fix issue where users could bypass username sanity checks with direct urls
@@ -1,5 +1,6 @@
|
||||
var minisrv_service_file = true;
|
||||
|
||||
|
||||
if (!request_headers.query.registering ||
|
||||
!request_headers.query.subscriber_name ||
|
||||
!request_headers.query.subscriber_username ||
|
||||
@@ -8,40 +9,52 @@ if (!request_headers.query.registering ||
|
||||
!session_data.session_store ||
|
||||
!session_data ||
|
||||
!socket.ssid
|
||||
) {
|
||||
) {
|
||||
var errpage = wtvshared.doErrorPage(400);
|
||||
headers = errpage[0];
|
||||
data = errpage[1];
|
||||
} else {
|
||||
session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name);
|
||||
session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username);
|
||||
session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact);
|
||||
session_data.setSessionData("subscriber_contact_method", request_headers.query.subscriber_contact_method);
|
||||
session_data.setSessionData("subscriber_userid", 0);
|
||||
session_data.setSessionData("registered", true);
|
||||
var mailstore_exists = session_data.mailstore.mailstoreExists();
|
||||
var mailbox_exists = false;
|
||||
if (!mailstore_exists) mailstore_exists = session_data.mailstore.createMailstore();
|
||||
if (mailstore_exists) {
|
||||
if (!session_data.mailstore.mailboxExists(0)) {
|
||||
// mailbox does not yet exist, create it
|
||||
mailbox_exists = session_data.mailstore.createMailbox(0);
|
||||
}
|
||||
if (mailbox_exists) {
|
||||
// Just created Inbox for the first time, so create the welcome message
|
||||
session_data.mailstore.createWelcomeMessage();
|
||||
}
|
||||
}
|
||||
if (!session_data.saveSessionData(true, true)) {
|
||||
var errpage = wtvshared.doErrorPage(400);
|
||||
var errpage = null;
|
||||
const WTVRegister = require(classPath + "/WTVRegister.js")
|
||||
var wtvr = new WTVRegister(minisrv_config, SessionStore);
|
||||
if (!request_headers.query.subscriber_username) errpage = wtvshared.doErrorPage(400, "Please enter a username.");
|
||||
else if (request_headers.query.subscriber_username.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.min_username_length + "</b> or more characters.");
|
||||
else if (request_headers.query.subscriber_username.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.max_username_length + "</b> or less characters.");
|
||||
else if (!wtvr.checkUsernameSanity(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
|
||||
else if (!wtvr.checkUsernameAvailable(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username.");
|
||||
if (errpage) {
|
||||
headers = errpage[0];
|
||||
data = errpage[1];
|
||||
} else {
|
||||
session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name);
|
||||
session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username);
|
||||
session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact);
|
||||
session_data.setSessionData("subscriber_contact_method", request_headers.query.subscriber_contact_method);
|
||||
session_data.setSessionData("subscriber_userid", 0);
|
||||
session_data.setSessionData("registered", true);
|
||||
var mailstore_exists = session_data.mailstore.mailstoreExists();
|
||||
var mailbox_exists = false;
|
||||
if (!mailstore_exists) mailstore_exists = session_data.mailstore.createMailstore();
|
||||
if (mailstore_exists) {
|
||||
if (!session_data.mailstore.mailboxExists(0)) {
|
||||
// mailbox does not yet exist, create it
|
||||
mailbox_exists = session_data.mailstore.createMailbox(0);
|
||||
}
|
||||
if (mailbox_exists) {
|
||||
// Just created Inbox for the first time, so create the welcome message
|
||||
session_data.mailstore.createWelcomeMessage();
|
||||
}
|
||||
}
|
||||
if (!session_data.saveSessionData(true, true)) {
|
||||
var errpage = wtvshared.doErrorPage(400);
|
||||
headers = errpage[0];
|
||||
data = errpage[1];
|
||||
} else {
|
||||
|
||||
headers = `200 OK
|
||||
headers = `200 OK
|
||||
Content-Type: text/html`;
|
||||
|
||||
data = `<html>
|
||||
data = `<html>
|
||||
<head>
|
||||
<title>
|
||||
Finished signing up
|
||||
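Review bot: The length and sanity checks on `request_headers.query.subscriber_username` assume the value is a string; if the query parser represents a repeated parameter as an array (Node's `querystring` does), `.length` counts elements rather than characters and `checkUsernameSanity` receives an array, so what passes then depends on how that helper coerces its argument — worth confirming against the parser in use. A type guard as the first branch closes this regardless of parser behaviour: `if (typeof request_headers.query.subscriber_username !== 'string') errpage = wtvshared.doErrorPage(400, "Please enter a username.");`. The identical chain on `user_name` in the `@@ -17,8 +17,15 @@` hunk needs the same guard. Separately, `subscriber_name`, `subscriber_contact` and `subscriber_contact_method` are still written to the session at the `setSessionData` lines with no validation at all, so the sanity rules now cover only one of the four stored fields. The enclosing `if`/`else` opens in the hunk above and closes in the hunk below.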
@@ -110,5 +123,6 @@ connect to the Internet by choosing
|
||||
</body>
|
||||
</html>
|
||||
`;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -17,8 +17,15 @@ if (!errpage) {
|
||||
|
||||
if (!errpage) {
|
||||
if (session_data.getNumberOfUserAccounts() > minisrv_config.config.user_accounts.max_users_per_account) errpage = wtvshared.doErrorPage(400, "You are not authorized to add more than " + minisrv_config.config.user_accounts.max_users_per_account + ` account${minisrv_config.config.user_accounts.max_users_per_account > 1 ? 's' : ''}.`);
|
||||
|
||||
if (!request_headers.query.user_name) errpage = wtvshared.doErrorPage(400, "Please enter a username.");
|
||||
else if (request_headers.query.user_name.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.min_username_length + "</b> or more characters.");
|
||||
else if (request_headers.query.user_name.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.max_username_length + "</b> or less characters.");
|
||||
else if (!wtvr.checkUsernameSanity(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
|
||||
else if (!wtvr.checkUsernameAvailable(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username.");
|
||||
}
|
||||
|
||||
|
||||
if (errpage) {
|
||||
headers = errpage[0];
|
||||
data = errpage[1];
|
||||
|
||||
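Review bot: The five-branch validation chain on `user_name` here is a line-for-line copy of the one on `subscriber_username` in the `@@ -8,40 +9,52 @@` hunk, differing only in the field name; since this commit exists because one entry point carried the checks and another did not, the rules belong in one place — for example a `WTVRegister` method that takes the candidate name and returns the error text or `null`, so each service reduces to a single `doErrorPage` call on its result. The count check at the `getNumberOfUserAccounts()` line, which looks like pre-existing context rather than part of this change, rejects only when the current count already exceeds `max_users_per_account`, so it appears to permit one account past the limit; if a hard cap is intended, `>=` is the comparison, but confirm what that method counts first. The `if (errpage)` block at the end of the hunk continues outside it.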
@@ -37,7 +37,6 @@ class WTVRegister {
|
||||
if (this.minisrv_config.config.user_accounts.reserved_names) {
|
||||
Object.keys(this.minisrv_config.config.user_accounts.reserved_names).forEach((k) => {
|
||||
if (self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase() == username.toLowerCase()) return_val = true;
|
||||
console.log(self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase(), username.toLowerCase(), return_val)
|
||||
})
|
||||
}
|
||||
|
||||
|
||||