail($alternative_email))) {
|
||||
standard_error(array('stringisempty', 'mypassword'));
|
||||
}
|
||||
elseif ($password == $email_full) {
|
||||
standard_error('passwordshouldnotbeusername');
|
||||
} else {
|
||||
if ($password == '') {
|
||||
$password = substr(md5(uniqid(microtime(), 1)), 12, 6);
|
||||
@@ -632,6 +635,10 @@ if ($page == 'overview') {
|
||||
standard_error(array('stringisempty', 'mypassword'));
|
||||
exit;
|
||||
}
|
||||
elseif ($password = $result['email_full']) {
|
||||
standard_error('passwordshouldnotbeusername');
|
||||
exit;
|
||||
}
|
||||
|
||||
$password = validatePassword($password);
|
||||
|
||||
@@ -887,5 +894,3 @@ if ($page == 'overview') {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
@@ -133,6 +133,8 @@ if ($page == 'overview') {
|
||||
standard_error(array('stringisempty', 'mypassword'));
|
||||
} elseif ($path == '') {
|
||||
standard_error('patherror');
|
||||
} elseif ($_POST['directory_password'] == $username) {
|
||||
standard_error('passwordshouldnotbeusername');
|
||||
} else {
|
||||
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_HTPASSWDS . "` SET
|
||||
`customerid` = :customerid,
|
||||
@@ -184,6 +186,10 @@ if ($page == 'overview') {
|
||||
$password = crypt($_POST['directory_password']);
|
||||
}
|
||||
|
||||
if ($_POST['directory_password'] == $result['username']) {
|
||||
standard_error('passwordshouldnotbeusername');
|
||||
}
|
||||
|
||||
$params = array(
|
||||
"customerid" => $userinfo['customerid'],
|
||||
"id" => $id
|
||||
|
||||
@@ -178,6 +178,11 @@ if ($page == 'overview') {
|
||||
$userinfo['mysql_lastaccountnumber']
|
||||
);
|
||||
|
||||
// we've checked against the password in dbm->createDatabase
|
||||
if ($username == false) {
|
||||
standard_error('passwordshouldnotbeusername');
|
||||
}
|
||||
|
||||
// Statement modified for Database description -- PH 2004-11-29
|
||||
$stmt = Database::prepare('INSERT INTO `' . TABLE_PANEL_DATABASES . '`
|
||||
(`customerid`, `databasename`, `description`, `dbserver`)
|
||||
@@ -307,6 +312,10 @@ if ($page == 'overview') {
|
||||
// validate password
|
||||
$password = validatePassword($password);
|
||||
|
||||
if ($password == $result['databasename']) {
|
||||
standard_error('passwordshouldnotbeusername');
|
||||
}
|
||||
|
||||
// Begin root-session
|
||||
Database::needRoot(true);
|
||||
foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
|
||||
|
||||
@@ -64,7 +64,7 @@ class DbManager {
|
||||
* @param string $password
|
||||
* @param int $last_accnumber
|
||||
*
|
||||
* @return string $username
|
||||
* @return string|bool $username if successful or false of username is equal to the password
|
||||
*/
|
||||
public function createDatabase($loginname = null, $password = null, $last_accnumber = 0) {
|
||||
|
||||
@@ -84,6 +84,11 @@ class DbManager {
|
||||
$username = $loginname . Settings::Get('customer.mysqlprefix') . (intval($last_accnumber) + 1);
|
||||
}
|
||||
|
||||
// don't use a password that is the same as the username
|
||||
if ($username == $password) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// now create the database itself
|
||||
$this->getManager()->createDatabase($username);
|
||||
$this->_log->logAction(USR_ACTION, LOG_INFO, "created database '" . $username . "'");
|
||||
|
||||
Reference in New Issue
Block a user