More code clean up and input validation.
This commit is contained in:
parent
2c466a39e5
commit
779540b42a
|
@ -516,7 +516,7 @@ module.exports.pluginHandler = function (parent) {
|
|||
};
|
||||
|
||||
obj.handleAdminReq = function (req, res, user, serv) {
|
||||
if (obj.common.isAlphaNumeric(req.query.pin) !== true) { res.sendStatus(401); return; }
|
||||
if ((req.query.pin == null) || (obj.common.isAlphaNumeric(req.query.pin) !== true)) { res.sendStatus(401); return; }
|
||||
var path = obj.path.join(obj.pluginPath, req.query.pin, 'views');
|
||||
if (obj.common.IsFilenameValid(path) !== true) { res.sendStatus(401); return; }
|
||||
serv.app.set('views', path);
|
||||
|
@ -528,7 +528,7 @@ module.exports.pluginHandler = function (parent) {
|
|||
}
|
||||
|
||||
obj.handleAdminPostReq = function (req, res, user, serv) {
|
||||
if (obj.common.isAlphaNumeric(req.query.pin) !== true) { res.sendStatus(401); return; }
|
||||
if ((req.query.pin == null) || (obj.common.isAlphaNumeric(req.query.pin) !== true)) { res.sendStatus(401); return; }
|
||||
var path = obj.path.join(obj.pluginPath, req.query.pin, 'views');
|
||||
if (obj.common.IsFilenameValid(path) !== true) { res.sendStatus(401); return; }
|
||||
serv.app.set('views', path);
|
||||
|
|
|
@ -327,7 +327,7 @@
|
|||
|
||||
// Display the right server message
|
||||
var messageid = parseInt('{{{messageid}}}');
|
||||
var okmessages = ['', "Hold on, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
|
||||
var okmessages = ['', "If valid, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
|
||||
var failmessages = ["Unable to create account.", "Account limit reached.", "Existing account with this email address.", "Invalid account creation token.", "Username already exists.", "Password rejected, use a different one.", "Invalid email.", "Account not found.", "Invalid token, try again.", "Unable to sent email.", "Account locked.", "Access denied.", "Login failed, check username and password.", "Password change requested.", "IP address blocked, try again later."];
|
||||
if (messageid > 0) {
|
||||
var msg = '';
|
||||
|
|
|
@ -320,7 +320,7 @@
|
|||
// Display the right server message
|
||||
var i;
|
||||
var messageid = parseInt('{{{messageid}}}');
|
||||
var okmessages = ['', "Hold on, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
|
||||
var okmessages = ['', "If valid, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
|
||||
var failmessages = ["Unable to create account.", "Account limit reached.", "Existing account with this email address.", "Invalid account creation token.", "Username already exists.", "Password rejected, use a different one.", "Invalid email.", "Account not found.", "Invalid token, try again.", "Unable to sent email.", "Account locked.", "Access denied.", "Login failed, check username and password.", "Password change requested.", "IP address blocked, try again later."];
|
||||
if (messageid > 0) {
|
||||
var msg = '';
|
||||
|
|
10
webserver.js
10
webserver.js
|
@ -1357,7 +1357,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||
if ((err != null) || (docs.length == 0)) {
|
||||
parent.debug('web', 'handleResetAccountRequest: Account not found');
|
||||
req.session.loginmode = '3';
|
||||
req.session.messageid = 107; // Account not found.
|
||||
req.session.messageid = 1; // If valid, reset mail sent. Instead of "Account not found" (107), we send this hold on message so users can't know if this account exists or not.
|
||||
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
|
||||
} else {
|
||||
// If many accounts have the same validated e-mail, we are going to use the first one for display, but sent a reset email for all accounts.
|
||||
|
@ -1388,7 +1388,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||
if (i == 0) {
|
||||
parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
|
||||
req.session.loginmode = '1';
|
||||
req.session.messageid = 1; // Hold on, reset mail sent.
|
||||
req.session.messageid = 1; // If valid, reset mail sent.
|
||||
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
|
||||
}
|
||||
} else {
|
||||
|
@ -1408,7 +1408,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||
if (i == 0) {
|
||||
parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
|
||||
req.session.loginmode = '1';
|
||||
req.session.messageid = 1; // Hold on, reset mail sent.
|
||||
req.session.messageid = 1; // If valid, reset mail sent.
|
||||
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
|
||||
}
|
||||
} else {
|
||||
|
@ -2828,7 +2828,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||
if (domain == null) return;
|
||||
|
||||
// Check the query
|
||||
if ((req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true)) { res.sendStatus(401); return; }
|
||||
if ((domain.sessionrecording == null) || (req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true)) { res.sendStatus(401); return; }
|
||||
|
||||
// Get the recording path
|
||||
var recordingsPath = null;
|
||||
|
@ -2923,7 +2923,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||
} catch (ex) {
|
||||
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename=\"file.bin\"' });
|
||||
}
|
||||
try { res.sendFile(file.fullpath); } catch (e) { res.sendStatus(404); }
|
||||
obj.fs.exists(file.fullpath, function (exists) { if (exists == true) { res.sendFile(file.fullpath); } else { res.sendStatus(404); } });
|
||||
}
|
||||
|
||||
// Upload a MeshCore.js file to the server
|
||||
|
|
Loading…
Reference in New Issue