From 745de7de1f5cb051de8e54cb0ab78bb4b9abf7bf Mon Sep 17 00:00:00 2001
From: zefie
Date: Sat, 22 Oct 2022 18:15:15 -0400
Subject: [PATCH] fix issue where users could bypass username sanity checks with direct urls
---
 .../wtv-register/ValidateReviewAccountInfo.js | 62 ++++++++++++-------
 .../wtv-setup/validate-add-user-done.js | 7 +++
 zefie_wtvp_minisrv/includes/WTVRegister.js | 1 -
 3 files changed, 45 insertions(+), 25 deletions(-)
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js
index bbb94b33..3eb76532 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js
@@ -1,5 +1,6 @@
 var minisrv_service_file = true;
+
 if (!request_headers.query.registering ||
 !request_headers.query.subscriber_name ||
 !request_headers.query.subscriber_username ||
@@ -8,40 +9,52 @@ if (!request_headers.query.registering ||
 !session_data.session_store ||
 !session_data ||
 !socket.ssid
- ) {
+) {
 var errpage = wtvshared.doErrorPage(400);
 headers = errpage[0];
 data = errpage[1];
 } else {
- session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name);
- session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username);
- session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact);
- session_data.setSessionData("subscriber_contact_method", request_headers.query.subscriber_contact_method);
- session_data.setSessionData("subscriber_userid", 0);
- session_data.setSessionData("registered", true);
- var mailstore_exists = session_data.mailstore.mailstoreExists();
- var mailbox_exists = false;
- if (!mailstore_exists) mailstore_exists = session_data.mailstore.createMailstore();
- if (mailstore_exists) {
- if (!session_data.mailstore.mailboxExists(0)) {
- // mailbox does not yet exist, create it
- mailbox_exists = session_data.mailstore.createMailbox(0);
- }
- if (mailbox_exists) {
- // Just created Inbox for the first time, so create the welcome message
- session_data.mailstore.createWelcomeMessage();
- }
- }
- if (!session_data.saveSessionData(true, true)) {
- var errpage = wtvshared.doErrorPage(400);
+ var errpage = null;
+ const WTVRegister = require(classPath + "/WTVRegister.js")
+ var wtvr = new WTVRegister(minisrv_config, SessionStore);
+ if (!request_headers.query.subscriber_username) errpage = wtvshared.doErrorPage(400, "Please enter a username.");
+ else if (request_headers.query.subscriber_username.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with " + minisrv_config.config.user_accounts.min_username_length + " or more characters.");
+ else if (request_headers.query.subscriber_username.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with " + minisrv_config.config.user_accounts.max_username_length + " or less characters.");
+ else if (!wtvr.checkUsernameSanity(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only letters, numbers, _ or -. Also, please be sure your username begins with a letter.");
+ else if (!wtvr.checkUsernameAvailable(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username.");
+ if (errpage) {
 headers = errpage[0];
 data = errpage[1];
 } else {
+ session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name);
+ session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username);
+ session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact);
+ session_data.setSessionData("subscriber_contact_method", request_headers.query.subscriber_contact_method);
+ session_data.setSessionData("subscriber_userid", 0);
+ session_data.setSessionData("registered", true);
+ var mailstore_exists = session_data.mailstore.mailstoreExists();
+ var mailbox_exists = false;
+ if (!mailstore_exists) mailstore_exists = session_data.mailstore.createMailstore();
+ if (mailstore_exists) {
+ if (!session_data.mailstore.mailboxExists(0)) {
+ // mailbox does not yet exist, create it
+ mailbox_exists = session_data.mailstore.createMailbox(0);
+ }
+ if (mailbox_exists) {
+ // Just created Inbox for the first time, so create the welcome message
+ session_data.mailstore.createWelcomeMessage();
+ }
+ }
+ if (!session_data.saveSessionData(true, true)) {
+ var errpage = wtvshared.doErrorPage(400);
+ headers = errpage[0];
+ data = errpage[1];
+ } else {
- headers = `200 OK
+ headers = `200 OK
 Content-Type: text/html`;
- data = `
+ data = `
 Finished signing up
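Review bot: The first branch of the new validation chain, `if (!request_headers.query.subscriber_username) errpage = wtvshared.doErrorPage(400, "Please enter a username.");`, is unreachable, because the outer condition at the top of this file already answers 400 when `subscriber_username` is missing and this `else` branch only runs with a truthy value. The four checks that follow are the same length/sanity/availability chain that validate-add-user-done.js now carries for `user_name`, and this commit exists precisely because one page had the chain and the other did not; moving it into one WTVRegister method that returns the error text or null would keep the two pages from drifting again and would be the natural place for a `typeof === 'string'` guard, since `.length` on a non-string query value is not the limit the config intends. The messages here also omit the `<b>` markup the other file uses, and `const WTVRegister = require(classPath + "/WTVRegister.js")` lacks its semicolon while the surrounding code uses `var`. The enclosing `else` block and the inner `if (errpage)` body continue past the end of this hunk.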
@@ -110,5 +123,6 @@ connect to the Internet by choosing
 </body>
 </html>
 `;
+ }
 }
 }
\ No newline at end of file
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js b/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js
index 62bf5571..3d497352 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js
@@ -17,8 +17,15 @@ if (!errpage) {
 if (!errpage) {
 if (session_data.getNumberOfUserAccounts() > minisrv_config.config.user_accounts.max_users_per_account) errpage = wtvshared.doErrorPage(400, "You are not authorized to add more than " + minisrv_config.config.user_accounts.max_users_per_account + ` account${minisrv_config.config.user_accounts.max_users_per_account > 1 ? 's' : ''}.`);
+
+ if (!request_headers.query.user_name) errpage = wtvshared.doErrorPage(400, "Please enter a username.");
+ else if (request_headers.query.user_name.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.min_username_length + "</b> or more characters.");
+ else if (request_headers.query.user_name.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.max_username_length + "</b> or less characters.");
+ else if (!wtvr.checkUsernameSanity(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
+ else if (!wtvr.checkUsernameAvailable(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username.");
 }
+
 if (errpage) {
 headers = errpage[0];
 data = errpage[1];
diff --git a/zefie_wtvp_minisrv/includes/WTVRegister.js b/zefie_wtvp_minisrv/includes/WTVRegister.js
index 8900931b..6ad617e4 100644
--- a/zefie_wtvp_minisrv/includes/WTVRegister.js
+++ b/zefie_wtvp_minisrv/includes/WTVRegister.js
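Review bot: The new username chain opens with a plain `if`, not `else if`, so it runs even when the preceding max-users check has already set `errpage`, and an invalid name from a user who is over the limit replaces the "not authorized to add more than" page with a username message while the availability lookup still runs on a request that is already rejected. Changing the first line to `else if (!request_headers.query.user_name) errpage = wtvshared.doErrorPage(400, "Please enter a username.");` (the blank line between the two statements does not break the chain) keeps the first failure as the one reported. `wtvr` is not defined inside this hunk, so its construction is presumably earlier in the file. The enclosing `if (!errpage) {` block begins at the hunk's first line and the `if (errpage)` body continues past its end.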
@@ -37,7 +37,6 @@ class WTVRegister {
 if (this.minisrv_config.config.user_accounts.reserved_names) {
 Object.keys(this.minisrv_config.config.user_accounts.reserved_names).forEach((k) => {
 if (self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase() == username.toLowerCase()) return_val = true;
- console.log(self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase(), username.toLowerCase(), return_val)
 })
 }