indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Extra validation on password

merge-requests/30/head
Bob Mottram 2024-07-28 15:45:40 +01:00
parent 509f9fe4ad
commit 4a50de31bf
2 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
httpheaders.py
View File

@ -236,6 +236,9 @@ def contains_suspicious_headers(headers: {}) -> bool:
'think-lang' in headers or \ 'think-lang' in headers or \
'Think-lang' in headers: 'Think-lang' in headers:
return True return True
if '../../' in str(headers): headers_str = str(headers)
if '../../' in headers_str or \
'index.php' in headers_str or \
'passwd' in headers_str:
return True return True
return False return False

9
webapp_login.py
View File

@ -58,8 +58,17 @@ def html_get_login_credentials(login_params: str,
if '@' in nickname: if '@' in nickname:
# the full nickname@domain has been entered # the full nickname@domain has been entered
nickname = nickname.split('@')[0] nickname = nickname.split('@')[0]
# validation on nickname
if 'passwd' in nickname or \
'`' in nickname or \
';' in nickname or \
' ' in nickname:
nickname = None
elif arg.split('=', 1)[0] == 'password': elif arg.split('=', 1)[0] == 'password':
password = arg.split('=', 1)[1] password = arg.split('=', 1)[1]
# validation on password
if '`' in password:
password = None
elif registrations_open and arg.split('=', 1)[0] == 'register': elif registrations_open and arg.split('=', 1)[0] == 'register':
register = True register = True
return nickname, password, register return nickname, password, register