Fix URI encoding on register/login, also fix database escape bug

This commit is contained in:
calzoneman 2013-07-27 10:11:31 -04:00
parent c7aac027dd
commit b9e465b714
6 changed files with 40 additions and 26 deletions

11
api.js
View file

@ -235,7 +235,7 @@ module.exports = function (Server) {
handlePasswordReset: function (params, req, res) {
var name = params.name || "";
var email = unescape(params.email || "");
var email = params.email || "";
var ip = getIP(req);
var hash = false;
@ -353,8 +353,11 @@ module.exports = function (Server) {
var name = params.name || "";
var pw = params.pw || "";
var session = params.session || "";
var img = unescape(params.profile_image || "");
var text = unescape(params.profile_text || "");
var img = params.profile_image || "";
var text = params.profile_text || "";
console.log(name);
console.log(img);
console.log(text);
var row = Auth.login(name, pw, session);
if(!row) {
@ -394,7 +397,7 @@ module.exports = function (Server) {
handleEmailChange: function (params, req, res) {
var name = params.name || "";
var pw = params.pw || "";
var email = unescape(params.email) || "";
var email = params.email || "";
// perhaps my email regex isn't perfect, but there's no freaking way
// I'm implementing this monstrosity:
// <http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html>

View file

@ -86,6 +86,11 @@ function createQuery(template, args) {
var idx = template.indexOf("?", last);
var arg = args.shift();
arg = sqlEscape(arg);
// Stupid workaround because even if I call replace() with a string
// and not a regex, '$' still holds special meaning
// this actually replaces '$' with '$$'
// What the hell, Javascript?
arg = arg.replace(/\$/g, "$$$$");
var first = template.substring(0, idx);
template = first + template.substring(idx).replace("?", arg);
last = idx + arg.length;

View file

@ -15,7 +15,8 @@ var api = WEB_URL + "/api/json/";
var loggedin = false;
if(uname && session) {
var loginstr = "name=" + uname + "&session=" + session;
var loginstr = "name=" + encodeURIComponent(uname)
+ "&session=" + session;
var url = api + "login?" + loginstr + "&callback=?";
$.getJSON(url, function(data) {
if(data.success) {
@ -56,7 +57,7 @@ $("#email").click(makeTabCallback("#email", "#changeemailpane"));
$("#profile").click(makeTabCallback("#profile", "#profilepane"));
$("#profile").click(function() {
if(uname != "") {
$.getJSON(api + "getprofile?name=" + uname + "&callback=?", function(data) {
$.getJSON(api + "getprofile?name=" + encodeURIComponent(uname) + "&callback=?", function(data) {
if(data.success) {
$("#profiletext").val(data.profile_text);
$("#profileimg").val(data.profile_image);
@ -107,8 +108,8 @@ $("#registerbtn").click(function() {
// Input valid, try registering
var url = api + "register?" + [
"name=" + name,
"pw=" + pw
"name=" + encodeURIComponent(name),
"pw=" + encodeURIComponent(pw)
].join("&") + "&callback=?";
$.getJSON(url, function(data) {
@ -142,7 +143,8 @@ $("#loginbtn").click(function() {
return;
}
uname = $("#loginusername").val();
var loginstr = "name=" + uname + "&pw=" + $("#loginpw").val();
var loginstr = "name=" + encodeURIComponent(uname)
+ "&pw=" + encodeURIComponent($("#loginpw").val());
var url = api + "login?" + loginstr + "&callback=?";
$.getJSON(url, function(data) {
if(data.success) {
@ -202,9 +204,9 @@ $("#cpwbtn").click(function() {
// Input valid, try changing password
var url = api + "changepass?" + [
"name=" + name,
"oldpw=" + oldpw,
"newpw=" + newpw
"name=" + encodeURIComponent(name),
"oldpw=" + encodeURIComponent(oldpw),
"newpw=" + encodeURIComponent(newpw)
].join("&") + "&callback=?";
$.getJSON(url, function(data) {
if(data.success) {
@ -253,11 +255,10 @@ $("#cebtn").click(function() {
return;
}
email = escape(email);
var url = api + "setemail?" + [
"name=" + name,
"pw=" + pw,
"email=" + email
"name=" + encodeURIComponent(name),
"pw=" + encodeURIComponent(pw),
"email=" + encodeURIComponent(email)
].join("&") + "&callback=?";
$.getJSON(url, function(data) {
if(data.success) {
@ -284,10 +285,9 @@ $("#rpbtn").click(function() {
var name = $("#rpusername").val();
var email = $("#rpemail").val();
email = escape(email);
var url = api + "resetpass?" + [
"name=" + name,
"email=" + email
"name=" + encodeURIComponent(name),
"email=" + encodeURIComponent(email)
].join("&") + "&callback=?";
$.getJSON(url, function(data) {
$("#rpbtn").text("Send Reset");
@ -309,15 +309,17 @@ $("#profilesave").click(function() {
$("#profilepane").find(".alert-error").remove();
$("#profilepane").find(".alert-success").remove();
var img = $("#profileimg").val();
/*
img = escape(img).replace(/\//g, "%2F")
.replace(/&/g, "%26")
.replace(/=/g, "%3D")
.replace(/\?/g, "%3F");
*/
var url = api + "setprofile?" + [
"name=" + uname,
"name=" + encodeURIComponent(uname),
"session=" + session,
"profile_image=" + img,
"profile_text=" + escape($("#profiletext").val())
"profile_image=" + encodeURIComponent(img),
"profile_text=" + encodeURIComponent($("#profiletext").val())
].join("&") + "&callback=?";
$.getJSON(url, function(data) {

View file

@ -332,7 +332,8 @@ function setupCallbacks() {
CLIENT.logged_in = true;
socket.emit("acp-init");
if(SESSION) {
AUTH = "name=" + CLIENT.name + "&session=" + SESSION;
AUTH = "name=" + encodeURIComponent(CLIENT.name)
+ "&session=" + SESSION;
createCookie("cytube_uname", CLIENT.name, 7);
createCookie("cytube_session", SESSION, 7);
}

View file

@ -49,7 +49,7 @@
var uname = readCookie("cytube_uname") || "";
var p = "";
if(uname && session) {
$.getJSON(WEB_URL+"/api/json/login?name="+uname+"&session="+session+"&callback=?", function(data) {
$.getJSON(WEB_URL+"/api/json/login?name="+encodeURIComponent(uname)+"&session="+session+"&callback=?", function(data) {
if(data.success) {
$(".loginform").remove();
createCookie("cytube_uname", uname, 7);
@ -63,7 +63,8 @@
var q = "";
$("#login").click(function() {
uname = $("#name").val();
q = "name=" + $("#name").val() + "&pw=" + $("#pw").val();
q = "name=" + encodeURIComponent($("#name").val())
+ "&pw=" + encodeURIComponent($("#pw").val());
$.getJSON(WEB_URL+"/api/json/login?"+q+"&callback=?", function(data) {
if(data.success) {
$(".loginform").remove();

View file

@ -66,7 +66,9 @@
window.addEventListener("message", respond, false);
$("#login").click(function() {
$.getJSON(WEB_URL+"/api/json/login?name="+$("#username").val()+"&pw="+$("#pw").val()+"&callback=?", function(data) {
var u = encodeURIComponent($("#username").val());
var p = encodeURIComponent($("#pw").val());
$.getJSON(WEB_URL+"/api/json/login?name="+u+"&pw="+p+"&callback=?", function(data) {
data.uname = $("#username").val();
source.postMessage("cytube-login:"+JSON.stringify(data), document.location);
});