From 098c66509f34c503474ea8a9c75b99c15030dcd4 Mon Sep 17 00:00:00 2001
From: Dario
Date: Thu, 24 Oct 2019 12:57:57 +0200
Subject: [PATCH] change name validation to blacklisting <> and &

---
 src/cpp/HTTPInterface/LoginPage.cpp | 2 ++
 src/cpp/HTTPInterface/PageRequestHandlerFactory.cpp | 8 ++++----
 src/cpp/SingletonManager/SessionManager.cpp | 2 +-
 src/cpp/model/Session.cpp | 4 ++--
 src/cpsp/login.cpsp | 2 ++
 5 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/cpp/HTTPInterface/LoginPage.cpp b/src/cpp/HTTPInterface/LoginPage.cpp
index 9a068c60d..654a9e2f9 100644
--- a/src/cpp/HTTPInterface/LoginPage.cpp
+++ b/src/cpp/HTTPInterface/LoginPage.cpp
@@ -37,6 +37,8 @@ void LoginPage::handleRequest(Poco::Net::HTTPServerRequest& request, Poco::Net::
 if(!session) {
 session = sm->getNewSession();
 auto user_host = request.clientAddress().host();
+ auto client_ip = request.clientAddress();
+ printf("client ip: %s\n", client_ip.toString().data());
 session->setClientIp(user_host);
 response.addCookie(session->getLoginCookie());
 }
diff --git a/src/cpp/HTTPInterface/PageRequestHandlerFactory.cpp b/src/cpp/HTTPInterface/PageRequestHandlerFactory.cpp
index c49462732..ddc240e91 100644
--- a/src/cpp/HTTPInterface/PageRequestHandlerFactory.cpp
+++ b/src/cpp/HTTPInterface/PageRequestHandlerFactory.cpp
@@ -80,7 +80,9 @@ Poco::Net::HTTPRequestHandler* PageRequestHandlerFactory::createRequestHandler(c
 return handleCheckEmail(s, uri, request);
 }
 }
-
+ if (url_first_part == "/register") {
+ return new RegisterPage;
+ }
 if (s) {
 auto user = s->getUser();
 if (s->errorCount() || (!user.isNull() && user->errorCount())) {
@@ -115,6 +117,7 @@ Poco::Net::HTTPRequestHandler* PageRequestHandlerFactory::createRequestHandler(c
 //printf("[PageRequestHandlerFactory] go to dashboard page with user\n");
 return new DashboardPage(s);
 }
+ }
 else {
 if (url_first_part == "/config") {
 
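Review bot: The added `printf` writes every new visitor's IP address unconditionally to stdout and re-reads `request.clientAddress()` one line after `user_host` was already taken from it, which reads as leftover debugging; the same two lines are added in src/cpsp/login.cpsp. If the address is meant to be recorded, route it through the application's logger at debug level rather than `printf`, so it does not end up in production output; otherwise drop both added lines, since `session->setClientIp(user_host)` already retains the host. handleRequest continues outside the hunk.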
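Review bot: Moving the `/register` route above `if (s)` changes its reachability: it was previously matched only in the no-session `else` branch (the block removed in the hunk at -123), whereas now a request with a live session, including one whose session or user carries pending errors, receives `RegisterPage` before the error handling that follows `if (s)` runs. That may well be intended, but it deserves a one-line comment on the new block, e.g. `// registration is reachable with or without a session`, so the ordering is not "fixed" back later. createRequestHandler starts before and ends after this hunk.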
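Review bot: The added `}` before `else {` has no matching `{` anywhere in this patch, and the `/register` block added at -80 is self-balanced, so the commit's net brace count in createRequestHandler is +1 and the `else` now pairs with a different `if` than before. Lines 88-116 of the function are not in the diff, so this may be correcting a brace that was previously mis-nested, but it should be confirmed by a compile and by checking which `if` the `else` now binds to (presumably `if (s)`). A short comment such as `} // if (s)` on the new line would make the pairing explicit.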
@@ -123,9 +126,6 @@ Poco::Net::HTTPRequestHandler* PageRequestHandlerFactory::createRequestHandler(c
 else if (url_first_part == "/login") {
 return new LoginPage;
 }
- else if (url_first_part == "/register") {
- return new RegisterPage;
- }
 }
 return new LoginPage;
 //return new HandleFileRequest;
diff --git a/src/cpp/SingletonManager/SessionManager.cpp b/src/cpp/SingletonManager/SessionManager.cpp
index 0edbe5ada..2175cfc85 100644
--- a/src/cpp/SingletonManager/SessionManager.cpp
+++ b/src/cpp/SingletonManager/SessionManager.cpp
@@ -34,7 +34,7 @@ bool SessionManager::init()
 for (i = 0; i < VALIDATE_MAX; i++) {
 switch (i) {
 //case VALIDATE_NAME: mValidations[i] = new Poco::RegularExpression("/^[a-zA-Z_ -]{3,}$/"); break;
- case VALIDATE_NAME: mValidations[i] = new Poco::RegularExpression("^[a-zA-Z]{3,}$"); break;
+ case VALIDATE_NAME: mValidations[i] = new Poco::RegularExpression("^[^<>&;]{3,}$"); break;
 case VALIDATE_EMAIL: mValidations[i] = new Poco::RegularExpression("^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$"); break;
 case VALIDATE_PASSWORD: mValidations[i] = new Poco::RegularExpression("^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[@$!%*?&+-])[A-Za-z0-9@$!%*?&+-]{8,}$"); break;
 case VALIDATE_PASSPHRASE: mValidations[i] = new Poco::RegularExpression("^(?:[a-z]* ){23}[a-z]*\s*$"); break;
diff --git a/src/cpp/model/Session.cpp b/src/cpp/model/Session.cpp
index 694850fef..4edbe043d 100644
--- a/src/cpp/model/Session.cpp
+++ b/src/cpp/model/Session.cpp
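Review bot: The new name pattern `^[^<>&;]{3,}$` is a deny-list, so everything outside those four characters now passes, including quotes, backslashes, control characters and newlines (`[^...]` matches `\n`, and `$` accepts a trailing newline), which means this check cannot be relied on to make names safe in HTML attribute, JavaScript or other output contexts; escaping at the point of rendering remains the control, and `;` is excluded although the commit title names only `<>` and `&`. Without `Poco::RegularExpression::RE_UTF8` the `{3,}` quantifier also counts bytes, so a two-letter name containing one umlaut satisfies the "3 Zeichen" rule. If the goal is only to admit names in non-Latin scripts, an allow-list such as `new Poco::RegularExpression("^[\\p{L} '-]{3,}$", Poco::RegularExpression::RE_UTF8)` keeps the previous posture (assuming the bundled PCRE has Unicode property support). Otherwise a comment on the new line stating that output escaping, not this regex, is the injection control would help the next reader. init continues outside the hunk.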
@@ -124,11 +124,11 @@ bool Session::createUser(const std::string& first_name, const std::string& last_
 Profiler usedTime;
 auto sm = SessionManager::getInstance();
 if (!sm->isValid(first_name, VALIDATE_NAME)) {
- addError(new Error("Vorname", "Bitte gebe einen Namen an. Mindestens 3 Zeichen, keine Sonderzeichen oder Zahlen."));
+ addError(new Error("Vorname", "Bitte gebe einen Namen an. Mindestens 3 Zeichen, keines folgender Zeichen <>&;"));
 return false;
 }
 if (!sm->isValid(last_name, VALIDATE_NAME)) {
- addError(new Error("Nachname", "Bitte gebe einen Namen an. Mindestens 3 Zeichen, keine Sonderzeichen oder Zahlen."));
+ addError(new Error("Nachname", "Bitte gebe einen Namen an. Mindestens 3 Zeichen, keines folgender Zeichen <>&;"));
 return false;
 }
 if (!sm->isValid(email, VALIDATE_EMAIL)) {
diff --git a/src/cpsp/login.cpsp b/src/cpsp/login.cpsp
index d7fca3b36..7a6d78a8b 100644
--- a/src/cpsp/login.cpsp
+++ b/src/cpsp/login.cpsp
@@ -23,6 +23,8 @@
 auto session = sm->getSession(request);
 if(!session) {
 session = sm->getNewSession();
+ auto client_ip = request.clientAddress();
+ printf("client ip: %s\n", client_ip.toString());
 auto user_host = request.clientAddress().host();
 session->setClientIp(user_host);
 response.addCookie(session->getLoginCookie());
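Review bot: The forbidden character set `<>&;` is now spelled out independently in the regex in SessionManager.cpp and in these two error messages, so the three copies will drift the next time the rule changes. A single constant for the message text, or a message built from one list of forbidden characters, would keep them in step, and the two `addError` calls could then share one string instead of two near-identical literals. createUser continues outside the hunk.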
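Review bot: `printf("client ip: %s\n", client_ip.toString())` passes a `std::string` through printf's variadic `...`, which is undefined behaviour for a non-trivial class type and in practice prints garbage or crashes; the LoginPage.cpp copy of this line at least calls `.data()`. If the line stays it needs `client_ip.toString().c_str()`, but since `user_host` is taken from the same `request.clientAddress()` on the next line, the cleaner fix is to drop both added lines or log the address through the application's logger at debug level instead of stdout. The enclosing block starts before and ends after the hunk.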