diff --git a/common.js b/common.js
index b1d5d6a6..0d4f0db0 100644
--- a/common.js
+++ b/common.js
@@ -157,10 +157,12 @@ module.exports.unEscapeAllLinksFieldName = function (docs) { for (var i in docs)
module.exports.validateString = function (str, minlen, maxlen) { return ((str != null) && (typeof str == 'string') && ((minlen == null) || (str.length >= minlen)) && ((maxlen == null) || (str.length <= maxlen))); };
module.exports.validateInt = function (int, minval, maxval) { return ((int != null) && (typeof int == 'number') && ((minval == null) || (int >= minval)) && ((maxval == null) || (int <= maxval))); };
module.exports.validateArray = function (array, minlen, maxlen) { return ((array != null) && Array.isArray(array) && ((minlen == null) || (array.length >= minlen)) && ((maxlen == null) || (array.length <= maxlen))); };
-module.exports.validateStrArray = function (array, minlen, maxlen) { if (((array != null) && Array.isArray(array)) == false) return false; for (var i in array) { if ((typeof array[i] != 'string') && ((minlen == null) || (array[i].length >= minlen)) && ((maxlen == null) || (array[i].length <= maxlen))) return false; } return true; };
+module.exports.validateStrArray = function (array, minlen, maxlen) { if (((array != null) && Array.isArray(array)) == false) return false; for (var i in array) { if ( (typeof array[i] != 'string') || ((minlen != null) && (array[i].length < minlen)) || ((maxlen != null) && (array[i].length > maxlen))) return false; } return true; };
module.exports.validateObject = function (obj) { return ((obj != null) && (typeof obj == 'object')); };
module.exports.validateEmail = function (email, minlen, maxlen) { if (module.exports.validateString(email, minlen, maxlen) == false) return false; var emailReg = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/; return emailReg.test(email); };
module.exports.validateUsername = function (username, minlen, maxlen) { return (module.exports.validateString(username, minlen, maxlen) && (username.indexOf(' ') == -1) && (username.indexOf('"') == -1) && (username.indexOf(',') == -1)); };
+module.exports.isAlphaNumeric = function (str) { return (str.match(/^[A-Za-z0-9]+$/) != null); };
+module.exports.validateAlphaNumericArray = function (array, minlen, maxlen) { if (((array != null) && Array.isArray(array)) == false) return false; for (var i in array) { if ((typeof array[i] != 'string') || (module.exports.isAlphaNumeric(array[i]) == false) || ((minlen != null) && (array[i].length < minlen)) || ((maxlen != null) && (array[i].length > maxlen)) ) return false; } return true; };
// Check password requirements
module.exports.checkPasswordRequirements = function(password, requirements) {
diff --git a/meshcentral.js b/meshcentral.js
index 88233d4e..323d83a2 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -1044,6 +1044,7 @@ function CreateMeshCentralServer(config, args) {
if (obj.config.domains[i].dns == null) { obj.config.domains[i].url = (i == '') ? '/' : ('/' + i + '/'); } else { obj.config.domains[i].url = '/'; }
obj.config.domains[i].id = i;
if (typeof obj.config.domains[i].loginkey == 'string') { obj.config.domains[i].loginkey = [obj.config.domains[i].loginkey]; }
+ if ((obj.config.domains[i].loginkey != null) && (obj.common.validateAlphaNumericArray(obj.config.domains[i].loginkey, 1, 128) == false)) { console.log("ERROR: Invalid login key, must be alpha-numeric string with no spaces."); process.exit(); return; }
if (typeof obj.config.domains[i].userallowedip == 'string') { if (obj.config.domains[i].userallowedip == '') { obj.config.domains[i].userallowedip = null; } else { obj.config.domains[i].userallowedip = obj.config.domains[i].userallowedip.split(','); } }
if (typeof obj.config.domains[i].userblockedip == 'string') { if (obj.config.domains[i].userblockedip == '') { obj.config.domains[i].userblockedip = null; } else { obj.config.domains[i].userblockedip = obj.config.domains[i].userblockedip.split(','); } }
if (typeof obj.config.domains[i].agentallowedip == 'string') { if (obj.config.domains[i].agentallowedip == '') { obj.config.domains[i].agentallowedip = null; } else { obj.config.domains[i].agentallowedip = obj.config.domains[i].agentallowedip.split(','); } }
diff --git a/public/scripts/common-0.0.1.js b/public/scripts/common-0.0.1.js
index b9910de3..7a1e1ea1 100644
--- a/public/scripts/common-0.0.1.js
+++ b/public/scripts/common-0.0.1.js
@@ -107,4 +107,7 @@ function random(max) { return Math.floor(Math.random() * max); }
function trademarks(x) { return x.replace(/\(R\)/g, '®').replace(/\(TM\)/g, '™'); }
// Pad a number with zeros on the left
-function zeroPad(num, c) { if (c == null) { c = 2; } var s = "00000000" + num; return s.substr(s.length - c); }
\ No newline at end of file
+function zeroPad(num, c) { if (c == null) { c = 2; } var s = "00000000" + num; return s.substr(s.length - c); }
+
+// String validation
+function isAlphaNumeric(str) { return (str.match(/^[A-Za-z0-9]+$/) != null); };
\ No newline at end of file
diff --git a/views/default-mobile.handlebars b/views/default-mobile.handlebars
index d49a619b..19ee0347 100644
--- a/views/default-mobile.handlebars
+++ b/views/default-mobile.handlebars
@@ -735,7 +735,10 @@
for (var i in webState) { localStorage.setItem(i, webState[i]); }
if (!webState.loctag) { delete localStorage.removeItem('loctag'); }
- var args = parseUriArgs(), urlargs = args;
+ var urlargs = parseUriArgs();
+ if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
+ if (urlargs.locale && (isAlphaNumeric(urlargs.locale) == false)) { delete urlargs.locale; }
+ var args = urlargs;
var debugLevel = parseInt('{{{debuglevel}}}');
var features = parseInt('{{{features}}}');
var sessionTime = parseInt('{{{sessiontime}}}');
diff --git a/views/default.handlebars b/views/default.handlebars
index 6f04cd82..5d462c56 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -1273,8 +1273,10 @@
if (top != self && (loc == null || top.active == false)) { top.location = self.location; return; }
}
- // Fetch URL arguments
+ // Fetch URL arguments & do sanitation
urlargs = parseUriArgs();
+ if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
+ if (urlargs.locale && (isAlphaNumeric(urlargs.locale) == false)) { delete urlargs.locale; }
delete urlargs.viewmode;
delete urlargs.gotonode;
delete urlargs.gotomesh;
@@ -1282,12 +1284,13 @@
delete urlargs.gotougrp;
// Fix links if a loginKey is used
- if (urlargs.key) {
- Q('termsLinkFooter').href += '?key=' + urlargs.key;
- }
+ if (urlargs.key) { Q('termsLinkFooter').href += '?key=' + urlargs.key; }
// Check if we are in debug mode
args = parseUriArgs();
+ if (args.key && (isAlphaNumeric(args.key) == false)) { delete args.key; }
+ if (args.locale && (isAlphaNumeric(args.locale) == false)) { delete args.locale; }
+
if (!args.locale) { var x = getstore('loctag', 0); if ((x != null) && (x != '*')) { args.locale = x; } }
debugmode = args.debug;
diff --git a/views/messenger.handlebars b/views/messenger.handlebars
index 33171c4f..362dfe56 100644
--- a/views/messenger.handlebars
+++ b/views/messenger.handlebars
@@ -42,9 +42,11 @@