new experimental feature: shenanigans
- will allow server operates to intentionally enable bugs/exploits for fun shenanigans
This commit is contained in:
zefie
@@ -2009,6 +2009,10 @@ if (minisrv_config.config.user_accounts.max_users_per_account > 99) {
|
|||||||
minisrv_config.config.user_accounts.max_users_per_account = 99;
|
minisrv_config.config.user_accounts.max_users_per_account = 99;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// shenanigans
|
||||||
|
if (minisrv_config.config.shenanigans) console.log(" * WARNING: Shenanigans level", minisrv_config.config.shenanigans, "enabled");
|
||||||
|
else console.log(" * Shenanigans disabled");
|
||||||
|
|
||||||
process.on('uncaughtException', function (err) {
|
process.on('uncaughtException', function (err) {
|
||||||
console.error((err && err.stack) ? err.stack : err);
|
console.error((err && err.stack) ? err.stack : err);
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
var minisrv_service_file = true;
|
var minisrv_service_file = true;
|
||||||
|
|
||||||
|
if (wtvshared.shenanigans.checkShenanigan(wtvshared.shenanigans.shenanigans.ENABLE_TRICKS_URLACCESS)) {
|
||||||
// Allow URL access outside our trusted minisrv
|
// Allow URL access outside our trusted minisrv
|
||||||
|
|
||||||
if (request_headers.query.url) var url = request_headers.query.url;
|
if (request_headers.query.url) var url = request_headers.query.url;
|
||||||
else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing"
|
else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing"
|
||||||
|
|
||||||
@@ -9,6 +9,8 @@ headers = `300 OK
|
|||||||
wtv-visit: ${url}
|
wtv-visit: ${url}
|
||||||
Location: ${url}
|
Location: ${url}
|
||||||
Content-type: text/html`
|
Content-type: text/html`
|
||||||
|
} else {
|
||||||
|
var err = wtvshared.doErrorPage(403, "Access Denied");
|
||||||
data = '';
|
headers = err[0];
|
||||||
|
data = err[1];
|
||||||
|
}
|
||||||
@@ -2,6 +2,7 @@
|
|||||||
* Shared functions across all classes and apps
|
* Shared functions across all classes and apps
|
||||||
*/
|
*/
|
||||||
const CryptoJS = require('crypto-js');
|
const CryptoJS = require('crypto-js');
|
||||||
|
const WTVShenanigans = require('./WTVShenanigans.js');
|
||||||
|
|
||||||
class WTVShared {
|
class WTVShared {
|
||||||
|
|
||||||
@@ -15,12 +16,14 @@ class WTVShared {
|
|||||||
parentDirectory = process.cwd()
|
parentDirectory = process.cwd()
|
||||||
extend = require('util')._extend;
|
extend = require('util')._extend;
|
||||||
debug = require('debug')('WTVShared')
|
debug = require('debug')('WTVShared')
|
||||||
|
shenanigans = null;
|
||||||
|
|
||||||
minisrv_config = [];
|
minisrv_config = [];
|
||||||
|
|
||||||
constructor(minisrv_config, quiet = false) {
|
constructor(minisrv_config, quiet = false) {
|
||||||
if (minisrv_config == null) this.minisrv_config = this.readMiniSrvConfig(true, !quiet);
|
if (minisrv_config == null) this.minisrv_config = this.readMiniSrvConfig(true, !quiet);
|
||||||
else this.minisrv_config = minisrv_config;
|
else this.minisrv_config = minisrv_config;
|
||||||
|
this.shenanigans = new WTVShenanigans(this.minisrv_config);
|
||||||
|
|
||||||
if (!String.prototype.reverse) {
|
if (!String.prototype.reverse) {
|
||||||
String.prototype.reverse = function () {
|
String.prototype.reverse = function () {
|
||||||
@@ -194,6 +197,11 @@ class WTVShared {
|
|||||||
}
|
}
|
||||||
|
|
||||||
htmlEntitize(string, process_newline = false) {
|
htmlEntitize(string, process_newline = false) {
|
||||||
|
if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_ENTITIZER)) {
|
||||||
|
// shenanigans level matches, don't encode
|
||||||
|
return string;
|
||||||
|
}
|
||||||
|
|
||||||
string = this.html_entities.encode(string).replace(/'/g, "'");
|
string = this.html_entities.encode(string).replace(/'/g, "'");
|
||||||
|
|
||||||
if (process_newline) string = string.replace(/\n/gi, "<br>").replace(/\r/gi, "");
|
if (process_newline) string = string.replace(/\n/gi, "<br>").replace(/\r/gi, "");
|
||||||
@@ -222,6 +230,11 @@ class WTVShared {
|
|||||||
});
|
});
|
||||||
self.debug("sanitizeSignature", "allowed protocols:", allowedProtocols);
|
self.debug("sanitizeSignature", "allowed protocols:", allowedProtocols);
|
||||||
|
|
||||||
|
if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_SANITIZER)) {
|
||||||
|
// shenanigans level matches, don't filter
|
||||||
|
return string;
|
||||||
|
}
|
||||||
|
|
||||||
const clean = this.sanitizeHtml(string, {
|
const clean = this.sanitizeHtml(string, {
|
||||||
allowedTags: ['a', 'audioscope', 'b', 'bgsound', 'big', 'blackface', 'blockquote', 'bq', 'br', 'caption', 'center', 'cite', 'c', 'dd', 'dfn', 'div', 'dl', 'dt', 'em', 'fn', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'html', 'i', 'img', 'label', 'li', 'listing', 'marquee', 'nobr', 'ol', 'p', 'plaintext', 'pre', 's', 'samp', 'small', 'shadow', 'span', 'strike', 'strong', 'sub', 'sup', 'tbody', 'table', 'td', 'th', 'tr', 'tt', 'u', 'ul'],
|
allowedTags: ['a', 'audioscope', 'b', 'bgsound', 'big', 'blackface', 'blockquote', 'bq', 'br', 'caption', 'center', 'cite', 'c', 'dd', 'dfn', 'div', 'dl', 'dt', 'em', 'fn', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'html', 'i', 'img', 'label', 'li', 'listing', 'marquee', 'nobr', 'ol', 'p', 'plaintext', 'pre', 's', 'samp', 'small', 'shadow', 'span', 'strike', 'strong', 'sub', 'sup', 'tbody', 'table', 'td', 'th', 'tr', 'tt', 'u', 'ul'],
|
||||||
disallowedTagsMode: 'discard',
|
disallowedTagsMode: 'discard',
|
||||||
|
|||||||
42
zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
Normal file
42
zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
Normal file
@@ -0,0 +1,42 @@
|
|||||||
|
class WTVShenanigans {
|
||||||
|
minisrv_config = null;
|
||||||
|
shenanigans = {
|
||||||
|
// PLEASE NOTE: anything that is broken with any shenigan level besides "false" is NOT a bug!!!!
