From 2670cf604ea1409d6dd802e86d20e3f9508d339a Mon Sep 17 00:00:00 2001
From: Anonymous Contributor
Date: Wed, 23 Aug 2023 18:16:36 +0200
Subject: [PATCH] Change validation regexes to be more strict

---
 index.php | 2 +-
 pages/friends.php | 2 +-
 pages/groups.php | 2 +-
 pages/identities.php | 4 ++--
 pages/login.php | 6 +++---
 pages/profile.php | 10 +++++-----
 pages/register.php | 8 ++++----
 pages/users.php | 2 +-
 8 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/index.php b/index.php
index ff0fdfe..4c2fbda 100644
--- a/index.php
+++ b/index.php
@@ -23,7 +23,7 @@
 include_once("app/utils.php");
 include_once("app/HTML.php");
 function isValidEndpoint(string $pageName, string $dirPrefix) {
- return preg_match("/[a-zA-Z0-9\.]{1,100}/", $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
+ return preg_match('/^[a-zA-Z0-9\.]{1,100}$/', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
 }
 //TODO: add API keys and/or rate limiting
diff --git a/pages/friends.php b/pages/friends.php
index 1db1ed7..da98e0b 100644
--- a/pages/friends.php
+++ b/pages/friends.php
@@ -4,7 +4,7 @@
 if(isset($_POST['remove'])) {
 include 'app/FormValidator.php';
 $validator = new FormValidator(array(
- 'uuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
+ 'uuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
 ));
 if($validator->isValid($_POST)) {
diff --git a/pages/groups.php b/pages/groups.php
index 1be9789..23a6518 100644
--- a/pages/groups.php
+++ b/pages/groups.php
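Review bot: The `$` anchor added to isValidEndpoint's pattern still matches before a trailing newline in PCRE, so a page name ending in "\n" passes the regex; file_exists happens to reject it here, but the same `$` is used in every pattern of this commit (friends, groups, identities, login, profile, register, users), where the accepted value goes straight into a query or into password_hash. Use `\z` (or the `D` modifier) in all of them, e.g. `return preg_match('/^[a-zA-Z0-9\.]{1,100}\z/', $pageName) === 1 && file_exists("./".$dirPrefix."/".$pageName.".php");`. Comparing against `=== 1` also keeps a PCRE error (`false`) from being treated like a match, and the function could declare `: bool` since both operands are boolean.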
@@ -4,7 +4,7 @@
 if(isset($_POST['leave'])) {
 include 'app/FormValidator.php';
 $validator = new FormValidator(array(
- 'group' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
+ 'group' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
 ));
 if($validator->isValid($_POST)) {
diff --git a/pages/identities.php b/pages/identities.php
index 8df562e..979c592 100644
--- a/pages/identities.php
+++ b/pages/identities.php
@@ -6,7 +6,7 @@
 include 'app/FormValidator.php';
 if(isset($_POST['enableIdent'])) {
 $validator = new FormValidator(array(
- 'newuuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
+ 'newuuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
 ));
 if($validator->isValid($_POST)) {
@@ -57,7 +57,7 @@
 } else if(isset($_POST['createIdent'])) {
 $validator = new FormValidator(array(
- 'newName' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/')
+ 'newName' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/')
 ));
 if($validator->isValid($_POST)) {
diff --git a/pages/login.php b/pages/login.php
index 704515c..8ec6011 100644
--- a/pages/login.php
+++ b/pages/login.php
@@ -7,8 +7,8 @@
 {
 include_once 'app/FormValidator.php';
 $validator = new FormValidator(array(
- 'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/'),
- 'password' => array('required' => true, 'regex' => '/.{1,1000}/')
+ 'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/'),
+ 'password' => array('required' => true, 'regex' => '/^.{1,1000}$/')
 ));
 if(!$validator->isValid($_POST)) {
@@ -70,7 +70,7 @@
 }
 }
- if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
+ if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
 $HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
 $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
diff --git a/pages/profile.php b/pages/profile.php
index 3c81ab7..5c2e149 100644
--- a/pages/profile.php
+++ b/pages/profile.php
@@ -124,16 +124,16 @@
 } else if(isset($_POST['savePassword'])) {
 $validator = new FormValidator(array(
- 'oldPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
- 'newPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
- 'newPasswordRepeat' => array('required' => true, 'regex' => '/.{1,1000}/')
+ 'oldPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
+ 'newPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
+ 'newPasswordRepeat' => array('required' => true, 'regex' => '/^.{1,1000}$/')
 ));
-
+
 if($validator->isValid($_POST)) {
 if($_POST['newPasswordRepeat'] == $_POST['newPassword']) {
 if(strlen(trim($_POST['newPassword'])) >= $RUNTIME['PASSWORD_MIN_LENGTH']) {
 if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) {
- $hash = password_hash($NewPassword, PASSWORD_ARGON2ID);
+ $hash = password_hash($_POST['newPassword'], PASSWORD_ARGON2ID);
 $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
 $statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
 $_SESSION['PASSWORD'] = $hash;
diff --git a/pages/register.php b/pages/register.php
index 4d4a019..2d377b4 100644
--- a/pages/register.php
+++ b/pages/register.php
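Review bot: `{1-100}` is not a valid PCRE quantifier, so PCRE treats it as literal text; with the new `^`/`$` anchors the pattern now only matches a single alphanumeric character followed by the literal string "{1-100}", and the PAGENAME replacement is never applied for a real page name. The quantifier was meant to be `{1,100}`, as in the index.php hunk: `if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1,100}\z/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))`. Since index.php already defines isValidEndpoint for exactly this check, calling it here would keep the two validations from drifting apart again. The enclosing block of this `if` starts and ends outside the hunk.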
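Review bot: The repeat check `$_POST['newPasswordRepeat'] == $_POST['newPassword']` uses loose comparison, and in PHP two numeric strings such as "1e3" and "1000" compare equal under `==`, so a mistyped confirmation can still be accepted; write it as `if($_POST['newPasswordRepeat'] === $_POST['newPassword']) {`. The minimum-length check on the next line measures `trim($_POST['newPassword'])` while the fixed `password_hash` call hashes the untrimmed value, so a password padded with spaces can be shorter than PASSWORD_MIN_LENGTH once trimmed yet be stored as-is; hash and measure the same string. The nested `if` chain closes outside the hunk.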
@@ -18,7 +18,7 @@
 if(!isset($_REQUEST['code'])) die("MISSING INVITE CODE!");
- if(strlen($_REQUEST['code']) != 32 || !preg_match('/[a-f0-9]+/', $_REQUEST['code'])) {
+ if(strlen($_REQUEST['code']) != 32 || !preg_match('/^[a-f0-9]+$/', $_REQUEST['code'])) {
 die("INVALID INVITE CODE!");
 }
@@ -37,9 +37,9 @@
 $validator = new FormValidator(array(
 'tos' => array('required' => true, 'equals' => 'on'),
- 'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?/'),
- 'password' => array('required' => true, 'regex' => '/.{1,1000}/'),
- 'email' => array('required' => true, 'regex' => '/\S{1,64}@\S{1,250}.\S{2,64}/'),
+ 'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/'),
+ 'password' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
+ 'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}.\S{2,64}$/'),
 'avatar' => array('required' => true)
 ));
diff --git a/pages/users.php b/pages/users.php
index 1c26e7d..2ae7366 100644
--- a/pages/users.php
+++ b/pages/users.php
@@ -18,7 +18,7 @@
 include 'app/FormValidator.php';
 if(isset($_POST['genpw'])) {
 $validator = new FormValidator(array(
- 'userid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
+ 'userid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
 ));
 if($validator->isValid($_POST)) {
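Review bot: The invite-code check still accepts 31 hex digits followed by "\n": strlen is 32, and `$` matches before a final newline, so `^[a-f0-9]+$` passes as well. Folding the length into the pattern and anchoring with `\z` removes both the loophole and the separate strlen call: `if(!preg_match('/^[a-f0-9]{32}\z/', $_REQUEST['code'])) {`. Note that preg_match returns `false` on a PCRE error, which `!` also treats as invalid, so the shape of the condition is otherwise sound.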
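Review bot: In the email pattern of the second register.php hunk the `.` between `\S{1,250}` and `\S{2,64}` is unescaped, so it matches any character rather than a dot and the "domain.tld" shape the pattern is meant to enforce is not actually required. Escape it (and close with `\z` for the reason given on the index.php hunk): `'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}\.\S{2,64}\z/'),`. If FormValidator ever grows a non-regex rule type, `filter_var($value, FILTER_VALIDATE_EMAIL)` would be the more reliable check for this field.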