Update server:

* Check that $db variable is OK before processing database requests * Don't close $db before calling lastErrorMsg() * Add support for user & url parameters from gPass popup
2020-02-26 16:00:24 +01:00 · 2020-02-26 16:00:24 +01:00 · 9d528aeaa0
parent 6f1e2a814d
commit 9d528aeaa0
4 changed files with 38 additions and 34 deletions
--- a/server/_user
+++ b/server/_user
@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2015 Grégory Soutadé
+  Copyright (C) 2013-2020 Grégory Soutadé
  
  This file is part of gPass.
  
@ -63,30 +63,31 @@ $PROTOCOL_VERSION = 4;

 $db = load_database();

-$res = "";
-
-$statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");
-
 echo "protocol=gpass-$PROTOCOL_VERSION\n";
 if ($PBKDF2_LEVEL != 1000)
    echo "pbkdf2_level=$PBKDF2_LEVEL\n";

-for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
+if ($db)
 {
-    $statement->bindValue(":login", addslashes($_POST["k$i"]));
-    $result = $statement->execute();
-    $row = $result->fetchArray(SQLITE3_ASSOC);
-    $result->finalize();
-    if (isset($row["password"]))
-    {
-        echo "matched_key=" . $i . "\n";
-        echo "pass=" . $row["password"] . "\n";
-        break;
-    }
-}
+    $statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");

-$statement->close();
+    for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
+    {
+        $statement->bindValue(":login", addslashes($_POST["k$i"]));
+        $result = $statement->execute();
+        $row = $result->fetchArray(SQLITE3_ASSOC);
+        $result->finalize();
+        if (isset($row["password"]))
+        {
+            echo "matched_key=" . $i . "\n";
+            echo "pass=" . $row["password"] . "\n";
+            break;
+        }
+    }
+
+    $statement->close();
+}

 echo "<end>";

-?>
+?>
--- a/server/functions.php
+++ b/server/functions.php
@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2017 Grégory Soutadé
+  Copyright (C) 2013-2019 Grégory Soutadé
  
  This file is part of gPass.
  
@ -241,18 +241,21 @@ function delete_entry($user, $login, $access_token)
    }

    $result = $db->exec("DELETE FROM gpass WHERE login='" . $login . "'");
-    $db->close();

    if (!$result)
    {
        echo "Error " . $db->lastErrorMsg();
-        return false;
+        $ret = false;
    }
    else
    {
        echo "OK";
-        return true;
+        $ret = true;
    }
+
+    
+    $db->close();
+    return $ret;
 }

 function update_entry($user, $mkey, $old_login, $url, $login, $password, $shadow_login, $salt, $old_access_token, $new_access_token)
@ -329,4 +332,4 @@ function get_secure_entries($user, $access_tokens)
    $db->close();
 }

-?>
+?>
--- a/server/index.php
+++ b/server/index.php
@ -1,19 +1,19 @@
 <?php
 /*
  Copyright (C) 2013-2017 Grégory Soutadé
-  
+
  This file is part of gPass.
-  
+
  gPass is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
-  
+
  gPass is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
-  
+
  You should have received a copy of the GNU General Public License
  along with gPass.  If not, see <http://www.gnu.org/licenses/>.
 */
@ -50,7 +50,7 @@ else
    if (isset($_POST['get_passwords']) && isset($_POST['user']))
        return list_entries($user);

-    if (isset($_POST['add_entry']) && isset($_POST['user']) && 
+    if (isset($_POST['add_entry']) && isset($_POST['user']) &&
        isset($_POST['login']) && isset($_POST['password']) &&
        isset($_POST['shadow_login']) && isset($_POST['salt']) &&
        isset($_POST['access_token']) )
@ -61,7 +61,7 @@ else
                         $salt,
                         $access_token);

-    if (isset($_POST['delete_entry']) && isset($_POST['user']) && 
+    if (isset($_POST['delete_entry']) && isset($_POST['user']) &&
        isset($_POST['login']) && isset($_POST['access_token']))
        return delete_entry($user,
                            $login,
@ -69,7 +69,7 @@ else
 }

 ?>
-<!DOCTYPE html> 
+<!DOCTYPE html>
 <html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
@ -158,8 +158,8 @@ if ($user != "")
 {
    echo "<b>Add a new password</b><br/>\n";

-    echo 'URL <input type="text" name="url"/>';
-    echo 'login <input type="text" name="login" />';
+    echo 'URL <input type="text" name="url" value="' . (filter_input(INPUT_GET, "url", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
+    echo 'login <input type="text" name="login" value="' . (filter_input(INPUT_GET, "user", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
    echo 'password <input id="new_password" type="text" name="password"/>';
    echo 'master key <input type="text" name="mkey" onkeypress="if (event.keyCode == 13) add_password();" onkeyup="chkPass(this.value);"/>';
    echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
--- a/server/resources/gpass.js
+++ b/server/resources/gpass.js
@ -145,7 +145,7 @@ var current_user = "";
 var current_mkey = "";
 var clearTimer = null;
 var global_iv = null;
-var server_url = document.documentURI;
+var server_url = window.location.href.split('?')[0];

 function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
    this.ciphered_login = ciphered_login;