From 779540b42a01d595b18d4e0888bba0dd56c341b9 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Mon, 6 Jul 2020 15:04:22 -0700
Subject: [PATCH] More code clean up and input validation.
---
 pluginHandler.js | 4 ++--
 views/login-mobile.handlebars | 2 +-
 views/login.handlebars | 2 +-
 webserver.js | 10 +++++-----
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/pluginHandler.js b/pluginHandler.js
index 89245d15..19f20172 100644
--- a/pluginHandler.js
+++ b/pluginHandler.js
@@ -516,7 +516,7 @@ module.exports.pluginHandler = function (parent) {
 };
 obj.handleAdminReq = function (req, res, user, serv) {
- if (obj.common.isAlphaNumeric(req.query.pin) !== true) { res.sendStatus(401); return; }
+ if ((req.query.pin == null) || (obj.common.isAlphaNumeric(req.query.pin) !== true)) { res.sendStatus(401); return; }
 var path = obj.path.join(obj.pluginPath, req.query.pin, 'views');
 if (obj.common.IsFilenameValid(path) !== true) { res.sendStatus(401); return; }
 serv.app.set('views', path);
@@ -528,7 +528,7 @@ module.exports.pluginHandler = function (parent) {
 }
 obj.handleAdminPostReq = function (req, res, user, serv) {
- if (obj.common.isAlphaNumeric(req.query.pin) !== true) { res.sendStatus(401); return; }
+ if ((req.query.pin == null) || (obj.common.isAlphaNumeric(req.query.pin) !== true)) { res.sendStatus(401); return; }
 var path = obj.path.join(obj.pluginPath, req.query.pin, 'views');
 if (obj.common.IsFilenameValid(path) !== true) { res.sendStatus(401); return; }
 serv.app.set('views', path);
diff --git a/views/login-mobile.handlebars b/views/login-mobile.handlebars
index eb17394f..7aad7e5f 100644
--- a/views/login-mobile.handlebars
+++ b/views/login-mobile.handlebars
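Review bot: The added null check on the two `req.query.pin` guards (the handleAdminReq hunk at line 516 and the handleAdminPostReq hunk at line 528) still lets a non-string value through: with Express's default query parser a repeated or bracketed parameter arrives as an array or object, and whether `obj.common.isAlphaNumeric` rejects those is not visible here. A type check is the tighter guard, e.g. `if ((typeof req.query.pin != 'string') || (obj.common.isAlphaNumeric(req.query.pin) !== true)) { res.sendStatus(401); return; }`. The same consideration applies to `req.query.file` in the webserver.js hunk at line 2828, which reaches `IsFilenameValid` after only a null check. Both handler bodies continue past their hunks.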
@@ -327,7 +327,7 @@
 // Display the right server message
 var messageid = parseInt('{{{messageid}}}');
- var okmessages = ['', "Hold on, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
+ var okmessages = ['', "If valid, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
 var failmessages = ["Unable to create account.", "Account limit reached.", "Existing account with this email address.", "Invalid account creation token.", "Username already exists.", "Password rejected, use a different one.", "Invalid email.", "Account not found.", "Invalid token, try again.", "Unable to sent email.", "Account locked.", "Access denied.", "Login failed, check username and password.", "Password change requested.", "IP address blocked, try again later."];
 if (messageid > 0) {
 var msg = '';
diff --git a/views/login.handlebars b/views/login.handlebars
index 8d66a0f4..16ca7e3d 100644
--- a/views/login.handlebars
+++ b/views/login.handlebars
@@ -320,7 +320,7 @@
 // Display the right server message
 var i;
 var messageid = parseInt('{{{messageid}}}');
- var okmessages = ['', "Hold on, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
+ var okmessages = ['', "If valid, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
 var failmessages = ["Unable to create account.", "Account limit reached.", "Existing account with this email address.", "Invalid account creation token.", "Username already exists.", "Password rejected, use a different one.", "Invalid email.", "Account not found.", "Invalid token, try again.", "Unable to sent email.", "Account locked.", "Access denied.", "Login failed, check username and password.", "Password change requested.", "IP address blocked, try again later."];
 if (messageid > 0) {
 var msg = '';
diff --git a/webserver.js b/webserver.js
index 17184596..c4cb7ac7 100644
--- a/webserver.js
+++ b/webserver.js
@@ -1357,7 +1357,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if ((err != null) || (docs.length == 0)) {
 parent.debug('web', 'handleResetAccountRequest: Account not found');
 req.session.loginmode = '3';
- req.session.messageid = 107; // Account not found.
+ req.session.messageid = 1; // If valid, reset mail sent. Instead of "Account not found" (107), we send this hold on message so users can't know if this account exists or not.
 if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
 } else {
 // If many accounts have the same validated e-mail, we are going to use the first one for display, but sent a reset email for all accounts.
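Review bot: The not-found branch in the hunk at line 1357 still sets `req.session.loginmode = '3'` while the reset-sent branches in the hunks at lines 1388 and 1408 set `'1'`, so the two outcomes now share a message id but not a login mode; if loginmode selects which form the page renders, the response still distinguishes an existing account from a missing one. Setting `req.session.loginmode = '1';` here as well would make both outcomes render the same, which is what the new comment intends. The not-found branch also responds immediately whereas the found branch appears to respond only after the mail has been sent, so a timing difference presumably remains; the enclosing callback starts outside the hunk.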
@@ -1388,7 +1388,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if (i == 0) {
 parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
 req.session.loginmode = '1';
- req.session.messageid = 1; // Hold on, reset mail sent.
+ req.session.messageid = 1; // If valid, reset mail sent.
 if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
 }
 } else {
@@ -1408,7 +1408,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if (i == 0) {
 parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
 req.session.loginmode = '1';
- req.session.messageid = 1; // Hold on, reset mail sent.
+ req.session.messageid = 1; // If valid, reset mail sent.
 if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
 }
 } else {
@@ -2828,7 +2828,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if (domain == null) return;
 // Check the query
- if ((req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true)) { res.sendStatus(401); return; }
+ if ((domain.sessionrecording == null) || (req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true)) { res.sendStatus(401); return; }
 // Get the recording path
 var recordingsPath = null;
@@ -2923,7 +2923,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 } catch (ex) {
 res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename=\"file.bin\"' });
 }
- try { res.sendFile(file.fullpath); } catch (e) { res.sendStatus(404); }
+ obj.fs.exists(file.fullpath, function (exists) { if (exists == true) { res.sendFile(file.fullpath); } else { res.sendStatus(404); } });
 }
 // Upload a MeshCore.js file to the server
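Review bot: The new `obj.fs.exists` call checks the file and then sends it as two separate steps, so a file that disappears in between still reaches `res.sendFile` with no error handling, and `fs.exists` is deprecated in Node.js in favor of error-first APIs. Express's sendFile already reports failures through its callback; `res.sendFile(file.fullpath, function (err) { if ((err != null) && (res.headersSent !== true)) { res.sendStatus(404); } });` keeps the 404 path without the extra check and guards against replying after headers have gone out. The `exists == true` comparison would also read better as `exists === true`, matching the `direct === true` style used in the other hunks of this file. The enclosing handler starts outside the hunk.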