Change validation regexes to be more strict
parent
879b1d8e3f
commit
2670cf604e
|
@ -23,7 +23,7 @@ include_once("app/utils.php");
|
||||||
include_once("app/HTML.php");
|
include_once("app/HTML.php");
|
||||||
|
|
||||||
function isValidEndpoint(string $pageName, string $dirPrefix) {
|
function isValidEndpoint(string $pageName, string $dirPrefix) {
|
||||||
return preg_match("/[a-zA-Z0-9\.]{1,100}/", $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
|
return preg_match('/^[a-zA-Z0-9\.]{1,100}$/', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
|
||||||
}
|
}
|
||||||
|
|
||||||
//TODO: add API keys and/or rate limiting
|
//TODO: add API keys and/or rate limiting
|
||||||
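Review bot: The anchored pattern in isValidEndpoint still accepts a page name that ends in a newline, because PCRE's `$` also matches just before a final `\n` unless the `D` modifier is set or `\z` is used instead. Here the appended `.php` makes `file_exists()` reject such a name, so it is not exploitable as written, but the validator should not depend on that; `return preg_match('/^[a-zA-Z0-9.]{1,100}\z/', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");` closes the gap (the dot inside a character class needs no backslash). A one-line comment stating the contract would also help callers: `// Allow-list: 1-100 ASCII alphanumerics/dots, and the matching file must exist under $dirPrefix`. The function is complete within this hunk.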
|
|
|
@ -4,7 +4,7 @@
|
||||||
if(isset($_POST['remove'])) {
|
if(isset($_POST['remove'])) {
|
||||||
include 'app/FormValidator.php';
|
include 'app/FormValidator.php';
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'uuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
|
'uuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
|
||||||
));
|
));
|
||||||
|
|
||||||
if($validator->isValid($_POST)) {
|
if($validator->isValid($_POST)) {
|
||||||
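Review bot: The anchored 'uuid' pattern still lets `$_POST['uuid']` end in a newline, since `$` matches before a trailing `\n` when the `D` (dollar-end-only) modifier is absent; the value then reaches whatever the accepted branch does with it, which is outside this hunk. Use `'/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/D'` (or `\z` in place of `$`) here and in the other UUID checks this commit touches. Whether upper-case UUIDs should also be accepted depends on how the identifiers are stored, which is not visible here; if they are normalised to lower case on write, the lower-case-only class is fine.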
|
|
|
@ -4,7 +4,7 @@
|
||||||
if(isset($_POST['leave'])) {
|
if(isset($_POST['leave'])) {
|
||||||
include 'app/FormValidator.php';
|
include 'app/FormValidator.php';
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'group' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
|
'group' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
|
||||||
));
|
));
|
||||||
|
|
||||||
if($validator->isValid($_POST)) {
|
if($validator->isValid($_POST)) {
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
include 'app/FormValidator.php';
|
include 'app/FormValidator.php';
|
||||||
if(isset($_POST['enableIdent'])) {
|
if(isset($_POST['enableIdent'])) {
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'newuuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
|
'newuuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
|
||||||
));
|
));
|
||||||
|
|
||||||
if($validator->isValid($_POST)) {
|
if($validator->isValid($_POST)) {
|
||||||
|
@ -57,7 +57,7 @@
|
||||||
}
|
}
|
||||||
else if(isset($_POST['createIdent'])) {
|
else if(isset($_POST['createIdent'])) {
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'newName' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/')
|
'newName' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/')
|
||||||
));
|
));
|
||||||
|
|
||||||
if($validator->isValid($_POST)) {
|
if($validator->isValid($_POST)) {
|
||||||
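Review bot: The 'newName' pattern is a denylist of `/`, `<`, `>` and whitespace rather than an allowlist, and because it runs without the `u` modifier each `[^...]` matches a single byte, so the `{1,64}` bound is 64 bytes (not characters) for non-ASCII names and malformed UTF-8 is accepted. Adding the modifier, `'/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/u'`, makes `preg_match()` return `false` on invalid UTF-8 and count characters instead. Excluding `<>` here should not be relied on for HTML safety; the name still has to go through `htmlspecialchars()` wherever it is rendered, which is not visible in this hunk. The `else if` branch continues outside the hunk.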
|
|
|
@ -7,8 +7,8 @@
|
||||||
{
|
{
|
||||||
include_once 'app/FormValidator.php';
|
include_once 'app/FormValidator.php';
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/'),
|
'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/'),
|
||||||
'password' => array('required' => true, 'regex' => '/.{1,1000}/')
|
'password' => array('required' => true, 'regex' => '/^.{1,1000}$/')
|
||||||
));
|
));
|
||||||
|
|
||||||
if(!$validator->isValid($_POST)) {
|
if(!$validator->isValid($_POST)) {
|
||||||
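Review bot: The login 'username' pattern requires exactly two space-separated words, while the registration hunk later in this commit makes the second word optional (`( [^\\/<>\s]{1,64})?`), so an account registered with a single-word name would fail login validation before its credentials are ever checked, assuming the registration form is how these accounts are created. Either reuse the registration pattern here, `'/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/'`, or define the username regex once in a shared constant so the two cannot drift. The 'password' rule `^.{1,1000}$` also rejects any password containing an embedded newline (`.` does not match `\n`) yet admits one trailing newline via `$`; a plain `strlen()` upper bound would state the intent more honestly. The enclosing block starts before this hunk.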
|
@ -70,7 +70,7 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
|
if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
|
||||||
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
|
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
|
||||||
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
|
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
|
||||||
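Review bot: The quantifier in the new `page` check is `{1-100}`, which is not valid PCRE syntax; PCRE then treats the brace as a literal character, so the anchored pattern only matches strings shaped like `a{1-100}` and the condition on this line is false for every real page name, meaning `%%PAGENAME%%` is never replaced. It should read `preg_match('/^[0-9a-zA-Z]{1,100}\z/', $_REQUEST['page'])`; the pre-change pattern had the same typo, so this was already broken, but the anchors now make it fail deterministically. Since `isValidEndpoint()` elsewhere in this commit performs the same regex-plus-`file_exists()` check, calling it here would avoid a second, slightly different copy of the rule. The surrounding script body extends beyond the hunk.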
|
|
|
@ -124,16 +124,16 @@
|
||||||
}
|
}
|
||||||
else if(isset($_POST['savePassword'])) {
|
else if(isset($_POST['savePassword'])) {
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'oldPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
|
'oldPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
|
||||||
'newPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
|
'newPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
|
||||||
'newPasswordRepeat' => array('required' => true, 'regex' => '/.{1,1000}/')
|
'newPasswordRepeat' => array('required' => true, 'regex' => '/^.{1,1000}$/')
|
||||||
));
|
));
|
||||||
|
|
||||||
if($validator->isValid($_POST)) {
|
if($validator->isValid($_POST)) {
|
||||||
if($_POST['newPasswordRepeat'] == $_POST['newPassword']) {
|
if($_POST['newPasswordRepeat'] == $_POST['newPassword']) {
|
||||||
if(strlen(trim($_POST['newPassword'])) >= $RUNTIME['PASSWORD_MIN_LENGTH']) {
|
if(strlen(trim($_POST['newPassword'])) >= $RUNTIME['PASSWORD_MIN_LENGTH']) {
|
||||||
if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) {
|
if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) {
|
||||||
$hash = password_hash($NewPassword, PASSWORD_ARGON2ID);
|
$hash = password_hash($_POST['newPassword'], PASSWORD_ARGON2ID);
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
|
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
|
||||||
$statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
|
$statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
|
||||||
$_SESSION['PASSWORD'] = $hash;
|
$_SESSION['PASSWORD'] = $hash;
|
||||||
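Review bot: The corrected `password_hash($_POST['newPassword'], PASSWORD_ARGON2ID)` line hashes the untrimmed value, while the minimum-length gate two lines above measures `trim($_POST['newPassword'])`; either hash the same value you measured or add a comment saying surrounding whitespace is deliberately part of the password. The repeat comparison `$_POST['newPasswordRepeat'] == $_POST['newPassword']` uses loose equality, and PHP compares two numeric strings numerically, so `'1e3'` and `'1000'` are treated as equal; use `===` (or `hash_equals()`) there. The enclosing handler continues outside the hunk.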
|
|
|
@ -18,7 +18,7 @@
|
||||||
if(!isset($_REQUEST['code']))
|
if(!isset($_REQUEST['code']))
|
||||||
die("MISSING INVITE CODE!");
|
die("MISSING INVITE CODE!");
|
||||||
|
|
||||||
if(strlen($_REQUEST['code']) != 32 || !preg_match('/[a-f0-9]+/', $_REQUEST['code'])) {
|
if(strlen($_REQUEST['code']) != 32 || !preg_match('/^[a-f0-9]+$/', $_REQUEST['code'])) {
|
||||||
die("INVALID INVITE CODE!");
|
die("INVALID INVITE CODE!");
|
||||||
}
|
}
|
||||||
|
|
||||||
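Review bot: The invite-code check still accepts a 31-hex-digit code followed by a newline: `strlen()` counts the `\n` as the 32nd byte and `^[a-f0-9]+$` matches because `$` permits one trailing newline. A single fixed-length pattern expresses the intent and removes the separate `strlen` call: `if(!preg_match('/^[a-f0-9]{32}\z/', $_REQUEST['code'])) {`. Whether a well-formed but unknown code is rejected later is outside this hunk.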
|
@ -37,9 +37,9 @@
|
||||||
|
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'tos' => array('required' => true, 'equals' => 'on'),
|
'tos' => array('required' => true, 'equals' => 'on'),
|
||||||
'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?/'),
|
'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/'),
|
||||||
'password' => array('required' => true, 'regex' => '/.{1,1000}/'),
|
'password' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
|
||||||
'email' => array('required' => true, 'regex' => '/\S{1,64}@\S{1,250}.\S{2,64}/'),
|
'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}.\S{2,64}$/'),
|
||||||
'avatar' => array('required' => true)
|
'avatar' => array('required' => true)
|
||||||
));
|
));
|
||||||
|
|
||||||
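Review bot: In the new 'email' pattern the `.` between `\S{1,250}` and `\S{2,64}` is unescaped, so it matches any non-newline character rather than a literal dot; `a@bcdef` passes, and since `\S` also matches `@` and `.`, the rule is little more than a length bound. Escape it, `'/^\S{1,64}@\S{1,250}\.\S{2,64}$/'`, or better validate with `filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)` and keep the regex only as a length cap. The `$validator` construction starts before this hunk and the use of its result comes after it.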
|
|
|
@ -18,7 +18,7 @@
|
||||||
include 'app/FormValidator.php';
|
include 'app/FormValidator.php';
|
||||||
if(isset($_POST['genpw'])) {
|
if(isset($_POST['genpw'])) {
|
||||||
$validator = new FormValidator(array(
|
$validator = new FormValidator(array(
|
||||||
'userid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
|
'userid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
|
||||||
));
|
));
|
||||||
|
|
||||||
if($validator->isValid($_POST)) {
|
if($validator->isValid($_POST)) {
|
||||||
|
|