Sanitize base64 in URLs
parent
007adaeaa8
commit
350142abea
|
@ -33,7 +33,6 @@ package config
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"net/url"
|
|
||||||
|
|
||||||
"git.happydns.org/happydomain/model"
|
"git.happydns.org/happydomain/model"
|
||||||
)
|
)
|
||||||
|
@ -41,11 +40,11 @@ import (
|
||||||
// GetAccountRecoveryURL returns the absolute URL corresponding to the recovery
|
// GetAccountRecoveryURL returns the absolute URL corresponding to the recovery
|
||||||
// URL of the given account.
|
// URL of the given account.
|
||||||
func (o *Options) GetAccountRecoveryURL(u *happydns.UserAuth) string {
|
func (o *Options) GetAccountRecoveryURL(u *happydns.UserAuth) string {
|
||||||
return o.BuildURL_noescape("/forgotten-password?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), url.QueryEscape(u.GenAccountRecoveryHash(false)))
|
return o.BuildURL_noescape("/forgotten-password?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), u.GenAccountRecoveryHash(false))
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetRegistrationURL returns the absolute URL corresponding to the e-mail
|
// GetRegistrationURL returns the absolute URL corresponding to the e-mail
|
||||||
// validation page of the given account.
|
// validation page of the given account.
|
||||||
func (o *Options) GetRegistrationURL(u *happydns.UserAuth) string {
|
func (o *Options) GetRegistrationURL(u *happydns.UserAuth) string {
|
||||||
return o.BuildURL_noescape("/email-validation?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), url.QueryEscape(u.GenRegistrationHash(false)))
|
return o.BuildURL_noescape("/email-validation?u=%s&k=%s", base64.RawURLEncoding.EncodeToString(u.Id), u.GenRegistrationHash(false))
|
||||||
}
|
}
|
||||||
|
|
|
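Review bot: GetAccountRecoveryURL and GetRegistrationURL now rely on an undocumented contract: the `k` value is passed to `BuildURL_noescape` without escaping, so the links are only well-formed while `GenAccountRecoveryHash` and `GenRegistrationHash` return nothing outside the URL-safe base64 alphabet. If either generator changes encoding later, `+`, `/` or `=` would land in the query string unescaped and the mailed link would stop validating. Keeping `url.QueryEscape(...)` costs nothing here, since it leaves `[A-Za-z0-9_-]` untouched. Otherwise, state the assumption on both return lines, for example `// k is unpadded URL-safe base64 (RawURLEncoding), safe to embed without escaping`.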
@ -144,7 +144,7 @@ func (u *UserAuth) GenRegistrationHash(previous bool) string {
|
||||||
[]byte(u.CreatedAt.Format(time.RFC3339Nano)),
|
[]byte(u.CreatedAt.Format(time.RFC3339Nano)),
|
||||||
)
|
)
|
||||||
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
||||||
return base64.StdEncoding.EncodeToString(h.Sum(nil))
|
return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidateEmail tries to validate the email address by comparing the given key to the expected one.
|
// ValidateEmail tries to validate the email address by comparing the given key to the expected one.
|
||||||
|
@ -186,7 +186,7 @@ func (u *UserAuth) GenAccountRecoveryHash(previous bool) string {
|
||||||
u.PasswordRecoveryKey,
|
u.PasswordRecoveryKey,
|
||||||
)
|
)
|
||||||
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
||||||
return base64.StdEncoding.EncodeToString(h.Sum(nil))
|
return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
||||||
}
|
}
|
||||||
|
|
||||||
// CanRecoverAccount checks if the given key is a valid recovery hash.
|
// CanRecoverAccount checks if the given key is a valid recovery hash.
|
||||||
|
|
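Review bot: Switching both generators from `base64.StdEncoding` to `base64.RawURLEncoding` changes the string produced for the same inputs, so a registration or recovery link mailed before this change will most likely no longer match in ValidateEmail or CanRecoverAccount, whose bodies are outside these hunks. That fails closed, and the `previous` parameter suggests the tokens are short-lived, but the commit message should say so if it is intended. The doc comments of GenRegistrationHash and GenAccountRecoveryHash should also record the output format, since package config now embeds it unescaped, for example `// The returned key is unpadded URL-safe base64 and can be placed in a URL as is.` The comparison of the supplied key against the expected one is not visible here; it is worth confirming that it uses a constant-time compare such as `subtle.ConstantTimeCompare`.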