Update server:

* Check that $db variable is OK before processing database requests
	* Don't close $db before calling lastErrorMsg()
	* Add support for user & url parameters from gPass popup
Gregory Soutade 2020-02-26 16:00:24 +01:00
parent 6f1e2a814d
commit 9d528aeaa0
4 changed files with 38 additions and 34 deletions


@ -1,6 +1,6 @@
<?php <?php
/* /*
Copyright (C) 2013-2015 Grégory Soutadé Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass. This file is part of gPass.
@ -63,30 +63,31 @@ $PROTOCOL_VERSION = 4;
$db = load_database(); $db = load_database();
$res = "";
$statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");
echo "protocol=gpass-$PROTOCOL_VERSION\n"; echo "protocol=gpass-$PROTOCOL_VERSION\n";
if ($PBKDF2_LEVEL != 1000) if ($PBKDF2_LEVEL != 1000)
echo "pbkdf2_level=$PBKDF2_LEVEL\n"; echo "pbkdf2_level=$PBKDF2_LEVEL\n";
for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++) if ($db)
{ {
$statement->bindValue(":login", addslashes($_POST["k$i"])); $statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");
$result = $statement->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
$result->finalize();
if (isset($row["password"]))
{
echo "matched_key=" . $i . "\n";
echo "pass=" . $row["password"] . "\n";
break;
}
}
$statement->close(); for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
{
$statement->bindValue(":login", addslashes($_POST["k$i"]));
$result = $statement->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
$result->finalize();
if (isset($row["password"]))
{
echo "matched_key=" . $i . "\n";
echo "pass=" . $row["password"] . "\n";
break;
}
}
$statement->close();
}
echo "<end>"; echo "<end>";
?> ?>
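Review bot: The new `if ($db)` guard does not cover `$db->prepare(...)` returning false (SQLite3::prepare returns false on error, e.g. a missing table), so `$statement->bindValue` on the line right after the guard can still fatal; `$statement = $db ? $db->prepare("SELECT password FROM gpass WHERE login=:login") : false; if ($statement)` closes that hole. When `$db` is falsy the script still prints `protocol=` and `<end>` with nothing in between, so a client cannot distinguish a missing database from a no-match — an explicit `error=` line would let the extension surface it. Separately, `addslashes()` on a value passed to `bindValue` is unnecessary and, unless the stored login was escaped the same way on insert, changes the key being looked up for any login containing a quote or backslash; the parameter binding already makes the value safe, so bind `$_POST["k$i"]` directly.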


@ -1,6 +1,6 @@
<?php <?php
/* /*
Copyright (C) 2013-2017 Grégory Soutadé Copyright (C) 2013-2019 Grégory Soutadé
This file is part of gPass. This file is part of gPass.
@ -241,18 +241,21 @@ function delete_entry($user, $login, $access_token)
} }
$result = $db->exec("DELETE FROM gpass WHERE login='" . $login . "'"); $result = $db->exec("DELETE FROM gpass WHERE login='" . $login . "'");
$db->close();
if (!$result) if (!$result)
{ {
echo "Error " . $db->lastErrorMsg(); echo "Error " . $db->lastErrorMsg();
return false; $ret = false;
} }
else else
{ {
echo "OK"; echo "OK";
return true; $ret = true;
} }
$db->close();
return $ret;
} }
function update_entry($user, $mkey, $old_login, $url, $login, $password, $shadow_login, $salt, $old_access_token, $new_access_token) function update_entry($user, $mkey, $old_login, $url, $login, $password, $shadow_login, $salt, $old_access_token, $new_access_token)
@ -329,4 +332,4 @@ function get_secure_entries($user, $access_tokens)
$db->close(); $db->close();
} }
?> ?>
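Review bot: The DELETE on the first line of the hunk still builds its SQL by concatenating `$login`, while the update script in this same commit already uses `prepare()` with a `:login` placeholder; unless `$login` is escaped above the hunk (delete_entry begins outside it), a login containing a quote breaks the statement or deletes other rows. Use the same pattern here: `$statement = $db->prepare("DELETE FROM gpass WHERE login=:login"); $statement->bindValue(":login", $login); $result = $statement->execute();`. Echoing `$db->lastErrorMsg()` also sends the raw SQLite error text to the HTTP client; log it server-side and return a generic `Error` to the caller.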


@ -1,19 +1,19 @@
<?php <?php
/* /*
Copyright (C) 2013-2017 Grégory Soutadé Copyright (C) 2013-2017 Grégory Soutadé
This file is part of gPass. This file is part of gPass.
gPass is free software: you can redistribute it and/or modify gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. (at your option) any later version.
gPass is distributed in the hope that it will be useful, gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>. along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/ */
@ -50,7 +50,7 @@ else
if (isset($_POST['get_passwords']) && isset($_POST['user'])) if (isset($_POST['get_passwords']) && isset($_POST['user']))
return list_entries($user); return list_entries($user);
if (isset($_POST['add_entry']) && isset($_POST['user']) && if (isset($_POST['add_entry']) && isset($_POST['user']) &&
isset($_POST['login']) && isset($_POST['password']) && isset($_POST['login']) && isset($_POST['password']) &&
isset($_POST['shadow_login']) && isset($_POST['salt']) && isset($_POST['shadow_login']) && isset($_POST['salt']) &&
isset($_POST['access_token']) ) isset($_POST['access_token']) )
@ -61,7 +61,7 @@ else
$salt, $salt,
$access_token); $access_token);
if (isset($_POST['delete_entry']) && isset($_POST['user']) && if (isset($_POST['delete_entry']) && isset($_POST['user']) &&
isset($_POST['login']) && isset($_POST['access_token'])) isset($_POST['login']) && isset($_POST['access_token']))
return delete_entry($user, return delete_entry($user,
$login, $login,
@ -69,7 +69,7 @@ else
} }
?> ?>
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" > <meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
@ -158,8 +158,8 @@ if ($user != "")
{ {
echo "<b>Add a new password</b><br/>\n"; echo "<b>Add a new password</b><br/>\n";
echo 'URL <input type="text" name="url"/>'; echo 'URL <input type="text" name="url" value="' . (filter_input(INPUT_GET, "url", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
echo 'login <input type="text" name="login" />'; echo 'login <input type="text" name="login" value="' . (filter_input(INPUT_GET, "user", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
echo 'password <input id="new_password" type="text" name="password"/>'; echo 'password <input id="new_password" type="text" name="password"/>';
echo 'master key <input type="text" name="mkey" onkeypress="if (event.keyCode == 13) add_password();" onkeyup="chkPass(this.value);"/>'; echo 'master key <input type="text" name="mkey" onkeypress="if (event.keyCode == 13) add_password();" onkeyup="chkPass(this.value);"/>';
echo '<input type="button" value="Generate password" onClick="generate_password();"/>'; echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
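Review bot: The GET parameter named `user` fills the site `login` field on the second changed line, while everywhere else in this file `user` is the gPass account (`isset($_POST['user'])` in the handlers above), which is easy to misread; a comment such as `// popup pre-fill: ?url=&user= — here 'user' is the site login, not the gPass account` above the two echo lines would prevent that. `FILTER_SANITIZE_SPECIAL_CHARS` does encode the double quote, so the attribute context is safe only as long as the attribute stays double-quoted; if that constraint is deliberate, state it in the same comment, or use `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, which also handles invalid UTF-8. Note also that these values come from the query string, so a crafted link can pre-fill a misleading URL and login for the user to save — acceptable since the master key still has to be typed, but worth stating next to the code.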


@ -145,7 +145,7 @@ var current_user = "";
var current_mkey = ""; var current_mkey = "";
var clearTimer = null; var clearTimer = null;
var global_iv = null; var global_iv = null;
var server_url = document.documentURI; var server_url = window.location.href.split('?')[0];
function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) { function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
this.ciphered_login = ciphered_login; this.ciphered_login = ciphered_login;
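Review bot: `window.location.href.split('?')[0]` on the changed line drops the query string but keeps a fragment when the URL has `#frag` and no `?`, so `server_url` would then end in the fragment and requests go to the wrong target; `var server_url = window.location.origin + window.location.pathname;` strips both and matches what the name promises. This is a top-level statement, so the surrounding definitions are unaffected by the change.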