From 298ab8b0690925c50062f2a8ebcc8619e74c9cf4 Mon Sep 17 00:00:00 2001
From: Andreas Granig
Date: Wed, 11 Oct 2017 12:08:31 +0200
Subject: [PATCH] TT#8704 Tighten peer name to not break kamailio
This prevents e.g. to insert \", which will break the trigger populating kamailio, and will also protect against SQL injection attacks, because the "name" value is taken as is in the trigger statement without escaping it.
Change-Id: Ic2f911f4ce7fa79516796141d565bd3fe4a4044a
(cherry picked from commit e11ebefbe38ce87ee08bbb21390dbf39bc9d60e5)
---
 lib/NGCP/Panel/Form/Peering/Server.pm | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lib/NGCP/Panel/Form/Peering/Server.pm b/lib/NGCP/Panel/Form/Peering/Server.pm
index cb6dc7c9ae..24096070df 100644
--- a/lib/NGCP/Panel/Form/Peering/Server.pm
+++ b/lib/NGCP/Panel/Form/Peering/Server.pm
@@ -119,6 +119,13 @@ has_block 'actions' => (
 render_list => [qw/save/],
 );
+sub validate_name {
+ my ($self, $field) = @_;
+ unless($field->value =~ /^[a-zA-Z0-9_\- ]+$/) {
+ $field->add_error("Invalid characters in name");
+ }
+}
+
 sub validate_via_route {
 my ($self, $field) = @_;
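Review bot: The whitelist in `validate_name` is anchored with `^` and `$`, and in Perl `$` also matches just before a trailing newline, so a value ending in "\n" still passes; anchoring with `\A` and `\z` closes that gap: `unless($field->value =~ /\A[a-zA-Z0-9_\- ]+\z/) {`. According to the commit message the trigger embeds the name without escaping, so this form check is the only barrier on this path. Any other code path that writes the peer name (none is visible in this hunk) would need the same restriction, and quoting the value inside the trigger itself would be the more durable fix. A short comment above the sub, such as `# name is embedded unescaped in the kamailio trigger; keep this whitelist strict`, would keep a later maintainer from loosening the character class.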