From 1da508d0d691ec0c5972eadbe4f997996b07286c Mon Sep 17 00:00:00 2001
From: fram3d
Date: Thu, 4 Jan 2024 08:22:17 +0100
Subject: [PATCH] add integrity checks for user input

---
 build-deb/Makefile | 1 +
 build-deb/luser/DEBIAN/control | 2 +-
 build-deb/luser/DEBIAN/prerm | 2 +-
 luser/models.py | 4 ++--
 luser/routes.py | 10 +++++++++-
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/build-deb/Makefile b/build-deb/Makefile
index 0a5614c..3f871b6 100644
--- a/build-deb/Makefile
+++ b/build-deb/Makefile
@@ -11,6 +11,7 @@ deb: man ../requirments.txt ../run.py ../luser ../LICENSE
 chmod -w luser/DEBIAN/*
 chmod +w luser/DEBIAN/control
 dpkg-deb --build luser
+ chmod +w luser/DEBIAN/*
 clean:
 rm -f luser.deb
 rm -f man/luser.1
diff --git a/build-deb/luser/DEBIAN/control b/build-deb/luser/DEBIAN/control
index 4772ada..40eeb82 100644
--- a/build-deb/luser/DEBIAN/control
+++ b/build-deb/luser/DEBIAN/control
@@ -8,4 +8,4 @@ Depends: python3-flask, python3-ldap3, gunicorn, imagemagick, python3-passlib
 Homepage: https://gitea.dmz.rs/fram3d/luser
 Maintainer: fram3d
 Description: Web app that allows users to add,remove and change passwords in LDAP system
-Version: 1.0.4
+Version: 1.0.7
diff --git a/build-deb/luser/DEBIAN/prerm b/build-deb/luser/DEBIAN/prerm
index ffac95f..0cb0fb5 100755
--- a/build-deb/luser/DEBIAN/prerm
+++ b/build-deb/luser/DEBIAN/prerm
@@ -1,6 +1,6 @@
 #!/bin/bash
 /sbin/service luser stop
-/usr/bin/systemdctl disable luser.service
+/usr/bin/systemctl disable luser.service
 if [ -f /var/luser/luser/config.ini ] ; then
 cp /var/luser/luser/config.ini /tmp/oldluserconfig.ini
 fi
diff --git a/luser/models.py b/luser/models.py
index 4be8f93..a2869eb 100644
--- a/luser/models.py
+++ b/luser/models.py
@@ -25,8 +25,8 @@ class LUSER():
 for i in alluids:
 i_uid = i['attributes']['uidNumber']
- if i_uid > max:
- max = i_uid
+ if int(i_uid) > max:
+ max = int(i_uid)
 return max
diff --git a/luser/routes.py b/luser/routes.py
index c456aca..1f87279 100644
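Review bot: The new `int(i_uid)` conversion in the models.py hunk is evaluated twice and raises `ValueError`/`TypeError` if `uidNumber` is absent, empty, or not a plain integer string — depending on how the ldap3 search is configured the attribute may arrive as a list rather than a scalar, which is worth confirming against the caller — and the loop has no handling for that, so one malformed directory entry would break uid allocation for every new user. Converting once, `uid = int(i_uid)` followed by `if uid > max: max = uid`, keeps the fix with a single cast, and a `try`/`except (TypeError, ValueError)` around the cast that skips and logs bad entries would make the allocation robust to dirty data. The accumulator also shadows the `max` builtin; renaming it to `highest` would avoid that. The enclosing method begins outside the hunk.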
--- a/luser/routes.py
+++ b/luser/routes.py
@@ -118,7 +118,7 @@ def register():
 if len(password) < 8:
 return 'Error: password is too short'
 
- # Check lenght of password
+ # Check if passwords matches
 if password != confirmpassword:
 return 'Error: passwords do not match'
 
@@ -126,6 +126,14 @@ def register():
 if username.islower() == False:
 return 'Error: uppercase characters in username are not allowed'
 
+ # Check lenght of username
+ if len(username) < 1:
+ return 'Error: username is too short'
+
+ # Check if username is alphanumeric
+ if not username.isalnum():
+ return 'Error: username can only contain letters and numbers'
+
 # Create a LUSER connection
 luser = LUSER(LDAPHOST,LDAPADMINNAME,LDAPPASS,USERBASE,ALTUSERBASE)
 # Try to add user
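Review bot: The new `len(username) < 1` check in the second hunk is unreachable, because the preceding `username.islower() == False` test already returns for an empty string (`''.islower()` is False), so an empty username is reported as containing uppercase characters; the same misleading message hits all-digit usernames such as `1234`, which would otherwise pass the new `isalnum()` check. Move the length check ahead of the case check and write the case check idiomatically as `if not username.islower():`. Note too that `str.isalnum()` is Unicode-aware and accepts letters and digits from any script, so as a whitelist for a value that is handed to LDAP it is broader than the error message "letters and numbers" suggests; `if not (username.isascii() and username.isalnum()):` restricts it to ASCII, and a maximum length alongside the minimum would be worth adding if the directory or POSIX tooling imposes one. `register()` starts before the hunk and `username` is read outside it.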