From 66e50d89171647909593636e9d12ecdac964d18f Mon Sep 17 00:00:00 2001
From: nachoparker
Date: Tue, 19 Dec 2017 13:27:53 +0100
Subject: [PATCH] ncp-config: validate input
---
 changelog.md | 6 +++++-
 etc/library.sh | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/changelog.md b/changelog.md
index f6e7a0426..fb053a9e6 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,9 @@
-[v0.42.0](https://github.com/nextcloud/nextcloudpi/commit/9e11b7f) (2017-12-18) added UFW
+[v0.43.1](https://github.com/nextcloud/nextcloudpi/commit/c3205f9) (2017-12-19) ncp-config: validate input
+
+[v0.43.0 ](https://github.com/nextcloud/nextcloudpi/commit/9eeb221) (2017-12-18) added nc-audit
+
+[v0.42.0 ](https://github.com/nextcloud/nextcloudpi/commit/aaac71f) (2017-12-18) added UFW
 [v0.41.13](https://github.com/nextcloud/nextcloudpi/commit/d5e90a6) (2017-12-17) security hardening part 3
diff --git a/etc/library.sh b/etc/library.sh
index 31636d28e..7329f8afc 100755
--- a/etc/library.sh
+++ b/etc/library.sh
@@ -49,8 +49,9 @@ function config()
 $DIALOG_OK)
 local RET=( $value )
 for i in $( seq 0 1 $(( ${#RET[@]} - 1 )) ); do
+ # check for invalid characters
+ grep -q "[&]" <<< "${RET[$i]}" && { echo "Invalid characters in field ${VARS[$i]}"; return 1; }
 local SEDRULE+="s|^${VARS[$i]}_=.*|${VARS[$i]}_=${RET[$i]}|;"
- local CONFIG+="${VARS[$i]}=${RET[$i]}\n"
 done
 break
 ;;
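Review bot: The check added before the `SEDRULE` line rejects only `&`, but the field value is placed in the replacement part of an `s|…|…|` expression, where `|` (the delimiter used here) and `\` are just as significant, so a value containing either can still end the replacement early or change what sed does with the rule. An allowlist is safer than naming bad characters one at a time, for example `[[ "${RET[$i]}" =~ ^[[:alnum:]_.:/@-]*$ ]] || { echo "Invalid characters in field ${VARS[$i]}"; return 1; }`, with the set adjusted to what the config fields legitimately need. `local RET=( $value )` in the context above is unquoted, so each value is word-split and glob-expanded before the check ever sees it. The body of `config()` starts and ends outside the hunk, so how `SEDRULE` is consumed is not visible here.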