Sanitize base64 in URLs
parent
007adaeaa8
commit
350142abea
|
@ -33,7 +33,6 @@ package config
|
|||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"net/url"
|
||||
|
||||
"git.happydns.org/happydomain/model"
|
||||
)
|
||||
|
@ -41,11 +40,11 @@ import (
|
|||
// GetAccountRecoveryURL returns the absolute URL corresponding to the recovery
|
||||
// URL of the given account.
|
||||
func (o *Options) GetAccountRecoveryURL(u *happydns.UserAuth) string {
|
||||
return o.BuildURL_noescape("/forgotten-password?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), url.QueryEscape(u.GenAccountRecoveryHash(false)))
|
||||
return o.BuildURL_noescape("/forgotten-password?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), u.GenAccountRecoveryHash(false))
|
||||
}
|
||||
|
||||
// GetRegistrationURL returns the absolute URL corresponding to the e-mail
|
||||
// validation page of the given account.
|
||||
func (o *Options) GetRegistrationURL(u *happydns.UserAuth) string {
|
||||
return o.BuildURL_noescape("/email-validation?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), url.QueryEscape(u.GenRegistrationHash(false)))
|
||||
return o.BuildURL_noescape("/email-validation?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), u.GenRegistrationHash(false))
|
||||
}
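Review bot: In `GetAccountRecoveryURL` the hash now reaches `BuildURL_noescape` with no escaping, so the link is well-formed only while `GenAccountRecoveryHash` keeps returning URL-safe text, and nothing at the call site records that dependency. The same applies to the `k` argument in `GetRegistrationURL`. Keeping `url.QueryEscape(...)` around the hash would cost nothing, since it leaves unpadded base64url output unchanged, and it would still protect the link if the encoding is changed again later. If the call is dropped as shown, add a comment above each return such as `// k is base64.RawURLEncoding output ([A-Za-z0-9_-]); safe in the query string unescaped.`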
|
||||
|
|
|
@ -144,7 +144,7 @@ func (u *UserAuth) GenRegistrationHash(previous bool) string {
|
|||
[]byte(u.CreatedAt.Format(time.RFC3339Nano)),
|
||||
)
|
||||
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
||||
return base64.StdEncoding.EncodeToString(h.Sum(nil))
|
||||
return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
||||
}
|
||||
|
||||
// ValidateEmail tries to validate the email address by comparing the given key to the expected one.
|
||||
|
@ -186,7 +186,7 @@ func (u *UserAuth) GenAccountRecoveryHash(previous bool) string {
|
|||
u.PasswordRecoveryKey,
|
||||
)
|
||||
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
||||
return base64.StdEncoding.EncodeToString(h.Sum(nil))
|
||||
return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
||||
}
|
||||
|
||||
// CanRecoverAccount checks if the given key is a valid recovery hash.
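Review bot: Switching the return in `GenRegistrationHash` from `base64.StdEncoding` to `base64.RawURLEncoding` changes the text of every key, so a validation link mailed before this change is deployed will presumably stop matching in `ValidateEmail`, whose body is outside the hunk. The same holds for `GenAccountRecoveryHash` and `CanRecoverAccount`. If invalidating outstanding links is acceptable, the commit message should say so; otherwise the validators would need to accept the old form for a transition period. The doc comments of both generators should also state the contract the URL builders now rely on, e.g. `// The result is unpadded base64url and can be placed in a URL query without escaping.` Both generator bodies begin outside their hunks.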
|
||||
|
|