diff --git a/zefie_wtvp_minisrv/app.js b/zefie_wtvp_minisrv/app.js
index 863da1f7..91a25539 100644
--- a/zefie_wtvp_minisrv/app.js
+++ b/zefie_wtvp_minisrv/app.js
@@ -2009,6 +2009,10 @@ if (minisrv_config.config.user_accounts.max_users_per_account > 99) {
minisrv_config.config.user_accounts.max_users_per_account = 99;
}
+// shenanigans
+if (minisrv_config.config.shenanigans) console.log(" * WARNING: Shenanigans level", minisrv_config.config.shenanigans, "enabled");
+else console.log(" * Shenanigans disabled");
+
process.on('uncaughtException', function (err) {
console.error((err && err.stack) ? err.stack : err);
});
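Review bot: The new startup lines print `minisrv_config.config.shenanigans` but never validate it, so a value such as `true` or a numeric string is reported as a level and later reaches the `level >= ...` comparison in WTVShenanigans.js, where it is coerced rather than rejected. The `max_users_per_account` clamp just above is the pattern to follow: treat anything that is not `false` or an integer as disabled before logging, e.g. `if (lvl !== false && !Number.isInteger(lvl)) minisrv_config.config.shenanigans = false;`, with `lvl` being the configured value. That keeps a typo in config.json from silently turning a bypass on.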
diff --git a/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js b/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js
index 3d4bb2a9..309ababd 100644
--- a/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js
+++ b/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js
@@ -1,14 +1,16 @@
var minisrv_service_file = true;
-// Allow URL access outside our trusted minisrv
+if (wtvshared.shenanigans.checkShenanigan(wtvshared.shenanigans.shenanigans.ENABLE_TRICKS_URLACCESS)) {
+ // Allow URL access outside our trusted minisrv
+ if (request_headers.query.url) var url = request_headers.query.url;
+ else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing"
-if (request_headers.query.url) var url = request_headers.query.url;
-else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing"
-
-headers = `300 OK
-wtv-visit: ${url}
-Location: ${url}
-Content-type: text/html`
-
-
-data = '';
\ No newline at end of file
+ headers = `300 OK
+ wtv-visit: ${url}
+ Location: ${url}
+ Content-type: text/html`
+} else {
+ var err = wtvshared.doErrorPage(403, "Access Denied");
+ headers = err[0];
+ data = err[1];
+}
\ No newline at end of file
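Review bot: In the enabled branch `request_headers.query.url` is still written unchanged into the `wtv-visit:` and `Location:` lines of the `headers` template, so a value that contains CR or LF after query decoding would add header lines to the response. Checking for that before the template is built, e.g. `if (/[\r\n]/.test(url))`, and answering through the same `wtvshared.doErrorPage` path the else branch uses, keeps the feature confined to the redirect it advertises. Separately, the removed `data = '';` has no replacement in this branch, so unless the service loader defaults `data` the body is left unset there; adding `data = '';` after the template restores the old behaviour.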
diff --git a/zefie_wtvp_minisrv/includes/classes/WTVShared.js b/zefie_wtvp_minisrv/includes/classes/WTVShared.js
index 0934265c..aed51f44 100644
--- a/zefie_wtvp_minisrv/includes/classes/WTVShared.js
+++ b/zefie_wtvp_minisrv/includes/classes/WTVShared.js
@@ -2,6 +2,7 @@
* Shared functions across all classes and apps
*/
const CryptoJS = require('crypto-js');
+const WTVShenanigans = require('./WTVShenanigans.js');
class WTVShared {
@@ -15,12 +16,14 @@ class WTVShared {
parentDirectory = process.cwd()
extend = require('util')._extend;
debug = require('debug')('WTVShared')
+ shenanigans = null;
minisrv_config = [];
constructor(minisrv_config, quiet = false) {
if (minisrv_config == null) this.minisrv_config = this.readMiniSrvConfig(true, !quiet);
else this.minisrv_config = minisrv_config;
+ this.shenanigans = new WTVShenanigans(this.minisrv_config);
if (!String.prototype.reverse) {
String.prototype.reverse = function () {
@@ -194,6 +197,11 @@ class WTVShared {
}
htmlEntitize(string, process_newline = false) {
+ if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_ENTITIZER)) {
+ // shenanigans level matches, don't encode
+ return string;
+ }
+
string = this.html_entities.encode(string).replace(/'/g, "'");
if (process_newline) string = string.replace(/\n/gi, "
").replace(/\r/gi, "");
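Review bot: The early return bypasses more than the encoder: it also skips the `process_newline` replacement below it, so callers passing `process_newline = true` get raw newlines back when the level is 4 or higher. If only entity encoding is meant to be switched off, guard just the `this.html_entities.encode(...)` step and let the newline handling run. Because `htmlEntitize` lives in the shared class, the bypass presumably applies to every caller rather than only email/usenet subjects, which is worth stating in a comment above the check, for example `// level >= DISABLE_HTML_ENTITIZER: every caller receives unencoded input`. The rest of the method lies outside the hunk.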
@@ -222,6 +230,11 @@ class WTVShared {
});
self.debug("sanitizeSignature", "allowed protocols:", allowedProtocols);
+ if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_SANITIZER)) {
+ // shenanigans level matches, don't filter
+ return string;
+ }
+
const clean = this.sanitizeHtml(string, {
allowedTags: ['a', 'audioscope', 'b', 'bgsound', 'big', 'blackface', 'blockquote', 'bq', 'br', 'caption', 'center', 'cite', 'c', 'dd', 'dfn', 'div', 'dl', 'dt', 'em', 'fn', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'html', 'i', 'img', 'label', 'li', 'listing', 'marquee', 'nobr', 'ol', 'p', 'plaintext', 'pre', 's', 'samp', 'small', 'shadow', 'span', 'strike', 'strong', 'sub', 'sup', 'tbody', 'table', 'td', 'th', 'tr', 'tt', 'u', 'ul'],
disallowedTagsMode: 'discard',
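Review bot: The sanitizer bypass leaves no trace at runtime: when the level matches, the input is returned unfiltered and nothing is logged. Since `self.debug` is already used two lines above, a line such as `self.debug("sanitizeSignature", "sanitizer bypassed by shenanigans level");` before `return string;` would let an operator see from the logs when unfiltered markup was passed through. The check could also move ahead of the allowed-protocols work, which is wasted when the function returns early; the start of the function is outside the hunk, so that placement needs confirming.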
diff --git a/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js b/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
new file mode 100644
index 00000000..90ee8903
--- /dev/null
+++ b/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
@@ -0,0 +1,42 @@
+class WTVShenanigans {
+ minisrv_config = null;
+ shenanigans = {
+ // PLEASE NOTE: anything that is broken with any shenigan level besides "false" is NOT a bug!!!!
+
+ "NO_SHENANIGANS": false, // no shenanigans, minisrv as intended, most secure option
+ "ENABLE_TRICKS_URLACCESS": 1, // allows users to use wtv-tricks:/access?url=
+ "DISABLE_HTML_ENTITIZER": 4, // disables HTML Entitizer, allowing things such as HTML in email/usenet subjects
+ "DISABLE_HTML_SANITIZER": 5 // disables HTML Sanitizer, allowing all sorts of chaos in email/usenet posts and signatures
+ }
+
+ constructor(minisrv_config) {
+ this.minisrv_config = minisrv_config;
+ }
+
+ getShenanigansLevel() {
+ return this.minisrv_config.config.shenanigans;
+ }
+
+ checkShenanigan(value) {
+ var level = this.getShenanigansLevel();
+
+ // shenanigans are disabled, don't iterate
+ if (level === false) return false;
+
+ var retval = false;
+ var shenanigans = this.shenanigans;
+
+ // shenanigans are enabled, so check if the requested shenanigan is within the level enabled
+ Object.keys(shenanigans).forEach((k) => {
+ if (shenanigans[k] == value) {
+ if (level >= shenanigans[k]) {
+ retval = true;
+ return false;
+ }
+ }
+ });
+
+ return retval;
+ }
+}
+module.exports = WTVShenanigans;
\ No newline at end of file
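Review bot: In `checkShenanigan` the `return false;` inside the `forEach` callback does not stop the iteration (it only ends that one callback call), and the match uses `==`, so the loop reads as an early exit it does not perform and compares with type coercion. The whole loop is a membership test plus a threshold and can be written strictly as `return Object.values(this.shenanigans).includes(value) && level >= value;`. Note also that `NO_SHENANIGANS` is `false`, so `checkShenanigan(false)` returns true for any numeric level because `level >= false` compares against 0; a comment on that entry saying it is a config value and not something to pass to `checkShenanigan` would avoid misuse. A class-level comment stating that levels are cumulative (level 4 also enables `ENABLE_TRICKS_URLACCESS`) would document the design where the constants live.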
diff --git a/zefie_wtvp_minisrv/includes/config.json b/zefie_wtvp_minisrv/includes/config.json
index 91d60e76..c39bcf59 100644
--- a/zefie_wtvp_minisrv/includes/config.json
+++ b/zefie_wtvp_minisrv/includes/config.json
@@ -95,7 +95,12 @@
"wtv-head-waiter:/images/signin_new_mail.gif",
"wtv-head-waiter:/images/signin_no_mail.gif",
"wtv-log:/log"
- ]
+ ],
+ /* shenanigans: this allows you to intentionally enable old minisrv bugs, as well as official WebTV Networks exploits
+ Each level of shenanigans includes the previous level (eg 5 will also disable filters like 4)
+ See WTVShenanigans.js for more info.
+ */
+ "shenanigans": false
},
"services": {
// service definitions
@@ -300,10 +305,10 @@
"force_https": false,
"https_cert": {
/* self-signed, can be replaced with another cert */
- // "domain": "mycooldomain.com",
- "cert": "%ServiceDeps%/https/selfsigned_cert.pem",
- "key": "%ServiceDeps%/https/selfsigned_key.pem"
- }
+ // "domain": "mycooldomain.com",
+ "cert": "%ServiceDeps%/https/selfsigned_cert.pem",
+ "key": "%ServiceDeps%/https/selfsigned_key.pem"
+ }
}
},
"favorites": {
diff --git a/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj b/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
index 631311da..4a99e229 100644
--- a/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
+++ b/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
@@ -50,6 +50,9 @@
+
+ Code
+