From 0cff80010d1ba88b0e575c970d16b9eac014ce0e Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 28 Nov 2023 15:21:09 +0100
Subject: Check server's security hash, check username and password format

---
 src/webview.cpp | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/webview.cpp b/src/webview.cpp
index 09bf427..e0b47f3 100644
--- a/src/webview.cpp
+++ b/src/webview.cpp
@@ -13,6 +13,9 @@
 #include <QWebPage>
 #include <QNetworkAccessManager>
 
+static QRegularExpression R_USER("^[a-z_A-Z][a-zA-Z0-9_@.-]{1,32}$");
+static QRegularExpression R_PASS("^[a-z0-9]{1,32}$");
+
 // Override user-agent to make it appear mobile
 class UaWebPage : public QWebPage
 {
@@ -139,8 +142,18 @@ void WebView::onLoadFinished(bool ok)
 	auto user = this->page()->mainFrame()->documentElement().findFirst("#bwlp-username");
 	auto pass = this->page()->mainFrame()->documentElement().findFirst("#bwlp-password");
 	auto err = this->page()->mainFrame()->documentElement().findFirst("#bwlp-error");
-	if (!user.isNull() && !pass.isNull()) {
-		emit startAuthentication(user.toPlainText(), "shib=" + _token + pass.toPlainText());
+	auto hash = this->page()->mainFrame()->documentElement().findFirst("#bwlp-hash");
+	if (!user.isNull() && !pass.isNull() && !hash.isNull()) {
+		if (hash.toPlainText() != QCryptographicHash::hash(_token.toLatin1(), QCryptographicHash::Md5).toHex()) {
+			qDebug() << " *** Invalid security hash ***";
+			emit triggerReset("Invalid Hash");
+			return;
+		}
+		auto ustr = user.toPlainText();
+		auto upass = pass.toPlainText();
+		if (ustr.contains('@') && R_USER.match(ustr).hasMatch() && R_PASS.match(upass).hasMatch()) {
+			emit startAuthentication(ustr, "shib=" + _token + upass);
+		}
 	} else if (!err.isNull()) {
 		this->stop();
 		this->page()->mainFrame()->setContent("");
-- 
cgit v1.2.3-55-g7522