From c6c7b0f384aba0427470c9d184f81d5c9a7af1a1 Mon Sep 17 00:00:00 2001
From: John Klug
Date: Tue, 10 Dec 2019 18:34:39 -0600
Subject: Disallow " in User-ID to prevent shell interpretation

---
 www/commission/index.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/www/commission/index.php b/www/commission/index.php
index ef8b68d..4c0ac81 100644
--- a/www/commission/index.php
+++ b/www/commission/index.php
@@ -74,6 +74,8 @@ if($_SERVER["REQUEST_METHOD"] == "POST"){
 $username_err = "Please enter a username.";
 } elseif ($userlen > 80) {
 $username_err = "mLinux username must not exceed 32 characters";
+ } elseif (strstr($username,"\"")) {
+ $username_err = "invalid character(s) in username";
 } else {
 syslog(LOG_ALERT, "Enter username check: $username");
 $id = chk_username($username);
-- cgit v1.2.3
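Review bot: The new `strstr($username,"\"")` branch is a one-character denylist, so if chk_username (called on the last context line, with its body outside the hunk) passes `$username` to a shell as the subject line suggests, other shell-significant characters such as `$`, backticks, backslashes, semicolons or newlines still reach it unchanged. The robust form is an allowlist that only admits what an mLinux username may legitimately contain, e.g. `} elseif (!preg_match('/\A[a-z_][a-z0-9_-]*\z/', $username)) {`, and the command built inside chk_username should wrap the value in `escapeshellarg()` at the point of use regardless of what validation precedes it. The preceding branch compares `$userlen > 80` while its message says 32 characters, so whichever limit is intended should be reflected in both the check and the allowlist pattern. The enclosing `if` on REQUEST_METHOD begins before the hunk and the validation chain continues past it.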