authorSimon Rettberg2023-11-28 15:21:09 +0100
committerSimon Rettberg2023-11-28 15:21:09 +0100
commit0cff80010d1ba88b0e575c970d16b9eac014ce0e (patch)
treea24fd679cb9f776822e87b2b6a5861f9be37a2ab
parentDisable HTTP/2 as it's buggy; fix wiping history on reset (diff)
Check server's security hash, check username and password format
-rw-r--r--src/webview.cpp17
1 files changed, 15 insertions, 2 deletions
diff --git a/src/webview.cpp b/src/webview.cpp
index 09bf427..e0b47f3 100644
--- a/src/webview.cpp
+++ b/src/webview.cpp
@@ -13,6 +13,9 @@
#include <QWebPage>
#include <QNetworkAccessManager>
+static QRegularExpression R_USER("^[a-z_A-Z][a-zA-Z0-9_@.-]{1,32}$");
+static QRegularExpression R_PASS("^[a-z0-9]{1,32}$");
+
// Override user-agent to make it appear mobile
class UaWebPage : public QWebPage
{
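Review bot: Both new patterns end in `$`, which in QRegularExpression (PCRE semantics) also matches just before a trailing newline, so a value ending in `\n` passes the check and is later concatenated into the authentication string in onLoadFinished. Anchor the end with `\\z` instead, e.g. `static const QRegularExpression R_PASS("^[a-z0-9]{1,32}\\z");`, or wrap the pattern with `QRegularExpression::anchoredPattern(...)`. R_USER's `{1,32}` applies after the first character, so it accepts 2 to 33 characters; a short comment stating the intended limits would show whether that is deliberate. The `#include <QRegularExpression>` is not visible in this hunk and may come from another header.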
@@ -139,8 +142,18 @@ void WebView::onLoadFinished(bool ok)
auto user = this->page()->mainFrame()->documentElement().findFirst("#bwlp-username");
auto pass = this->page()->mainFrame()->documentElement().findFirst("#bwlp-password");
auto err = this->page()->mainFrame()->documentElement().findFirst("#bwlp-error");
- if (!user.isNull() && !pass.isNull()) {
- emit startAuthentication(user.toPlainText(), "shib=" + _token + pass.toPlainText());
+ auto hash = this->page()->mainFrame()->documentElement().findFirst("#bwlp-hash");
+ if (!user.isNull() && !pass.isNull() && !hash.isNull()) {
+ if (hash.toPlainText() != QCryptographicHash::hash(_token.toLatin1(), QCryptographicHash::Md5).toHex()) {
+ qDebug() << " *** Invalid security hash ***";
+ emit triggerReset("Invalid Hash");
+ return;
+ }
+ auto ustr = user.toPlainText();
+ auto upass = pass.toPlainText();
+ if (ustr.contains('@') && R_USER.match(ustr).hasMatch() && R_PASS.match(upass).hasMatch()) {
+ emit startAuthentication(ustr, "shib=" + _token + upass);
+ }
} else if (!err.isNull()) {
this->stop();
this->page()->mainFrame()->setContent("");
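Review bot: When the hash matches but the username or password fails the format check at `if (ustr.contains('@') && R_USER.match(ustr).hasMatch() && R_PASS.match(upass).hasMatch())`, the branch ends without emitting anything, so the greeter neither authenticates nor resets and nothing is logged. Add an `else` that mirrors the invalid-hash path, e.g. `else { qDebug() << " *** Invalid credential format ***"; emit triggerReset("Invalid credentials"); }`. Separately, `#bwlp-hash` is compared against an unkeyed MD5 of `_token`, which only shows that whoever produced the page knows the token. If the token is ever visible to content loaded in this view (for example in a URL), that comparison does not authenticate the server; an HMAC keyed with a secret the page never sees, or a check of the page's origin before these elements are read, would be stronger. The rest of onLoadFinished is outside the hunk, so an origin check may already exist there.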