
Change validation regexes to be more strict

master
Anonymous Contributor 2023-08-23 18:16:36 +02:00
parent 879b1d8e3f
commit 2670cf604e
8 changed files with 18 additions and 18 deletions


@ -23,7 +23,7 @@ include_once("app/utils.php");
include_once("app/HTML.php");
function isValidEndpoint(string $pageName, string $dirPrefix) {
return preg_match("/[a-zA-Z0-9\.]{1,100}/", $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
return preg_match('/^[a-zA-Z0-9\.]{1,100}$/', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
}
//TODO: add API keys and/or rate limiting
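Review bot: The `$` anchor added to the isValidEndpoint pattern still matches before one trailing newline, so a value such as `"index\n"` passes the regex; appending the `D` modifier (or ending the pattern with `\z`) closes that gap: `return preg_match('/^[a-zA-Z0-9\.]{1,100}$/D', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");`. Here the effect is limited to a failing file_exists(), but the same `$`-only anchoring is used in every FormValidator regex and preg_match in this commit (the uuid, group, newuuid/newName, username/password, savePassword, invite-code/registration and userid sections), where the accepted value is used directly, so the modifier belongs on all of them. The function could also declare `: bool` as its return type, since preg_match() returns int|false and the `&&` already coerces the result.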


@ -4,7 +4,7 @@
if(isset($_POST['remove'])) {
include 'app/FormValidator.php';
$validator = new FormValidator(array(
'uuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
'uuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
));
if($validator->isValid($_POST)) {


@ -4,7 +4,7 @@
if(isset($_POST['leave'])) {
include 'app/FormValidator.php';
$validator = new FormValidator(array(
'group' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
'group' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
));
if($validator->isValid($_POST)) {


@ -6,7 +6,7 @@
include 'app/FormValidator.php';
if(isset($_POST['enableIdent'])) {
$validator = new FormValidator(array(
'newuuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
'newuuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
));
if($validator->isValid($_POST)) {
@ -57,7 +57,7 @@
}
else if(isset($_POST['createIdent'])) {
$validator = new FormValidator(array(
'newName' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/')
'newName' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/')
));
if($validator->isValid($_POST)) {


@ -7,8 +7,8 @@
{
include_once 'app/FormValidator.php';
$validator = new FormValidator(array(
'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/'),
'password' => array('required' => true, 'regex' => '/.{1,1000}/')
'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/'),
'password' => array('required' => true, 'regex' => '/^.{1,1000}$/')
));
if(!$validator->isValid($_POST)) {
@ -70,7 +70,7 @@
}
}
if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
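Review bot: The quantifier in the page check `preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page'])` is malformed: PCRE treats `{1-100}` as literal text rather than a range, so with the new anchors the condition only matches a string such as `a{1-100}` and the `%%PAGENAME%%` replacement never runs for a real page name (the old line carried the same typo, so this is not a regression, but the commit's anchoring makes it impossible to hit by accident). It should read `{1,100}` as the isValidEndpoint pattern in this commit does, e.g. `preg_match('/^[0-9a-zA-Z]{1,100}$/D', $_REQUEST['page'])`. Note that the `if` has no braces, so only the ReplaceLayoutInhalt call on the next line is conditional; the enclosing block starts outside the hunk.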


@ -124,16 +124,16 @@
}
else if(isset($_POST['savePassword'])) {
$validator = new FormValidator(array(
'oldPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
'newPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
'newPasswordRepeat' => array('required' => true, 'regex' => '/.{1,1000}/')
'oldPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
'newPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
'newPasswordRepeat' => array('required' => true, 'regex' => '/^.{1,1000}$/')
));
if($validator->isValid($_POST)) {
if($_POST['newPasswordRepeat'] == $_POST['newPassword']) {
if(strlen(trim($_POST['newPassword'])) >= $RUNTIME['PASSWORD_MIN_LENGTH']) {
if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) {
$hash = password_hash($NewPassword, PASSWORD_ARGON2ID);
$hash = password_hash($_POST['newPassword'], PASSWORD_ARGON2ID);
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
$statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
$_SESSION['PASSWORD'] = $hash;
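Review bot: The repeat check `if($_POST['newPasswordRepeat'] == $_POST['newPassword'])` uses loose comparison; in PHP two numeric strings compared with `==` are compared as numbers, so `'1e3'` and `'1000'` count as equal. Use `if($_POST['newPasswordRepeat'] === $_POST['newPassword'])` so the two submitted values must be byte-identical. Also, the minimum-length check runs on `trim($_POST['newPassword'])` while password_hash() receives the untrimmed value; a one-line comment stating that surrounding whitespace is part of the stored password, or trimming consistently, would make the intent explicit. The savePassword branch's closing braces lie outside the hunk.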


@ -18,7 +18,7 @@
if(!isset($_REQUEST['code']))
die("MISSING INVITE CODE!");
if(strlen($_REQUEST['code']) != 32 || !preg_match('/[a-f0-9]+/', $_REQUEST['code'])) {
if(strlen($_REQUEST['code']) != 32 || !preg_match('/^[a-f0-9]+$/', $_REQUEST['code'])) {
die("INVALID INVITE CODE!");
}
@ -37,9 +37,9 @@
$validator = new FormValidator(array(
'tos' => array('required' => true, 'equals' => 'on'),
'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?/'),
'password' => array('required' => true, 'regex' => '/.{1,1000}/'),
'email' => array('required' => true, 'regex' => '/\S{1,64}@\S{1,250}.\S{2,64}/'),
'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/'),
'password' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}.\S{2,64}$/'),
'avatar' => array('required' => true)
));
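Review bot: In the registration email pattern `'/^\S{1,64}@\S{1,250}.\S{2,64}$/'` the dot before the last label is unescaped, so it matches any non-newline character rather than a literal `.`, and because `\S` also matches `@` and `.` the pattern accepts inputs such as `a@b@c`. If a literal dot was intended, escape it: `'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}\.\S{2,64}$/D'),`. Where the address is later used for delivery, a follow-up `filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)` check after the validator would be a tighter gate than a hand-written regex.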


@ -18,7 +18,7 @@
include 'app/FormValidator.php';
if(isset($_POST['genpw'])) {
$validator = new FormValidator(array(
'userid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
'userid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
));
if($validator->isValid($_POST)) {