From 1a8133dc057302d1a026e177ec21f80df8d91f8e Mon Sep 17 00:00:00 2001
From: John Klug
Date: Tue, 10 Dec 2019 19:23:59 -0600
Subject: Disallow " in password.
---
 www/commission/index.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/www/commission/index.php b/www/commission/index.php
index 4c0ac81..10e044e 100644
--- a/www/commission/index.php
+++ b/www/commission/index.php
@@ -75,7 +75,7 @@ if($_SERVER["REQUEST_METHOD"] == "POST"){
 } elseif ($userlen > 80) {
 $username_err = "mLinux username must not exceed 32 characters";
 } elseif (strstr($username,"\"")) {
- $username_err = "invalid character(s) in username";
+ $username_err = "No " allowed in username";
 } else {
 syslog(LOG_ALERT, "Enter username check: $username");
 $id = chk_username($username);
@@ -100,7 +100,10 @@ if($_SERVER["REQUEST_METHOD"] == "POST"){
 } elseif ($passlen > 4096) {
 $password_err = "Too long. Limit password length to 4096 characters";
 $password = "";
-
+ } elseif (strstr($password,"\"")) {
+ $password_err = "No " allowed in password";
+ $mismatch = 0;
+ $password = "";
 } else {
 if ($save_passwordlen === 0) {
 $mismatch = 0;
--
cgit v1.2.3
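Review bot: As rendered here, the new message `"No " allowed in username"` in the `@@ -75,7 +75,7 @@` hunk closes its string literal at the inner quote, which PHP would reject as a parse error; the same applies to `"No " allowed in password"` in the `@@ -100,7 +100,10 @@` hunk. The page may have dropped an escape or entity, so this should be confirmed against the file, but the unambiguous forms are `$username_err = 'No " allowed in username';` and `$password_err = 'No " allowed in password';`. Where these messages are written into the response is not visible; if they are printed without `htmlspecialchars()`, a literal quote landing inside an attribute value would break the markup. The enclosing `if($_SERVER["REQUEST_METHOD"] == "POST")` block starts and ends outside the hunk.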
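Review bot: Rejecting only `"` in the new password branch of the `@@ -100,7 +100,10 @@` hunk is a one-character denylist, which suggests the password is later placed inside a double-quoted string at a sink that is not visible here. If so, the check leaves every other character that is special in that context unhandled, and it also narrows the set of passwords a user may choose. Quoting or escaping at the sink (for example `escapeshellarg()` if it is a shell command, or handing the value over on stdin) would be sturdier than filtering the input. At minimum the reason should be recorded next to the check, e.g. `// " is rejected because the password is embedded in a double-quoted string by <SINK: fill in>`. The `if`/`elseif` chain continues outside the hunk.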