Sanitize base64 in URLs

nemunaire 2022-11-27 15:10:15 +01:00
parent 007adaeaa8
commit 350142abea
2 changed files with 4 additions and 5 deletions


@ -33,7 +33,6 @@ package config
import ( import (
"encoding/base64" "encoding/base64"
"net/url"
"git.happydns.org/happydomain/model" "git.happydns.org/happydomain/model"
) )
@ -41,11 +40,11 @@ import (
// GetAccountRecoveryURL returns the absolute URL corresponding to the recovery // GetAccountRecoveryURL returns the absolute URL corresponding to the recovery
// URL of the given account. // URL of the given account.
func (o *Options) GetAccountRecoveryURL(u *happydns.UserAuth) string { func (o *Options) GetAccountRecoveryURL(u *happydns.UserAuth) string {
return o.BuildURL_noescape("/forgotten-password?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), url.QueryEscape(u.GenAccountRecoveryHash(false))) return o.BuildURL_noescape("/forgotten-password?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), u.GenAccountRecoveryHash(false))
} }
// GetRegistrationURL returns the absolute URL corresponding to the e-mail // GetRegistrationURL returns the absolute URL corresponding to the e-mail
// validation page of the given account. // validation page of the given account.
func (o *Options) GetRegistrationURL(u *happydns.UserAuth) string { func (o *Options) GetRegistrationURL(u *happydns.UserAuth) string {
return o.BuildURL_noescape("/email-validation?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), url.QueryEscape(u.GenRegistrationHash(false))) return o.BuildURL_noescape("/email-validation?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), u.GenRegistrationHash(false))
} }
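Review bot: Dropping url.QueryEscape around the `k=` argument in GetAccountRecoveryURL and GetRegistrationURL is only correct because the two Gen*Hash helpers now emit base64.RawURLEncoding, whose alphabet (`A-Z a-z 0-9 - _`, no `=` padding) needs no escaping in a query string, and that coupling is invisible at these call sites. A one-line comment above each return, `// u and k are base64.RawURLEncoding, so they are safe in a query string without url.QueryEscape`, would keep a later switch back to StdEncoding from silently producing links with raw `+`, `/` and `=`. BuildURL_noescape appears, from its name, to insert the arguments verbatim, so such a regression would make the links mis-parse; its body is not visible here to confirm.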


@ -144,7 +144,7 @@ func (u *UserAuth) GenRegistrationHash(previous bool) string {
[]byte(u.CreatedAt.Format(time.RFC3339Nano)), []byte(u.CreatedAt.Format(time.RFC3339Nano)),
) )
h.Write(date.AppendFormat([]byte{}, time.RFC3339)) h.Write(date.AppendFormat([]byte{}, time.RFC3339))
return base64.StdEncoding.EncodeToString(h.Sum(nil)) return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
} }
// ValidateEmail tries to validate the email address by comparing the given key to the expected one. // ValidateEmail tries to validate the email address by comparing the given key to the expected one.
@ -186,7 +186,7 @@ func (u *UserAuth) GenAccountRecoveryHash(previous bool) string {
u.PasswordRecoveryKey, u.PasswordRecoveryKey,
) )
h.Write(date.AppendFormat([]byte{}, time.RFC3339)) h.Write(date.AppendFormat([]byte{}, time.RFC3339))
return base64.StdEncoding.EncodeToString(h.Sum(nil)) return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
} }
// CanRecoverAccount checks if the given key is a valid recovery hash. // CanRecoverAccount checks if the given key is a valid recovery hash.
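Review bot: Changing GenRegistrationHash and GenAccountRecoveryHash from StdEncoding to RawURLEncoding changes the token string itself, so any validation or recovery link e-mailed before this is deployed will no longer match when ValidateEmail or CanRecoverAccount compares the submitted key with a freshly generated hash; the `previous` window covers time drift, not an encoding change. If in-flight links matter, the comparing side could decode both the submitted key and the expected value to bytes (accepting StdEncoding for one release) before comparing, or the cutover should be stated in the commit message. Since the compared value is a secret token, that comparison should be constant-time (crypto/subtle.ConstantTimeCompare) if it is not already. The doc comment of each function should also record what callers now rely on, e.g. `// The result is base64.RawURLEncoding, so it can be embedded in a URL query without escaping.` Both functions start outside the hunks, and the comparison code in ValidateEmail/CanRecoverAccount is not visible here, so the rejection behaviour is inferred from their doc comments.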