From 2a526c0702c1a9fad25c0b8b37e9ece651b97667 Mon Sep 17 00:00:00 2001
From: zefie <zefie@zefie.net>
Date: Wed, 16 Feb 2022 18:30:19 -0500
Subject: [PATCH] initial attempt to fix security issue

- likely adds new bug where users will be kicked to relogin after the
  server restarts
- TODO: figure out a way to safely check the user login when session
  data is unknown (eg restart) (hint: ticket?)
---
 .../wtv-head-waiter/login-stage-two.js            |   8 +++-----
 .../ServiceVault/wtv-head-waiter/password.js      |   2 +-
 zefie_wtvp_minisrv/SharedROMCache/NameStrip.gif   | Bin 0 -> 117 bytes
 zefie_wtvp_minisrv/WTVClientSessionData.js        |   5 ++++-
 zefie_wtvp_minisrv/app.js                         |  12 ++++++++++++
 5 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 zefie_wtvp_minisrv/SharedROMCache/NameStrip.gif

diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js
index c01fb897..6a52b1dc 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js
@@ -45,11 +45,10 @@ else {
 		var home_url = "wtv-home:/splash?";
 	}
 	var limitedLogin = ssid_sessions[socket.ssid].lockdown;
-	var limitedLoginRegistered = (limitedLogin || (ssid_sessions[socket.ssid].isRegistered() && ssid_sessions[socket.ssid].getSessionData('password_valid')));
+	var limitedLoginRegistered = (limitedLogin || (ssid_sessions[socket.ssid].isRegistered() && !ssid_sessions[socket.ssid].getSessionData('password_valid')));
 	var offline_user_list = null;
 	if (ssid_sessions[socket.ssid].isRegistered() && ssid_sessions[socket.ssid].user_id == 0) {
 		var accounts = ssid_sessions[socket.ssid].listPrimaryAccountUsers();
-		console.log(accounts);
 		var num_accounts = ssid_sessions[socket.ssid].getNumberOfUserAccounts();
 		var offline_user_list_str = "<user-list>\n";
 		var i = 0;
@@ -143,9 +142,8 @@ wtv-inactive-timeout: 1440
 			if (request_headers.query.guest_login) headers += "&guest_login=true";
 
 			headers += "\nwtv-boot-url: wtv-head-waiter:/relogin?relogin=true";
-			if (request_headers.query.guest_login) headers += "&guest_login=true";
-
-			headers += "\nwtv-home-url: wtv-home:/home?";
+			if (request_headers.query.guest_login) headers += "&guest_login=true";			
+			headers += "\nwtv-home-url: " + home_url;
 		}
 
 		if (ssid_sessions[socket.ssid].get('wtv-need-upgrade') != 'true' && !request_headers.query.reconnect && !limitedLogin)
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/password.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/password.js
index 4dc80581..237cfaf8 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/password.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/password.js
@@ -18,7 +18,7 @@ data = `<html><HEAD><title>Password</title>
 <img src="images/PasswordBanner.gif" width=50 height=191> <tr> <td absheight=8> 
 </table>
 </sidebar>
-<body background="images/NameStrip.gif"
+<body background="/ROMCache/NameStrip.gif"
 novtilebg
 nohtilebg
 bgcolor=191919 
diff --git a/zefie_wtvp_minisrv/SharedROMCache/NameStrip.gif b/zefie_wtvp_minisrv/SharedROMCache/NameStrip.gif
new file mode 100644
index 0000000000000000000000000000000000000000..8a6930bb84354b8457d941b9f828f40b435f60cb
GIT binary patch
literal 117
zcmZ?wbh9u|>}TL%Sj52a|NnmjGha~&C1GJ<9v&WUZf*uJ&;gMkH4My761(pFGdShB
zdT&H$(1{ZX8huZ8l*X@Im*YKmp7!}I9Lr1By_XXId_du~nvRs?k;O%vo<{S1)JvkK
Q1g*E$F0<aP%D`X^00wj?WdHyG

literal 0
HcmV?d00001

diff --git a/zefie_wtvp_minisrv/WTVClientSessionData.js b/zefie_wtvp_minisrv/WTVClientSessionData.js
index c14db9f9..e218e22d 100644
--- a/zefie_wtvp_minisrv/WTVClientSessionData.js
+++ b/zefie_wtvp_minisrv/WTVClientSessionData.js
@@ -43,6 +43,9 @@ class WTVClientSessionData {
             "wtv-head-waiter:/ValidateLogin",
             "wtv-head-waiter:/login-stage-two",
             "wtv-head-waiter:/relogin",
+			"wtv-head-waiter:/ROMCache/Spacer.gif",
+			"wtv-head-waiter:/ROMCache/NameStrip.gif",
+			"wtv-head-waiter:/images/NameBanner.gif",
             "wtv-head-waiter:/bad-disk",
             "wtv-head-waiter:/images/PasswordBanner.gif",
             "wtv-log:/log",
@@ -682,7 +685,7 @@ class WTVClientSessionData {
 
     isAuthorized(url, whitelist = 'lockdown', ignore_lockdown = false) {
         // not in lockdown so just return true
-        if (!this.lockdown && !ignore_lockdown) return true;
+        if (whitelist == 'lockdown' && !this.lockdown && !ignore_lockdown) return true;
 
         // in lockdown, check whitelisted urls
         var self = this;
diff --git a/zefie_wtvp_minisrv/app.js b/zefie_wtvp_minisrv/app.js
index 5c3a03c7..93232518 100644
--- a/zefie_wtvp_minisrv/app.js
+++ b/zefie_wtvp_minisrv/app.js
@@ -411,6 +411,18 @@ async function processURL(socket, request_headers) {
             console.log(" * Lockdown rejected request for " + shortURL + " on socket ID", socket.id);
             return;
         }
+		
+		 if (ssid_sessions[socket.ssid].isRegistered() && !ssid_sessions[socket.ssid].getSessionData('password_valid')) {
+			 if (!ssid_sessions[socket.ssid].isAuthorized(shortURL,'login')) {
+				// user is not fully logged in, and URL not authorized
+				headers = "300 Unauthorized\n";
+				headers += "Location: client:relogin\n";
+				data = "";
+				sendToClient(socket, headers, data);
+				console.log(" * Incomplete login rejected request for " + shortURL + " on socket ID", socket.id);
+				return;
+			 }
+		 }
 
         if (ssid_sessions[socket.ssid].get("wtv-my-disk-sucks-sucks-sucks")) {
             if (!ssid_sessions[socket.ssid].baddisk) {