
Change validation regexes to be more strict

Anonymous Contributor 2023-08-23 18:16:36 +02:00
parent 879b1d8e3f
commit 2670cf604e
8 changed files with 18 additions and 18 deletions


@ -23,7 +23,7 @@ include_once("app/utils.php");
include_once("app/HTML.php"); include_once("app/HTML.php");
function isValidEndpoint(string $pageName, string $dirPrefix) { function isValidEndpoint(string $pageName, string $dirPrefix) {
return preg_match("/[a-zA-Z0-9\.]{1,100}/", $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php"); return preg_match('/^[a-zA-Z0-9\.]{1,100}$/', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
} }
//TODO: add API keys and/or rate limiting //TODO: add API keys and/or rate limiting
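Review bot: The anchored pattern on the isValidEndpoint line still accepts a page name with a trailing newline, because a bare `$` in PCRE also matches just before a final `\n`; `"index\n"` passes the regex and is only rejected afterwards by file_exists. Since the stated goal of the commit is stricter validation, pin the real end of the string with the `D` modifier: `preg_match('/^[a-zA-Z0-9\.]{1,100}$/D', $pageName)`. The same caveat applies to every `^...$` pattern this commit introduces. Whether the validated name is subsequently passed to include cannot be seen from this hunk.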


@ -4,7 +4,7 @@
if(isset($_POST['remove'])) { if(isset($_POST['remove'])) {
include 'app/FormValidator.php'; include 'app/FormValidator.php';
$validator = new FormValidator(array( $validator = new FormValidator(array(
'uuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/') 'uuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
)); ));
if($validator->isValid($_POST)) { if($validator->isValid($_POST)) {


@ -4,7 +4,7 @@
if(isset($_POST['leave'])) { if(isset($_POST['leave'])) {
include 'app/FormValidator.php'; include 'app/FormValidator.php';
$validator = new FormValidator(array( $validator = new FormValidator(array(
'group' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/') 'group' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
)); ));
if($validator->isValid($_POST)) { if($validator->isValid($_POST)) {


@ -6,7 +6,7 @@
include 'app/FormValidator.php'; include 'app/FormValidator.php';
if(isset($_POST['enableIdent'])) { if(isset($_POST['enableIdent'])) {
$validator = new FormValidator(array( $validator = new FormValidator(array(
'newuuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/') 'newuuid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
)); ));
if($validator->isValid($_POST)) { if($validator->isValid($_POST)) {
@ -57,7 +57,7 @@
} }
else if(isset($_POST['createIdent'])) { else if(isset($_POST['createIdent'])) {
$validator = new FormValidator(array( $validator = new FormValidator(array(
'newName' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/') 'newName' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/')
)); ));
if($validator->isValid($_POST)) { if($validator->isValid($_POST)) {
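Review bot: The newName pattern in the createIdent branch does not actually exclude a backslash, although the doubled `\\` in the source suggests it was meant to: in a single-quoted PHP string `'\\/'` becomes `\/`, which PCRE reads as one escaped slash, so `\` itself is still accepted. If backslashes should be rejected, use a non-slash delimiter so the escaping stays readable, e.g. `'regex' => '~^[^\\\\/<>\s]{1,64} [^\\\\/<>\s]{1,64}$~D'` (which yields `[^\\/<>\s]` at the PCRE level). Also note that banning `<` and `>` is not an output-encoding substitute — `"`, `'` and `&` are still allowed — so wherever this name is rendered it still needs `htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; whether that happens is outside this hunk.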


@ -7,8 +7,8 @@
{ {
include_once 'app/FormValidator.php'; include_once 'app/FormValidator.php';
$validator = new FormValidator(array( $validator = new FormValidator(array(
'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/'), 'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/'),
'password' => array('required' => true, 'regex' => '/.{1,1000}/') 'password' => array('required' => true, 'regex' => '/^.{1,1000}$/')
)); ));
if(!$validator->isValid($_POST)) { if(!$validator->isValid($_POST)) {
@ -70,7 +70,7 @@
} }
} }
if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php")) if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page'])); $HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", ""); $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
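Review bot: The `page` check in the second hunk uses `{1-100}`, which is not a PCRE quantifier; PCRE treats the brace group as literal text, so `/^[0-9a-zA-Z]{1-100}$/` only matches a single alphanumeric character followed by the literal string `{1-100}`, and the page branch is effectively dead. This was already broken before the commit, but the line was touched and the typo carried over; it should read `preg_match('/^[0-9a-zA-Z]{1,100}$/D', $_REQUEST['page'])`, matching the `{1,100}` form used by isValidEndpoint elsewhere in this commit, with `D` so a trailing newline cannot slip past `$`. Separately, urlencode on the following line is the wrong escaper if `%%PAGENAME%%` lands in an HTML context, although with an alphanumeric-only class it makes no practical difference once the regex works.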


@ -124,16 +124,16 @@
} }
else if(isset($_POST['savePassword'])) { else if(isset($_POST['savePassword'])) {
$validator = new FormValidator(array( $validator = new FormValidator(array(
'oldPassword' => array('required' => true, 'regex' => '/.{1,1000}/'), 'oldPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
'newPassword' => array('required' => true, 'regex' => '/.{1,1000}/'), 'newPassword' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
'newPasswordRepeat' => array('required' => true, 'regex' => '/.{1,1000}/') 'newPasswordRepeat' => array('required' => true, 'regex' => '/^.{1,1000}$/')
)); ));
if($validator->isValid($_POST)) { if($validator->isValid($_POST)) {
if($_POST['newPasswordRepeat'] == $_POST['newPassword']) { if($_POST['newPasswordRepeat'] == $_POST['newPassword']) {
if(strlen(trim($_POST['newPassword'])) >= $RUNTIME['PASSWORD_MIN_LENGTH']) { if(strlen(trim($_POST['newPassword'])) >= $RUNTIME['PASSWORD_MIN_LENGTH']) {
if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) { if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) {
$hash = password_hash($NewPassword, PASSWORD_ARGON2ID); $hash = password_hash($_POST['newPassword'], PASSWORD_ARGON2ID);
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
$statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]); $statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
$_SESSION['PASSWORD'] = $hash; $_SESSION['PASSWORD'] = $hash;
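Review bot: The repeat-password comparison three lines above the changed password_hash call uses loose `==`, which on two numeric strings compares numerically in PHP (`'1e3' == '1000'` and `'0e1' == '0e2'` are both true), so a mistyped confirmation can be accepted; use `if($_POST['newPasswordRepeat'] === $_POST['newPassword']) {`. The new `/^.{1,1000}$/` patterns also reject any password containing a newline (`.` does not match `\n` without the `s` modifier) while still accepting one trailing `\n` because of `$`; `'/^.{1,1000}$/sD'` gives the intended "1 to 1000 bytes, nothing else" check. The minimum-length test uses trim() but the untrimmed value is hashed, which is harmless but worth a one-line comment explaining that the trimmed length is the stricter bound.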


@ -18,7 +18,7 @@
if(!isset($_REQUEST['code'])) if(!isset($_REQUEST['code']))
die("MISSING INVITE CODE!"); die("MISSING INVITE CODE!");
if(strlen($_REQUEST['code']) != 32 || !preg_match('/[a-f0-9]+/', $_REQUEST['code'])) { if(strlen($_REQUEST['code']) != 32 || !preg_match('/^[a-f0-9]+$/', $_REQUEST['code'])) {
die("INVALID INVITE CODE!"); die("INVALID INVITE CODE!");
} }
@ -37,9 +37,9 @@
$validator = new FormValidator(array( $validator = new FormValidator(array(
'tos' => array('required' => true, 'equals' => 'on'), 'tos' => array('required' => true, 'equals' => 'on'),
'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?/'), 'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/'),
'password' => array('required' => true, 'regex' => '/.{1,1000}/'), 'password' => array('required' => true, 'regex' => '/^.{1,1000}$/'),
'email' => array('required' => true, 'regex' => '/\S{1,64}@\S{1,250}.\S{2,64}/'), 'email' => array('required' => true, 'regex' => '/^\S{1,64}@\S{1,250}.\S{2,64}$/'),
'avatar' => array('required' => true) 'avatar' => array('required' => true)
)); ));
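Review bot: The registration username pattern in the second hunk makes the second word optional (`( [^\\/<>\s]{1,64})?`), but the login validator changed in this same commit requires exactly `word word`, so an account registered under a single-word name can never pass login validation; either drop the optional group here or make the login pattern `/^[^\\/<>\s]{1,64}( [^\\/<>\s]{1,64})?$/` as well. The email pattern has an unescaped `.` between the domain parts, so it matches any character rather than a dot; write `\.`, or replace the regex with `filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)`. In the first hunk, `strlen(...) != 32` combined with `/^[a-f0-9]+$/` still lets 31 hex characters plus a trailing newline through, because `$` matches before a final `\n`; `preg_match('/^[a-f0-9]{32}$/D', $_REQUEST['code'])` makes the check exact and the separate length test redundant.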


@ -18,7 +18,7 @@
include 'app/FormValidator.php'; include 'app/FormValidator.php';
if(isset($_POST['genpw'])) { if(isset($_POST['genpw'])) {
$validator = new FormValidator(array( $validator = new FormValidator(array(
'userid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/') 'userid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
)); ));
if($validator->isValid($_POST)) { if($validator->isValid($_POST)) {