diff options
author | Simon Rettberg | 2023-11-28 15:21:09 +0100 |
---|---|---|
committer | Simon Rettberg | 2023-11-28 15:21:09 +0100 |
commit | 0cff80010d1ba88b0e575c970d16b9eac014ce0e (patch) | |
tree | a24fd679cb9f776822e87b2b6a5861f9be37a2ab | |
parent | Disable HTTP/2 as it's buggy; fix wiping history on reset (diff) | |
download | slxgreeter-0cff80010d1ba88b0e575c970d16b9eac014ce0e.tar.gz slxgreeter-0cff80010d1ba88b0e575c970d16b9eac014ce0e.tar.xz slxgreeter-0cff80010d1ba88b0e575c970d16b9eac014ce0e.zip |
Check server's security hash, check username and password format
-rw-r--r-- | src/webview.cpp | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/webview.cpp b/src/webview.cpp index 09bf427..e0b47f3 100644 --- a/src/webview.cpp +++ b/src/webview.cpp @@ -13,6 +13,9 @@ #include <QWebPage> #include <QNetworkAccessManager> +static QRegularExpression R_USER("^[a-z_A-Z][a-zA-Z0-9_@.-]{1,32}$"); +static QRegularExpression R_PASS("^[a-z0-9]{1,32}$"); + // Override user-agent to make it appear mobile class UaWebPage : public QWebPage { @@ -139,8 +142,18 @@ void WebView::onLoadFinished(bool ok) auto user = this->page()->mainFrame()->documentElement().findFirst("#bwlp-username"); auto pass = this->page()->mainFrame()->documentElement().findFirst("#bwlp-password"); auto err = this->page()->mainFrame()->documentElement().findFirst("#bwlp-error"); - if (!user.isNull() && !pass.isNull()) { - emit startAuthentication(user.toPlainText(), "shib=" + _token + pass.toPlainText()); + auto hash = this->page()->mainFrame()->documentElement().findFirst("#bwlp-hash"); + if (!user.isNull() && !pass.isNull() && !hash.isNull()) { + if (hash.toPlainText() != QCryptographicHash::hash(_token.toLatin1(), QCryptographicHash::Md5).toHex()) { + qDebug() << " *** Invalid security hash ***"; + emit triggerReset("Invalid Hash"); + return; + } + auto ustr = user.toPlainText(); + auto upass = pass.toPlainText(); + if (ustr.contains('@') && R_USER.match(ustr).hasMatch() && R_PASS.match(upass).hasMatch()) { + emit startAuthentication(ustr, "shib=" + _token + upass); + } } else if (!err.isNull()) { this->stop(); this->page()->mainFrame()->setContent(""); |