Switch to Session::Token to generate random names

Fix #85
master
Daniel Berteaud 10 years ago
parent 146d1b7881
commit e09c70e62c
  1. 2
      signalmaster/server.js
  2. 13
      vroom.pl

@ -74,7 +74,7 @@ io.configure(function(){
room = tab[1], room = tab[1],
token = tab[2]; token = tab[2];
// sanitize user input, we don't want to pass random junk to MySQL do we ? // sanitize user input, we don't want to pass random junk to MySQL do we ?
if (!user.match(/^[\w\@\.\-]{1,40}$/i) || !room.match(/^[\w\-]{1,50}$/) || !token.match(/^[a-zA-Z0-9]{50}$/)){ if (!user.match(/^[\w\@\.\-]{1,60}$/i) || !room.match(/^[\w\-]{1,50}$/) || !token.match(/^[a-zA-Z0-9]{30,60}$/)){
console.log('Forbidden chars found in either participant session, room name or token, sorry, cannot allow this'); console.log('Forbidden chars found in either participant session, room name or token, sorry, cannot allow this');
accept('Forbidden characters found', false); accept('Forbidden characters found', false);
} }
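Review bot: The token check at line 77 now accepts any 30–60 character value, while the only producer (`get_random(256)` in vroom.pl, which uses Session::Token's default `[a-zA-Z0-9]` alphabet) should emit a fixed 43 characters for 256 bits, so the exact-length cross-check the old `{50}` gave is lost. That is harmless as a syntax filter, but the relationship should be recorded next to the regex: `// token: 256-bit Session::Token over [a-zA-Z0-9] is 43 chars; range left loose so the Perl side can change entropy without touching this`. The widened `{1,60}` user bound similarly covers the 43-char lowercased login plus REMOTE_USER values and deserves the same one-line note. The enclosing authorization callback starts before the hunk.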

@ -14,6 +14,7 @@ use MIME::Base64;
use File::stat; use File::stat;
use File::Basename; use File::Basename;
use Etherpad::API; use Etherpad::API;
use Session::Token;
# List The different components we rely on. # List The different components we rely on.
# Used to generate thanks on the about template # Used to generate thanks on the about template
@ -226,7 +227,7 @@ helper db => sub {
helper login => sub { helper login => sub {
my $self = shift; my $self = shift;
return if $self->session('name'); return if $self->session('name');
my $login = $ENV{'REMOTE_USER'} || lc $self->get_random(29); my $login = $ENV{'REMOTE_USER'} || lc $self->get_random(256);
$self->session( $self->session(
name => $login, name => $login,
ip => $self->tx->remote_address ip => $self->tx->remote_address
@ -258,7 +259,7 @@ helper create_room => sub {
$self->db->prepare("INSERT INTO `rooms` (`name`,`create_timestamp`,`activity_timestamp`,`owner`,`token`,`realm`) VALUES (?,?,?,?,?,?);") $self->db->prepare("INSERT INTO `rooms` (`name`,`create_timestamp`,`activity_timestamp`,`owner`,`token`,`realm`) VALUES (?,?,?,?,?,?);")
} || return undef; } || return undef;
# Gen a random token. Will be used as a turnPassword # Gen a random token. Will be used as a turnPassword
my $tp = $self->get_random(49); my $tp = $self->get_random(256);
$sth->execute($name,time(),time(),$owner,$tp,$config->{realm}) || return undef; $sth->execute($name,time(),time(),$owner,$tp,$config->{realm}) || return undef;
$self->app->log->info("Room $name created by " . $self->session('name')); $self->app->log->info("Room $name created by " . $self->session('name'));
# Etherpad integration ? # Etherpad integration ?
@ -548,14 +549,14 @@ helper valid_room_name => sub {
# Generate a random token # Generate a random token
helper get_random => sub { helper get_random => sub {
my $self = shift; my $self = shift;
my ($size) = @_; my ($entropy) = @_;
return join '' => map{('a'..'z','A'..'Z','0'..'9','0'..'9')[rand 72]} 0..$size; return Session::Token->new(entropy => $entropy)->get;
}; };
# Generate a random name # Generate a random name
helper get_random_name => sub { helper get_random_name => sub {
my $self = shift; my $self = shift;
my $name = lc $self->get_random(9); my $name = lc $self->get_random(64);
# Get another one if already taken # Get another one if already taken
while ($self->get_room($name)){ while ($self->get_room($name)){
$name = $self->get_random_name(); $name = $self->get_random_name();
@ -718,7 +719,7 @@ helper add_invitation => sub {
my ($room,$email) = @_; my ($room,$email) = @_;
my $from = $self->session('name') || return undef; my $from = $self->session('name') || return undef;
my $data = $self->get_room($room); my $data = $self->get_room($room);
my $id = $self->get_random(30); my $id = $self->get_random(256);
return undef unless ($data); return undef unless ($data);
my $sth = eval { my $sth = eval {
$self->db->prepare("INSERT INTO `invitations` (`id`,`from`,`token`,`email`,`timestamp`) VALUES (?,?,?,?,?)") $self->db->prepare("INSERT INTO `invitations` (`id`,`from`,`token`,`email`,`timestamp`) VALUES (?,?,?,?,?)")
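Review bot: In the `get_random` hunk at line 549 the argument changed meaning from a character count to bits of entropy, but the comment still reads `# Generate a random token`; I would write `# Generate a random token with at least $entropy bits of entropy, drawn from Session::Token's default [a-zA-Z0-9] alphabet`. Each call also constructs a fresh `Session::Token` object, which as far as I recall seeds itself from the OS random source on every construction — correct and fork-safe, but a cached per-process generator would avoid the repeated seed read if these helpers become hot. If a caller ever omits the argument, `entropy => undef` is passed straight through; adding `$entropy //= 128;` after the unpacking line keeps the helper safe. Note that `login` (line 230) and `get_random_name` (line 555, its body runs past the hunk) lowercase the result, so the effective entropy of those values is somewhat below the requested bits; fine for 256 and 64 respectively, but worth a comment at the `lc` sites.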
