check for special characters in login shell

simonLeary42 · simonLeary42 · commit ff260612f5f9 · 2025-04-23T17:56:54.000-04:00
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php
@@ -446,8 +446,10 @@ public function getSSHKeys($ignorecache = false)
      */
     public function setLoginShell($shell, $operator = null, $send_mail = true)
     {
-        // FIXME throw error if shell is not ascii
         // ldap schema syntax is "IA5 String (1.3.6.1.4.1.1466.115.121.1.26)"
+        if (!mb_check_encoding($shell, 'ASCII')) {
+            throw new Exception("non ascii characters are not allowed in a login shell!");
+        }
         $ldapUser = $this->getLDAPUser();
         if ($ldapUser->exists()) {
             $ldapUser->setAttribute("loginshell", $shell);
diff --git a/webroot/panel/account.php b/webroot/panel/account.php
@@ -186,49 +186,28 @@
 <hr>
 
 <form action="" method="POST">
-
-    <input type="hidden" name="form_type" value="loginshell">
-
-    <select id="loginSelector" name= "shellSelect">
-
-        <option value="" disabled hidden>Select Login Shell...</option>
-
-        <?php
-        $cur_shell = $USER->getLoginShell();
-        $found_selector = false;
-        foreach ($CONFIG["loginshell"]["shell"] as $shell) {
-            if ($cur_shell == $shell) {
-                echo "<option selected>$shell</option>";
-                $found_selector = true;
-            } else {
-                echo "<option>$shell</option>";
-            }
-        }
-
-        if ($found_selector) {
-            echo "<option value='custom'>Custom</option>";
-        } else {
-            echo "<option value='custom' selected>Custom</option>";
-        }
-        ?>
-    </select>
-
-    <?php
-
-    if ($found_selector) {
-        echo "<input id='customLoginBox' type='text'
-        placeholder='Enter login shell path (ie. /bin/bash)' name='shell'>";
-    } else {
-        echo "<input id='customLoginBox' type='text'
-        placeholder='Enter login shell path (ie. /bin/bash)' name='shell' value='$cur_shell'>";
-    }
-
-    ?>
-    <br>
-    <input type='submit' value='Set Login Shell'>
-
+<input type="hidden" name="form_type" value="loginshell">
+<select id="loginSelector" name= "shellSelect">
+<?php
+foreach ($CONFIG["loginshell"]["shell"] as $shell) {
+    echo "<option>$shell</option>";
+}
+echo "<option>Custom</option>";
+?>
+</select>
+<?php
+echo "
+    <input
+        id='customLoginBox'
+        type='text'
+        placeholder='Enter login shell path (ie. /bin/bash)'
+        name='shell'
+    >
+";
+?>
+<br>
+<input id='submitLoginShell' type='submit' value='Set Login Shell'>
 </form>
-
 <hr>
 
 <h5>Account Deletion</h5>
@@ -255,32 +234,67 @@
 
 <hr>
 
-
 <script>
-    $("button.btnAddKey").click(function() {
-        openModal("Add New Key", "<?php echo $CONFIG["site"]["prefix"]; ?>/panel/modal/new_key.php");
+    const sitePrefix = '<?php echo $CONFIG["site"]["prefix"]; ?>';
+    const ldapLoginShell = '<?php echo $USER->getLoginShell(); ?>';
+
+    $("#loginSelector option").each(function(i, e) {
+        if ($(this).val() == ldapLoginShell) {
+            $(this).attr("selected", true);
+        }
     });
 
-    var customLoginBox = $("#customLoginBox");
-    if (customLoginBox.val() == "") {
-        // login box is empty, so we hide it by default
-        // if the login box had a value, that means it would be a custom shell
-        // and should not hide by default
-        customLoginBox.hide();
-    }
+    $("button.btnAddKey").click(function() {
+        openModal("Add New Key", `${sitePrefix}/panel/modal/new_key.php`);
+    });
 
-    $("#loginSelector").change(function() {
+    function showOrHideCustomLoginBox() {
         var customBox = $("#customLoginBox");
-        if($(this).val() == "custom") {
+        if($("#loginSelector").val() == "Custom") {
             customBox.show();
         } else {
             customBox.hide();
         }
-    });
+    }
+    $("#loginSelector").change(showOrHideCustomLoginBox);
+    showOrHideCustomLoginBox();
 
-    if ($("#loginSelector").val() == "custom") {
-        $("#customLoginBox").show();
+    function getNewLoginShell() {
+        var loginSelectorVal = $("#loginSelector").val();
+        if (loginSelectorVal != "Custom") {
+            return loginSelectorVal;
+        }
+        return $("#customLoginBox").val();
+    }
+    function isLoginShellValid(x) {
+        if (x.trim().length === 0) {
+            return false;
+        }
+        // only ascii characters allowed
+        if (!(/^[\x00-\x7F]*$/.test(x))) {
+            return false;
+        }
+        return true;
+    }
+    function enableOrDisableSubmitLoginShell() {
+        var submitLoginShell = $("#submitLoginShell");
+        var newLoginShell = getNewLoginShell();
+        if (!isLoginShellValid(newLoginShell)) {
+            submitLoginShell.attr("disabled", true);
+            $("#customLoginBox").css("box-shadow", "0 0 0 0.3rem rgba(220, 53, 69, 0.25)");
+            return;
+        } else {
+            $("#customLoginBox").css("box-shadow", "none");
+        }
+        if (newLoginShell == ldapLoginShell) {
+            submitLoginShell.attr("disabled", true);
+            return;
+        }
+        submitLoginShell.attr("disabled", false);
     }
+    $("#customLoginBox").on("input", enableOrDisableSubmitLoginShell);
+    $("#loginSelector").change(enableOrDisableSubmitLoginShell);
+    enableOrDisableSubmitLoginShell()
 </script>
 
 <style>
