add check for special characters in login shell

simonLeary42 · simonLeary42 · commit 5870d275d69a · 2025-04-24T14:05:40.000-04:00
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php
@@ -446,8 +446,10 @@ public function getSSHKeys($ignorecache = false)
      */
     public function setLoginShell($shell, $operator = null, $send_mail = true)
     {
-        // FIXME throw error if shell is not ascii
         // ldap schema syntax is "IA5 String (1.3.6.1.4.1.1466.115.121.1.26)"
+        if (!mb_check_encoding($shell, 'ASCII')) {
+            throw new Exception("non ascii characters are not allowed in a login shell!");
+        }
         $ldapUser = $this->getLDAPUser();
         if ($ldapUser->exists()) {
             $ldapUser->setAttribute("loginshell", $shell);
diff --git a/webroot/panel/account.php b/webroot/panel/account.php
@@ -257,7 +257,6 @@
 
 <hr>
 
-
 <script>
     const sitePrefix = '<?php echo $CONFIG["site"]["prefix"]; ?>';
     const ldapLoginShell = '<?php echo $USER->getLoginShell(); ?>';
@@ -289,6 +288,57 @@ function showOrHideCustomLoginBox() {
     $("#loginSelector").change(showOrHideCustomLoginBox);
     showOrHideCustomLoginBox();
 
+    function getNewLoginShell() {
+        var loginSelectorVal = $("#loginSelector").val();
+        if (loginSelectorVal != "Custom") {
+            return loginSelectorVal;
+        }
+        return $("#customLoginBox").val();
+    }
+
+    function isLoginShellValid(x) {
+        if (x.trim().length === 0) {
+            return false;
+        }
+        // only ascii characters allowed
+        if (!(/^[\x00-\x7F]*$/.test(x))) {
+            return false;
+        }
+        return true;
+    }
+
+    function enableOrDisableCustomLoginBoxHighlight() {
+        if (
+            ($("#customLoginSelectorOption").prop("selected") == true) &&
+            !isLoginShellValid($("#customLoginBox").val())
+        ) {
+            $("#customLoginBox").css("box-shadow", "0 0 0 0.3rem rgba(220, 53, 69, 0.25)");
+        } else {
+            $("#customLoginBox").css("box-shadow", "none");
+        }
+    }
+    $("#customLoginBox").on("input", enableOrDisableCustomLoginBoxHighlight);
+    $("#loginSelector").change(enableOrDisableCustomLoginBoxHighlight);
+    enableOrDisableCustomLoginBoxHighlight();
+
+    function enableOrDisableSubmitLoginShell() {
+        var newLoginShell = getNewLoginShell();
+        if (!isLoginShellValid(newLoginShell)) {
+            $("#submitLoginShell").prop("disabled", true);
+            $("#submitLoginShell").prop("title", "Invalid Login Shell");
+            return;
+        }
+        if (newLoginShell == ldapLoginShell) {
+            $("#submitLoginShell").prop("disabled", true);
+            $("#submitLoginShell").prop("title", "Login Shell Unchanged");
+            return;
+        }
+        $("#submitLoginShell").prop("disabled", false);
+        $("#submitLoginShell").prop("title", "Submit Login Shell");
+    }
+    $("#customLoginBox").on("input", enableOrDisableSubmitLoginShell);
+    $("#loginSelector").change(enableOrDisableSubmitLoginShell);
+    enableOrDisableSubmitLoginShell()
 </script>
 
 <style>
