Security fixes.

meshuser.js

@@ -2815,6 +2815,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                 if (command.meshid.split('/').length == 1) { command.meshid = 'mesh/' + domain.id + '/' + command.meshid; }
                 var smesh = command.meshid.split('/');
                 if ((smesh.length != 3) || (smesh[0] != 'mesh') || (smesh[1] != domain.id)) { err = 'Invalid group id'; }
+                var serverName = parent.getWebServerName(domain);
+                if (parent.args.lanonly == true) { err = 'Server has not fixed IP or DNS name.'; }
 
                 // Handle any errors
                 if (err != null) {
@@ -2831,7 +2833,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                 var httpsPort = ((args.aliasport == null) ? args.port : args.aliasport); // Use HTTPS alias port is specified
                 var xdomain = (domain.dns == null) ? domain.id : '';
                 if (xdomain != '') xdomain += "/";
-                var url = "http" + (args.notls ? '' : 's') + "://" + parent.getWebServerName(domain) + ":" + httpsPort + "/" + xdomain + "agentinvite?c=" + inviteCookie;
+                var url = "http" + (args.notls ? '' : 's') + "://" + serverName + ":" + httpsPort + "/" + xdomain + "agentinvite?c=" + inviteCookie;
 
                 ws.send(JSON.stringify({ action: 'createInviteLink', meshid: command.meshid, url: url, expire: command.expire, cookie: inviteCookie, responseid: command.responseid, tag: command.tag }));
                 break;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "meshcentral",
-  "version": "0.4.1-f",
+  "version": "0.4.1-g",
   "keywords": [
     "Remote Management",
     "Intel AMT",

views/default.handlebars

@@ -2848,7 +2848,7 @@
             }
             if (mesh.mtype == 2) {
                 r += ' <a href=# style=cursor:pointer;font-size:10px title="Add a new computer to this mesh by installing the mesh agent." onclick=\'return addAgentToMesh(\"' + mesh._id + '\")\'>Add Agent</a>';
-                r += ' <a href=# style=cursor:pointer;font-size:10px title="Invite someone to install the mesh agent on this mesh." onclick=\'return inviteAgentToMesh(\"' + mesh._id + '\")\'>Invite</a>';
+                if ((features & 2) == 0) { r += ' <a href=# style=cursor:pointer;font-size:10px title="Invite someone to install the mesh agent on this mesh." onclick=\'return inviteAgentToMesh(\"' + mesh._id + '\")\'>Invite</a>'; }
             }
             return r;
         }
@@ -7168,10 +7168,13 @@
 
         function p20validateAddMeshUserDialog() {
             var meshrights = currentMesh.links[userinfo._id].rights;
-            var ok = true, xusers = null;
+            var ok = true;
             if (Q('dp20username')) {
-                Q('dp20username').value.split(',');
+                var xusers = Q('dp20username').value.split(',');
-                for (var i in xusers) { var xuser = xusers[i] = xusers[i].trim(); if (xuser.length == 0) { ok = false; } else if (xuser.indexOf('"') >= 0) { ok = false; } }
+                for (var i in xusers) {
+                    var xuser = xusers[i] = xusers[i].trim();
+                    if (xuser.length == 0) { ok = false; } else if (xuser.indexOf('"') >= 0) { ok = false; }
+                }
 
                 // Fill the suggestion box
                 var showsuggestbox = false, exactMatch = false;

webserver.js

@@ -3180,7 +3180,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                     "Referrer-Policy": "no-referrer",
                     "X-XSS-Protection": "1; mode=block",
                     "X-Content-Type-Options": "nosniff",
-                    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+                    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self' ws" + ((args.notls !== true)?'s':'') + "://" + req.headers.host + "; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
                 });
             }