add integrity checks for user input

2024-01-04 08:22:17 +01:00 · 2024-01-04 08:22:17 +01:00 · 1da508d0d6
commit 1da508d0d6
parent 7f1ab45d53
5 changed files with 14 additions and 5 deletions
--- a/build-deb/Makefile
+++ b/build-deb/Makefile
@ -11,6 +11,7 @@ deb: man ../requirments.txt ../run.py ../luser ../LICENSE
 	chmod -w luser/DEBIAN/*
 	chmod +w luser/DEBIAN/control
 	dpkg-deb --build luser
+	chmod +w luser/DEBIAN/*
 clean:
 	rm -f luser.deb
 	rm -f man/luser.1
--- a/build-deb/luser/DEBIAN/control
+++ b/build-deb/luser/DEBIAN/control
@ -8,4 +8,4 @@ Depends: python3-flask, python3-ldap3, gunicorn, imagemagick, python3-passlib
 Homepage: https://gitea.dmz.rs/fram3d/luser
 Maintainer: fram3d <fram3d@dmz.rs>
 Description: Web app that allows users to add,remove and change passwords in LDAP system
-Version: 1.0.4
+Version: 1.0.7
--- a/build-deb/luser/DEBIAN/prerm
+++ b/build-deb/luser/DEBIAN/prerm
@ -1,6 +1,6 @@
 #!/bin/bash
 /sbin/service luser stop
-/usr/bin/systemdctl disable luser.service
+/usr/bin/systemctl disable luser.service
 if [ -f /var/luser/luser/config.ini ] ; then
 	cp /var/luser/luser/config.ini /tmp/oldluserconfig.ini
 fi
--- a/luser/models.py
+++ b/luser/models.py
@ -25,8 +25,8 @@ class LUSER():

        for i in alluids:
            i_uid = i['attributes']['uidNumber']
-            if i_uid > max:
-                max = i_uid
+            if int(i_uid) > max:
+                max = int(i_uid)

        return max

--- a/luser/routes.py
+++ b/luser/routes.py
@ -118,7 +118,7 @@ def register():
        if len(password) < 8:
            return 'Error: password is too short'

-        # Check lenght of password
+        # Check if passwords matches
        if password != confirmpassword:
            return 'Error: passwords do not match'

@ -126,6 +126,14 @@ def register():
        if username.islower() == False:
            return 'Error: uppercase characters in username are not allowed'

+        # Check lenght of username
+        if len(username) < 1:
+            return 'Error: username is too short'
+
+        # Check if username is alphanumeric
+        if not username.isalnum():
+            return 'Error: username can only contain letters and numbers'
+
        # Create a LUSER connection
        luser = LUSER(LDAPHOST,LDAPADMINNAME,LDAPPASS,USERBASE,ALTUSERBASE)
        # Try to add user