|
||||||
|
|
||||||
|
"NO_SHENANIGANS": false, // no shenanigans, minisrv as intended, most secure option
|
||||||
|
"ENABLE_TRICKS_URLACCESS": 1, // allows users to use wtv-tricks:/access?url=
|
||||||
|
"DISABLE_HTML_ENTITIZER": 4, // disables HTML Entitizer, allowing things such as HTML in email/usenet subjects
|
||||||
|
"DISABLE_HTML_SANITIZER": 5 // disables HTML Sanitizer, allowing all sorts of chaos in email/usenet posts and signatures
|
||||||
|
}
|
||||||
|
|
||||||
|
constructor(minisrv_config) {
|
||||||
|
this.minisrv_config = minisrv_config;
|
||||||
|
}
|
||||||
|
|
||||||
|
getShenanigansLevel() {
|
||||||
|
return this.minisrv_config.config.shenanigans;
|
||||||
|
}
|
||||||
|
|
||||||
|
checkShenanigan(value) {
|
||||||
|
var level = this.getShenanigansLevel();
|
||||||
|
|
||||||
|
// shenanigans are disabled, don't iterate
|
||||||
|
if (level === false) return false;
|
||||||
|
|
||||||
|
var retval = false;
|
||||||
|
var shenanigans = this.shenanigans;
|
||||||
|
|
||||||
|
// shenanigans are enabled, so check if the requested shenanigan is within the level enabled
|
||||||
|
Object.keys(shenanigans).forEach((k) => {
|
||||||
|
if (shenanigans[k] == value) {
|
||||||
|
if (level >= shenanigans[k]) {
|
||||||
|
retval = true;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
module.exports = WTVShenanigans;
|
||||||
@@ -95,7 +95,12 @@
|
|||||||
"wtv-head-waiter:/images/signin_new_mail.gif",
|
"wtv-head-waiter:/images/signin_new_mail.gif",
|
||||||
"wtv-head-waiter:/images/signin_no_mail.gif",
|
"wtv-head-waiter:/images/signin_no_mail.gif",
|
||||||
"wtv-log:/log"
|
"wtv-log:/log"
|
||||||
]
|
],
|
||||||
|
/* shenanigans: this allows you to intentionally enable old minisrv bugs, as well as official WebTV Networks exploits
|
||||||
|
Each level of shenanigans includes the previous level (eg 5 will also disable filters like 4)
|
||||||
|
See WTVShenanigans.js for more info.
|
||||||
|
*/
|
||||||
|
"shenanigans": false
|
||||||
},
|
},
|
||||||
"services": {
|
"services": {
|
||||||
// service definitions
|
// service definitions
|
||||||
|
|||||||
@@ -50,6 +50,9 @@
|
|||||||
<Content Include="includes\classes\WTVRegister.js" />
|
<Content Include="includes\classes\WTVRegister.js" />
|
||||||
<Content Include="includes\classes\WTVSec.js" />
|
<Content Include="includes\classes\WTVSec.js" />
|
||||||
<Content Include="includes\classes\WTVShared.js" />
|
<Content Include="includes\classes\WTVShared.js" />
|
||||||
|
<Content Include="includes\classes\WTVShenanigans.js">
|
||||||
|
<SubType>Code</SubType>
|
||||||
|
</Content>
|
||||||
<Content Include="includes\ServiceDeps\https\selfsigned_cert.pem" />
|
<Content Include="includes\ServiceDeps\https\selfsigned_cert.pem" />
|
||||||
<Content Include="includes\ServiceDeps\https\selfsigned_key.pem" />
|
<Content Include="includes\ServiceDeps\https\selfsigned_key.pem" />
|
||||||
<Content Include="includes\ServiceDeps\templates\wtv-guide\glossary.json" />
|
<Content Include="includes\ServiceDeps\templates\wtv-guide\glossary.json" />
|
||||||
|
|||||||
Reference in New Issue
Block a user