control.ashx now behind 3FA

This commit is contained in:
Ylian Saint-Hilaire 2020-09-18 00:57:36 -07:00
parent 194f863bd2
commit 25e30814be
7 changed files with 13 additions and 7 deletions



@ -1 +1 @@
function Q(n){return document.getElementById(n)}function QS(n){try{return Q(n).style}catch(n){}}function QE(n,t){try{Q(n).disabled=!t}catch(n){}}function QV(n,t){try{QS(n).display=t?"":"none"}catch(n){}}function QA(n,t){Q(n).innerHTML+=t}function QH(n,t){Q(n).innerHTML=t}function QC(n){try{return Q(n).classList}catch(n){}}function inputBoxFocus(n){Q(n).focus();var t=Q(n).value;Q(n).value="",Q(n).value=t}function ReadShort(n,t){return(n.charCodeAt(t)<<8)+n.charCodeAt(t+1)}function ReadShortX(n,t){return(n.charCodeAt(t+1)<<8)+n.charCodeAt(t)}function ReadInt(n,t){return 16777216*n.charCodeAt(t)+(n.charCodeAt(t+1)<<16)+(n.charCodeAt(t+2)<<8)+n.charCodeAt(t+3)}function ReadSInt(n,t){return(n.charCodeAt(t)<<24)+(n.charCodeAt(t+1)<<16)+(n.charCodeAt(t+2)<<8)+n.charCodeAt(t+3)}function ReadIntX(n,t){return 16777216*n.charCodeAt(t+3)+(n.charCodeAt(t+2)<<16)+(n.charCodeAt(t+1)<<8)+n.charCodeAt(t)}function ShortToStr(n){return String.fromCharCode(n>>8&255,255&n)}function ShortToStrX(n){return String.fromCharCode(255&n,n>>8&255)}function IntToStr(n){return String.fromCharCode(n>>24&255,n>>16&255,n>>8&255,255&n)}function IntToStrX(n){return String.fromCharCode(255&n,n>>8&255,n>>16&255,n>>24&255)}function MakeToArray(n){return n&&null!=n&&"object"!=typeof n?[n]:n}function SplitArray(n){return n.split(",")}function Clone(n){return JSON.parse(JSON.stringify(n))}function EscapeHtml(n){return"string"==typeof n?n.replace(/&/g,"&amp;").replace(/>/g,"&gt;").replace(/</g,"&lt;").replace(/"/g,"&quot;").replace(/'/g,"&apos;"):"boolean"==typeof n?n:"number"==typeof n?n:void 0}function EscapeHtmlBreaks(n){return"string"==typeof n?n.replace(/&/g,"&amp;").replace(/>/g,"&gt;").replace(/</g,"&lt;").replace(/"/g,"&quot;").replace(/'/g,"&apos;").replace(/\r/g,"<br />").replace(/\n/g,"").replace(/\t/g,"&nbsp;&nbsp;"):"boolean"==typeof n?n:"number"==typeof n?n:void 0}function ArrayElementMove(n,t,e){n.splice(e,0,n.splice(t,1)[0])}function ObjectToStringEx(n,t){var 
e="";if(0!=n&&(!n||null==n))return"(Null)";if(n instanceof Array)for(var r in n)e+="<br />"+gap(t)+"Item #"+r+": "+ObjectToStringEx(n[r],t+1);else if(n instanceof Object)for(var r in n)e+="<br />"+gap(t)+r+" = "+ObjectToStringEx(n[r],t+1);else e+=EscapeHtml(n);return e}function ObjectToStringEx2(n,t){var e="";if(0!=n&&(!n||null==n))return"(Null)";if(n instanceof Array)for(var r in n)e+="\r\n"+gap2(t)+"Item #"+r+": "+ObjectToStringEx2(n[r],t+1);else if(n instanceof Object)for(var r in n)e+="\r\n"+gap2(t)+r+" = "+ObjectToStringEx2(n[r],t+1);else e+=EscapeHtml(n);return e}function gap(n){for(var t="",e=0;e<4*n;e++)t+="&nbsp;";return t}function gap2(n){for(var t="",e=0;e<4*n;e++)t+=" ";return t}function ObjectToString(n){return ObjectToStringEx(n,0)}function ObjectToString2(n){return ObjectToStringEx2(n,0)}function hex2rstr(n){if("string"!=typeof n||0==n.length)return"";for(var t,e="",r=(""+n).match(/../g);t=r.shift();)e+=String.fromCharCode("0x"+t);return e}function char2hex(n){return(n+256).toString(16).substr(-2).toUpperCase()}function rstr2hex(n){var t,e="";for(t=0;t<n.length;t++)e+=char2hex(n.charCodeAt(t));return e}function encode_utf8(n){return unescape(encodeURIComponent(n))}function decode_utf8(n){return decodeURIComponent(escape(n))}function data2blob(n){for(var t=new Array(n.length),e=0;e<n.length;e++)t[e]=n.charCodeAt(e);return new Blob([new Uint8Array(t)])}function utf2blob(n){for(var t=[],e=unescape(encodeURIComponent(n)),r=0;r<e.length;r++)t.push(e.charCodeAt(r));return new Blob([new Uint8Array(t)])}function random(n){return Math.floor(Math.random()*n)}function trademarks(n){return n.replace(/\(R\)/g,"&reg;").replace(/\(TM\)/g,"&trade;")}function zeroPad(n,t){null==t&&(t=2);var e="00000000"+n;return e.substr(e.length-t)}function isAlphaNumeric(n){return null!=n.match(/^[A-Za-z0-9]+$/)}function isSafeString(n){return"string"==typeof 
n&&-1==n.indexOf("<")&&-1==n.indexOf(">")&&-1==n.indexOf("&")&&-1==n.indexOf('"')&&-1==n.indexOf("'")&&-1==n.indexOf("+")&&-1==n.indexOf("(")&&-1==n.indexOf(")")&&-1==n.indexOf("#")&&-1==n.indexOf("%")&&-1==n.indexOf(":")}function isSafeString2(n){return"string"==typeof n&&-1==n.indexOf("<")&&-1==n.indexOf(">")&&-1==n.indexOf("&")&&-1==n.indexOf('"')&&-1==n.indexOf("'")&&-1==n.indexOf("+")&&-1==n.indexOf("(")&&-1==n.indexOf(")")&&-1==n.indexOf("#")&&-1==n.indexOf("%")}function parseUriArgs(){var n=window.document.location.href;n.endsWith("#")&&(n=n.substring(0,n.length-1));var t,e={},r=n.split(/[\?&|\=]/);for(o in r.splice(0,1),r)switch(o%2){case 0:t=decodeURIComponent(r[o]);break;case 1:if(e[t]=decodeURIComponent(r[o]),isSafeString2(e[t])){var o=parseInt(e[t]);o==e[t]&&(e[t]=o)}else delete e[t]}return e}String.prototype.startsWith||(String.prototype.startsWith=function(n){return 0===this.lastIndexOf(n,0)}),String.prototype.endsWith||(String.prototype.endsWith=function(n){return-1!==this.indexOf(n,this.length-n.length)})
function Q(n){return document.getElementById(n)}function QS(n){try{return Q(n).style}catch(n){}}function QE(n,t){try{Q(n).disabled=!t}catch(n){}}function QV(n,t){try{QS(n).display=t?"":"none"}catch(n){}}function QA(n,t){Q(n).innerHTML+=t}function QH(n,t){Q(n).innerHTML=t}function QC(n){try{return Q(n).classList}catch(n){}}function inputBoxFocus(n){Q(n).focus();var t=Q(n).value;Q(n).value="",Q(n).value=t}function ReadShort(n,t){return(n.charCodeAt(t)<<8)+n.charCodeAt(t+1)}function ReadShortX(n,t){return(n.charCodeAt(t+1)<<8)+n.charCodeAt(t)}function ReadInt(n,t){return 16777216*n.charCodeAt(t)+(n.charCodeAt(t+1)<<16)+(n.charCodeAt(t+2)<<8)+n.charCodeAt(t+3)}function ReadSInt(n,t){return(n.charCodeAt(t)<<24)+(n.charCodeAt(t+1)<<16)+(n.charCodeAt(t+2)<<8)+n.charCodeAt(t+3)}function ReadIntX(n,t){return 16777216*n.charCodeAt(t+3)+(n.charCodeAt(t+2)<<16)+(n.charCodeAt(t+1)<<8)+n.charCodeAt(t)}function ShortToStr(n){return String.fromCharCode(n>>8&255,255&n)}function ShortToStrX(n){return String.fromCharCode(255&n,n>>8&255)}function IntToStr(n){return String.fromCharCode(n>>24&255,n>>16&255,n>>8&255,255&n)}function IntToStrX(n){return String.fromCharCode(255&n,n>>8&255,n>>16&255,n>>24&255)}function MakeToArray(n){return n&&null!=n&&"object"!=typeof n?[n]:n}function SplitArray(n){return n.split(",")}function Clone(n){return JSON.parse(JSON.stringify(n))}function EscapeHtml(n){return"string"==typeof n?n.replace(/&/g,"&amp;").replace(/>/g,"&gt;").replace(/</g,"&lt;").replace(/"/g,"&quot;").replace(/'/g,"&apos;"):"boolean"==typeof n?n:"number"==typeof n?n:void 0}function EscapeHtmlBreaks(n){return"string"==typeof n?n.replace(/&/g,"&amp;").replace(/>/g,"&gt;").replace(/</g,"&lt;").replace(/"/g,"&quot;").replace(/'/g,"&apos;").replace(/\r/g,"<br />").replace(/\n/g,"").replace(/\t/g,"&nbsp;&nbsp;"):"boolean"==typeof n?n:"number"==typeof n?n:void 0}function ArrayElementMove(n,t,e){n.splice(e,0,n.splice(t,1)[0])}function ObjectToStringEx(n,t){var 
e="";if(0!=n&&(!n||null==n))return"(Null)";if(n instanceof Array)for(var r in n)e+="<br />"+gap(t)+"Item #"+r+": "+ObjectToStringEx(n[r],t+1);else if(n instanceof Object)for(var r in n)e+="<br />"+gap(t)+r+" = "+ObjectToStringEx(n[r],t+1);else e+=EscapeHtml(n);return e}function ObjectToStringEx2(n,t){var e="";if(0!=n&&(!n||null==n))return"(Null)";if(n instanceof Array)for(var r in n)e+="\r\n"+gap2(t)+"Item #"+r+": "+ObjectToStringEx2(n[r],t+1);else if(n instanceof Object)for(var r in n)e+="\r\n"+gap2(t)+r+" = "+ObjectToStringEx2(n[r],t+1);else e+=EscapeHtml(n);return e}function gap(n){for(var t="",e=0;e<4*n;e++)t+="&nbsp;";return t}function gap2(n){for(var t="",e=0;e<4*n;e++)t+=" ";return t}function ObjectToString(n){return ObjectToStringEx(n,0)}function ObjectToString2(n){return ObjectToStringEx2(n,0)}function hex2rstr(n){if("string"!=typeof n||0==n.length)return"";for(var t,e="",r=(""+n).match(/../g);t=r.shift();)e+=String.fromCharCode("0x"+t);return e}function char2hex(n){return(n+256).toString(16).substr(-2).toUpperCase()}function rstr2hex(n){var t,e="";for(t=0;t<n.length;t++)e+=char2hex(n.charCodeAt(t));return e}function encode_utf8(n){return unescape(encodeURIComponent(n))}function decode_utf8(n){return decodeURIComponent(escape(n))}function data2blob(n){for(var t=new Array(n.length),e=0;e<n.length;e++)t[e]=n.charCodeAt(e);return new Blob([new Uint8Array(t)])}function utf2blob(n){for(var t=[],e=unescape(encodeURIComponent(n)),r=0;r<e.length;r++)t.push(e.charCodeAt(r));return new Blob([new Uint8Array(t)])}function random(n){return Math.floor(Math.random()*n)}function trademarks(n){return n.replace(/\(R\)/g,"&reg;").replace(/\(TM\)/g,"&trade;")}function zeroPad(n,t){null==t&&(t=2);var e="00000000"+n;return e.substr(e.length-t)}function isAlphaNumeric(n){return"number"==typeof n||null!=n.match(/^[A-Za-z0-9]+$/)}function isSafeString(n){return"string"==typeof 
n&&-1==n.indexOf("<")&&-1==n.indexOf(">")&&-1==n.indexOf("&")&&-1==n.indexOf('"')&&-1==n.indexOf("'")&&-1==n.indexOf("+")&&-1==n.indexOf("(")&&-1==n.indexOf(")")&&-1==n.indexOf("#")&&-1==n.indexOf("%")&&-1==n.indexOf(":")}function isSafeString2(n){return"string"==typeof n&&-1==n.indexOf("<")&&-1==n.indexOf(">")&&-1==n.indexOf("&")&&-1==n.indexOf('"')&&-1==n.indexOf("'")&&-1==n.indexOf("+")&&-1==n.indexOf("(")&&-1==n.indexOf(")")&&-1==n.indexOf("#")&&-1==n.indexOf("%")}function parseUriArgs(){var n=window.document.location.href;n.endsWith("#")&&(n=n.substring(0,n.length-1));var t,e={},r=n.split(/[\?&|\=]/);for(o in r.splice(0,1),r)switch(o%2){case 0:t=decodeURIComponent(r[o]);break;case 1:if(e[t]=decodeURIComponent(r[o]),isSafeString2(e[t])){var o=parseInt(e[t]);o==e[t]&&(e[t]=o)}else delete e[t]}return e}String.prototype.startsWith||(String.prototype.startsWith=function(n){return 0===this.lastIndexOf(n,0)}),String.prototype.endsWith||(String.prototype.endsWith=function(n){return-1!==this.indexOf(n,this.length-n.length)})


@ -110,7 +110,7 @@ function trademarks(x) { return x.replace(/\(R\)/g, '&reg;').replace(/\(TM\)/g,
function zeroPad(num, c) { if (c == null) { c = 2; } var s = "00000000" + num; return s.substr(s.length - c); }
// String validation
function isAlphaNumeric(str) { return (str.match(/^[A-Za-z0-9]+$/) != null); };
function isAlphaNumeric(str) { if (typeof str == 'number') { return true; } return (str.match(/^[A-Za-z0-9]+$/) != null); };
function isSafeString(str) { return ((typeof str == 'string') && (str.indexOf('<') == -1) && (str.indexOf('>') == -1) && (str.indexOf('&') == -1) && (str.indexOf('"') == -1) && (str.indexOf('\'') == -1) && (str.indexOf('+') == -1) && (str.indexOf('(') == -1) && (str.indexOf(')') == -1) && (str.indexOf('#') == -1) && (str.indexOf('%') == -1) && (str.indexOf(':') == -1)) };
function isSafeString2(str) { return ((typeof str == 'string') && (str.indexOf('<') == -1) && (str.indexOf('>') == -1) && (str.indexOf('&') == -1) && (str.indexOf('"') == -1) && (str.indexOf('\'') == -1) && (str.indexOf('+') == -1) && (str.indexOf('(') == -1) && (str.indexOf(')') == -1) && (str.indexOf('#') == -1) && (str.indexOf('%') == -1)) };
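Review bot: The numeric branch added to isAlphaNumeric returns true for every number, including negatives, fractions and exponent forms (`-5`, `1.5`, `1e21`) whose string rendering contains characters the regex would reject, so a caller that later concatenates such a value into a URL or HTML is no longer protected by this check. Coercing first preserves the intent (parseUriArgs turns numeric-looking query values into ints) while still validating the characters: `function isAlphaNumeric(str) { return (String(str).match(/^[A-Za-z0-9]+$/) != null); };`. This also stops the function throwing on non-string, non-number input such as an array produced by a repeated query parameter. The callers visible on this page (default.handlebars) use it to gate urlargs.key and urlargs.locale.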


@ -1 +1 @@
var MeshServerCreateControl=function(e,t){var o={State:0,connectstate:0,pingTimer:null};return o.authCookie=t,o.trace=!1,o.xxStateChange=function(t,e){if(o.State!=t){var n=o.State;o.State=t,o.onStateChanged&&o.onStateChanged(o,o.State,n,e)}},o.Start=function(){if(0==o.connectstate){o.connectstate=0;var t=window.location.protocol.replace("http","ws")+"//"+window.location.host+e+"control.ashx";o.authCookie&&""!=o.authCookie&&(t+="?auth="+o.authCookie),o.socket=new WebSocket(t),o.socket.onopen=function(t){o.connectstate=1},o.socket.onmessage=o.xxOnMessage,o.socket.onclose=function(t){o.Stop(t.code)},o.xxStateChange(1,0),null!=o.pingTimer&&clearInterval(o.pingTimer),o.pingTimer=setInterval(function(){o.send({action:"ping"})},29e3)}},o.Stop=function(t){o.connectstate=0,o.socket&&(o.socket.close(),delete o.socket),null!=o.pingTimer&&(clearInterval(o.pingTimer),o.pingTimer=null),o.xxStateChange(0,t)},o.xxOnMessage=function(t){var e;1==o.State&&o.xxStateChange(2);try{e=JSON.parse(t.data)}catch(t){return}if("object"==typeof e&&"pong"!=e.action){if("ping"==e.action&&o.send({action:"pong"}),"close"==e.action)return e.msg&&console.log(e.msg),void o.Stop(e.cause);o.trace&&console.log("RECV",e),o.onMessage&&o.onMessage(o,e)}},o.send=function(t){null!=o.socket&&1==o.connectstate&&(o.trace&&"ping"!=t.action&&console.log("SEND",t),o.socket.send(JSON.stringify(t)))},o}
var MeshServerCreateControl=function(t,e){var o={State:0,connectstate:0,pingTimer:null};return o.authCookie=e,o.trace=!1,o.xxStateChange=function(e,t){if(o.State!=e){var n=o.State;o.State=e,o.onStateChanged&&o.onStateChanged(o,o.State,n,t)}},o.Start=function(){if(0==o.connectstate){o.connectstate=0;var e=window.location.protocol.replace("http","ws")+"//"+window.location.host+t+"control.ashx"+(urlargs.key?"?key="+urlargs.key:"");o.authCookie&&""!=o.authCookie&&(e+="?auth="+o.authCookie),o.socket=new WebSocket(e),o.socket.onopen=function(e){o.connectstate=1},o.socket.onmessage=o.xxOnMessage,o.socket.onclose=function(e){o.Stop(e.code)},o.xxStateChange(1,0),null!=o.pingTimer&&clearInterval(o.pingTimer),o.pingTimer=setInterval(function(){o.send({action:"ping"})},29e3)}},o.Stop=function(e){o.connectstate=0,o.socket&&(o.socket.close(),delete o.socket),null!=o.pingTimer&&(clearInterval(o.pingTimer),o.pingTimer=null),o.xxStateChange(0,e)},o.xxOnMessage=function(e){var t;1==o.State&&o.xxStateChange(2);try{t=JSON.parse(e.data)}catch(e){return}if("object"==typeof t&&"pong"!=t.action){if("ping"==t.action&&o.send({action:"pong"}),"close"==t.action)return t.msg&&console.log(t.msg),void o.Stop(t.cause);o.trace&&console.log("RECV",t),o.onMessage&&o.onMessage(o,t)}},o.send=function(e){null!=o.socket&&1==o.connectstate&&(o.trace&&"ping"!=e.action&&console.log("SEND",e),o.socket.send(JSON.stringify(e)))},o}


@ -22,7 +22,7 @@ var MeshServerCreateControl = function (domain, authCookie) {
obj.Start = function () {
if (obj.connectstate != 0) return;
obj.connectstate = 0;
var url = window.location.protocol.replace("http", "ws") + "//" + window.location.host + domain + "control.ashx";
var url = window.location.protocol.replace('http', 'ws') + '//' + window.location.host + domain + 'control.ashx' + (urlargs.key ? ('?key=' + urlargs.key) : '');
if (obj.authCookie && (obj.authCookie != '')) { url += '?auth=' + obj.authCookie; }
obj.socket = new WebSocket(url);
obj.socket.onopen = function (e) { obj.connectstate = 1; }
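Review bot: When a 3FA key and a non-empty authCookie are both present, the new line builds `control.ashx?key=X` and the unchanged line below appends a second `?auth=…`, yielding `control.ashx?key=X?auth=Y`; the server then sees key as `X?auth=Y` and no auth parameter at all, so the key check fails precisely in the case this feature targets. Use the correct separator for the second parameter: `if (obj.authCookie && (obj.authCookie != '')) { url += ((url.indexOf('?') == -1) ? '?' : '&') + 'auth=' + obj.authCookie; }`. Separately, `urlargs` is not declared in this file; if meshctrl.js is loaded by a page that does not define it globally, `urlargs.key` throws a ReferenceError before the socket is opened, which a guard like `((typeof urlargs != 'undefined') && urlargs.key)` would avoid. obj.Start continues beyond the hunk.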


@ -1298,6 +1298,7 @@
// Fetch URL arguments & do sanitation
urlargs = parseUriArgs();
if (urlargs.key != null) { urlargs.key = "" + urlargs.key; }
if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
if (urlargs.locale && (isAlphaNumeric(urlargs.locale) == false)) { delete urlargs.locale; }
delete urlargs.viewmode;
@ -6366,7 +6367,7 @@
if ((servername.indexOf('.') == -1) || ((features & 2) != 0)) { servername = window.location.hostname; } // If the server name is not set or it's in LAN-only mode, use the URL hostname as server name.
var domainUrlNoSlash = domainUrl.substring(0, domainUrl.length - 1);
var portStr = (serverinfo.port == 443) ? '' : (':' + serverinfo.port);
var url = 'mcrouter://' + servername + portStr + domainUrl + 'control.ashx?c=' + authCookie + '&t=' + serverinfo.tlshash + '&l={{{lang}}}';
var url = 'mcrouter://' + servername + portStr + domainUrl + 'control.ashx?c=' + authCookie + '&t=' + serverinfo.tlshash + '&l={{{lang}}}' + (urlargs.key?('&key=' + urlargs.key):'');
//x += addHtmlValue("Launch", '<a style=cursor:pointer target="mcrouterframe" rel="noreferrer noopener" download href="' + url + '">Start MeshCentral Router</a>');
//x += '<br /><div style=width:100%><a style=cursor:pointer target="mcrouterframe" rel="noreferrer noopener" download href="' + url + '">' + "Start MeshCentral Router" + '</a>' + ", for this link to work you must download MeshCentral Router run it and click the install button." + '</div>';
x += '<br /><div>' + "Run MeshCentral Router and click \"install\" to make it launchable from the browser." + '</div>';
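Review bot: In the first hunk, the added line coerces urlargs.key to a string before the isAlphaNumeric check, but the sibling check for urlargs.locale two lines below gets no such coercion, so a numeric locale (parseUriArgs converts numeric-looking values with parseInt) reaches isAlphaNumeric as a number and, with this commit's change to that function, passes regardless of its characters. For consistency add `if (urlargs.locale != null) { urlargs.locale = "" + urlargs.locale; }` before that check, or drop the number special-case in isAlphaNumeric and coerce inside it instead. In the second hunk the key is concatenated into the mcrouter URL unencoded; that is safe only because the earlier check restricts it to [A-Za-z0-9], which deserves a comment on that line: `// urlargs.key is validated alphanumeric above, safe to concatenate`.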


@ -4801,7 +4801,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.app.get(url + 'health.ashx', function (req, res) { res.send('ok'); }); // TODO: Perform more server checking.
obj.app.ws(url + 'webrelay.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, handleRelayWebSocket); });
obj.app.ws(url + 'webider.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, function (ws1, req1, domain, user, cookie) { obj.meshIderHandler.CreateAmtIderSession(obj, obj.db, ws1, req1, obj.args, domain, user); }); });
obj.app.ws(url + 'control.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, function (ws1, req1, domain, user, cookie) { obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user); }); });
obj.app.ws(url + 'control.ashx', function (ws, req) {
PerformWSSessionAuth(ws, req, false, function (ws1, req1, domain, user, cookie) {
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { ws.close(); return; } // Check 3FA URL key
obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user);
});
});
obj.app.ws(url + 'devicefile.ashx', function (ws, req) { obj.meshDeviceFileHandler.CreateMeshDeviceFile(obj, ws, null, req, domain); });
obj.app.get(url + 'devicefile.ashx', handleDeviceFile);
obj.app.get(url + 'logo.png', handleLogoRequest);
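Review bot: The 3FA check on the added line accepts any `req.query.key` for which `domain.loginkey.indexOf(key)` is not -1, which is an exact-element test only when loginkey is an array; if the config value can also be a plain string (its schema is not visible here), indexOf becomes a substring search, so `?key=` (empty string) returns 0 and passes, as does any substring of the real key. `req.query.key` can also be an array when the parameter is repeated, which should be rejected rather than fed to indexOf. Tightening the condition to `if ((domain.loginkey != null) && ((typeof req.query.key != 'string') || (req.query.key == '') || (domain.loginkey.indexOf(req.query.key) == -1))) { ws.close(); return; }` closes both gaps whatever the config type. A short comment such as `// 3FA: a valid domain.loginkey must be present in the URL in addition to the session credentials` would also make the intent clearer than the trailing remark.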