Ylianst/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2024-08-15 19:50:44 +03:00
Code Issues Packages Projects Releases Wiki Activity

More code clean up and input validation.

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2020-07-06 15:04:22 -07:00
parent bee668d502
commit 984ce8b201
4 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pluginHandler.js
View File

@ -516,7 +516,7 @@ module.exports.pluginHandler = function (parent) {
};
obj.handleAdminReq = function (req, res, user, serv) {
if (obj.common.isAlphaNumeric(req.query.pin) !== true) { res.sendStatus(401); return; }
if ((req.query.pin == null) || (obj.common.isAlphaNumeric(req.query.pin) !== true)) { res.sendStatus(401); return; }
var path = obj.path.join(obj.pluginPath, req.query.pin, 'views');
if (obj.common.IsFilenameValid(path) !== true) { res.sendStatus(401); return; }
serv.app.set('views', path);
@ -528,7 +528,7 @@ module.exports.pluginHandler = function (parent) {
}
obj.handleAdminPostReq = function (req, res, user, serv) {
if (obj.common.isAlphaNumeric(req.query.pin) !== true) { res.sendStatus(401); return; }
if ((req.query.pin == null) || (obj.common.isAlphaNumeric(req.query.pin) !== true)) { res.sendStatus(401); return; }
var path = obj.path.join(obj.pluginPath, req.query.pin, 'views');
if (obj.common.IsFilenameValid(path) !== true) { res.sendStatus(401); return; }
serv.app.set('views', path);

2
views/login-mobile.handlebars
View File

@ -327,7 +327,7 @@
// Display the right server message
var messageid = parseInt('{{{messageid}}}');
var okmessages = ['', "Hold on, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
var okmessages = ['', "If valid, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
var failmessages = ["Unable to create account.", "Account limit reached.", "Existing account with this email address.", "Invalid account creation token.", "Username already exists.", "Password rejected, use a different one.", "Invalid email.", "Account not found.", "Invalid token, try again.", "Unable to sent email.", "Account locked.", "Access denied.", "Login failed, check username and password.", "Password change requested.", "IP address blocked, try again later."];
if (messageid > 0) {
var msg = '';

2
views/login.handlebars
View File

@ -320,7 +320,7 @@
// Display the right server message
var i;
var messageid = parseInt('{{{messageid}}}');
var okmessages = ['', "Hold on, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
var okmessages = ['', "If valid, reset mail sent.", "Email sent.", "Email verification required, check your mailbox and click the confirmation link.", "SMS sent."];
var failmessages = ["Unable to create account.", "Account limit reached.", "Existing account with this email address.", "Invalid account creation token.", "Username already exists.", "Password rejected, use a different one.", "Invalid email.", "Account not found.", "Invalid token, try again.", "Unable to sent email.", "Account locked.", "Access denied.", "Login failed, check username and password.", "Password change requested.", "IP address blocked, try again later."];
if (messageid > 0) {
var msg = '';

10
webserver.js
View File

@ -1357,7 +1357,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if ((err != null) || (docs.length == 0)) {
parent.debug('web', 'handleResetAccountRequest: Account not found');
req.session.loginmode = '3';
req.session.messageid = 107; // Account not found.
req.session.messageid = 1; // If valid, reset mail sent. Instead of "Account not found" (107), we send this hold on message so users can't know if this account exists or not.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
} else {
// If many accounts have the same validated e-mail, we are going to use the first one for display, but sent a reset email for all accounts.
@ -1388,7 +1388,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (i == 0) {
parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
req.session.loginmode = '1';
req.session.messageid = 1; // Hold on, reset mail sent.
req.session.messageid = 1; // If valid, reset mail sent.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
}
} else {
@ -1408,7 +1408,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (i == 0) {
parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
req.session.loginmode = '1';
req.session.messageid = 1; // Hold on, reset mail sent.
req.session.messageid = 1; // If valid, reset mail sent.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
}
} else {
@ -2828,7 +2828,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (domain == null) return;
// Check the query
if ((req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true)) { res.sendStatus(401); return; }
if ((domain.sessionrecording == null) || (req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true)) { res.sendStatus(401); return; }
// Get the recording path
var recordingsPath = null;
@ -2923,7 +2923,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} catch (ex) {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename=\"file.bin\"' });
}
try { res.sendFile(file.fullpath); } catch (e) { res.sendStatus(404); }
obj.fs.exists(file.fullpath, function (exists) { if (exists == true) { res.sendFile(file.fullpath); } else { res.sendStatus(404); } });
}
// Upload a MeshCore.js file to the server