input validation, db schema

2016-08-25 21:36:27 +01:00 · 2016-08-25 21:36:27 +01:00 · 61de0371b1
parent f17e930ab4
commit 61de0371b1
6 changed files with 43 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -6,8 +6,11 @@ chown www:www /var/www/run
 install -o www -g www -m 0400 httpd.conf /etc/
 echo "permit nopass root as www" >> /etc/doas.conf
 curl -L https://cpanmin.us | perl - App::cpanminus
-cpanm -l /var/www/perl5 FCGI Switch Template::Simple File::Slurp
+cpanm -l /var/www/perl5 FCGI Switch Template::Simple File::Slurp Email::Valid
 install -o www -g www -m 0500 tormon/* /var/www/tormon/
+cat db.sql | sqlite3 /var/www/tormon.db
+chown www:www /var/www/tormon.db
+chmod 0600 /var/www/tormon.db
 echo 'echo "Starting tormon" && doas -u www /var/www/tormon/tormon.fcgi &' >> /etc/rc.local
 sh /etc/rc.local # assuming tormon is the only thing in rc.local
 rcctl enable httpd
--- a/db.sql
+++ b/db.sql
@ -0,0 +1,6 @@
+create table users (
+  id int primary key not null,
+  email text not null,
+  confirmed int not null,
+  subscriptions text
+);
--- a/tormon/e_email.tt
+++ b/tormon/e_email.tt
@ -0,0 +1,2 @@
+<h1>Error</h1>
+The email address you entered does not appear to be valid. Please go back and try again.
--- a/tormon/e_fingerprint.tt
+++ b/tormon/e_fingerprint.tt
@ -0,0 +1,2 @@
+<h1>Error</h1>
+The fingerprint you entered does not appear to be valid. Please go back and try again.
--- a/tormon/e_security.tt
+++ b/tormon/e_security.tt
@ -0,0 +1,2 @@
+<h1>Error</h1>
+You did not answer the security question correctly. Please go back and try again.
--- a/tormon/tormon.fcgi
+++ b/tormon/tormon.fcgi
@ -6,6 +6,7 @@ use FCGI;
 use Switch;
 use File::Slurp;
 use Template::Simple;
+use Email::Valid;
 use FindBin qw($Bin);

 my $VERSION = "1.0";
@ -34,17 +35,37 @@ while ($request->Accept() <= 0) {
  my $code;

  switch ($ENV{"REQUEST_URI"}) {
-    case "/debug" {
-      # TODO - remove this, it's a security vulnerability
-      use Data::Dumper;
-      $content = "<textarea>" . Dumper(\%ENV) . "</textarea>";
-      $code = "\n"; # 200 OK
-    }
    case "/" {
      my $tt = read_file("$Bin/index.tt");
      $content = ${ $tmpl->render($tt, {version => $VERSION}) };
      $code = "\n"; # 200 OK
    }
+    case "/subscribe" {
+      read STDIN, my $buf, $ENV{"CONTENT_LENGTH"};
+      my @pairs = split /&/, $buf;
+      my %input;
+      for (@pairs) {
+        $_ =~ s/\+/ /g;
+        $_ =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
+        my ($a, $b) = split '=', $_;
+        $input{$a} = $b;
+      }
+
+      if (!($input{"spam"} =~ m/London/i)) {
+        $content = read_file("$Bin/e_security.tt");
+        last;
+      }
+      if (!($input{"fp"} =~ m/^[A-F0-9]{40}$/)) {
+        $content = read_file("$Bin/e_fingerprint.tt");
+        last;
+      }
+      if (!Email::Valid->address($input{"email"})) {
+        $content = read_file("$Bin/e_email.tt");
+        last;
+      }
+
+      # Add the email to database
+    }
    else {
      my $tt = read_file("$Bin/error.tt");
      $content = ${ $tmpl->render($tt, {err => 404}) };