Limit length of user inputs

s-gv · Nov 8, 2017 · 379125c · egorsmkv · Nov 9, 2017 · 379125c
1 parent 9094a2c
commit 379125c
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 12 deletions.
diff --git a/templates/profile.go b/templates/profile.go
@@ -26,6 +26,12 @@ const profileSrc = `
 		<th><label for="email">Email (private):</label></th>
 		<td><input type="email" name="email" id="email" value={{ .Email }}></td>
 	</tr>
+	{{ if .Common.Msg }}
+	<tr>
+		<th></th>
+		<td><span class="alert">{{ .Common.Msg }}</span></td>
+	</tr>
+	{{ end }}
 	<tr>
 		<th></th>
 		<td><input type="submit" name="action" value="Update"></td>

diff --git a/views/auth.go b/views/auth.go
@@ -15,6 +15,7 @@ import (
 	"html/template"
 	"github.com/s-gv/orangeforum/models/db"
 	"time"
+	"fmt"
 )
 
 var LoginHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Session) {
@@ -30,6 +31,10 @@ var LoginHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Session)
 	if r.Method == "POST" {
 		userName := r.PostFormValue("username")
 		passwd := r.PostFormValue("passwd")
+		if len(userName) > 200 || len(passwd) > 200 {
+			fmt.Fprint(w, "username / password too long.")
+			return
+		}
 		if err = sess.Authenticate(userName, passwd); err == nil {
 			http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 			return
@@ -66,8 +71,8 @@ var SignupHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Session
 		passwd := r.PostFormValue("passwd")
 		passwdConfirm := r.PostFormValue("confirm")
 		email := r.PostFormValue("email")
-		if len(userName) == 0 {
-			sess.SetFlashMsg("Username cannot be blank.")
+		if len(userName) < 2 || len(userName) > 32 {
+			sess.SetFlashMsg("Username should have 2-32 characters.")
 			http.Redirect(w, r, "/signup", http.StatusSeeOther)
 			return
 		}
@@ -92,6 +97,11 @@ var SignupHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Session
 			http.Redirect(w, r, "/signup", http.StatusSeeOther)
 			return
 		}
+		if len(email) > 64 {
+			sess.SetFlashMsg("Email should have fewer than 64 characters.")
+			http.Redirect(w, r, "/signup", http.StatusSeeOther)
+			return
+		}
 		models.CreateUser(userName, passwd, email)
 		sess.Authenticate(userName, passwd)
 		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
@@ -138,7 +148,7 @@ var ChangePasswdHandler = UA(func(w http.ResponseWriter, r *http.Request, sess S
 var ForgotPasswdHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Session) {
 	if r.Method == "POST" {
 		userName := r.PostFormValue("username")
-		if userName == "" || !models.ProbeUser(userName) {
+		if userName == "" || len(userName) > 200 || !models.ProbeUser(userName) {
 			sess.SetFlashMsg("Username doesn't exist.")
 			http.Redirect(w, r, "/forgotpass", http.StatusSeeOther)
 			return

diff --git a/views/comments.go b/views/comments.go
@@ -96,8 +96,9 @@ var CommentCreateHandler = A(func(w http.ResponseWriter, r *http.Request, sess S
 			imageName = saveImage(r)
 		}
 
-		if content == "" && imageName == "" {
-			http.Redirect(w, r, "/topics?id="+topicID+"#comment-last", http.StatusSeeOther)
+		if (len(content) < 2 && imageName == "") || len(content) > 5000 {
+			sess.SetFlashMsg("Comment should have 2-5000 characters.")
+			http.Redirect(w, r, "/comments/new?tid="+topicID, http.StatusSeeOther)
 			return
 		}
 
@@ -198,6 +199,11 @@ var CommentUpdateHandler = A(func(w http.ResponseWriter, r *http.Request, sess S
 	if r.Method == "POST" {
 		action := r.PostFormValue("action")
 		if action == "Update" {
+			if len(content) < 2 || len(content) > 5000 {
+				sess.SetFlashMsg("Comment should have 2-5000 characters.")
+				http.Redirect(w, r, "/comments/edit?id="+commentID, http.StatusSeeOther)
+				return
+			}
 			if content == "" {
 				http.Redirect(w, r, "/comments/edit?id="+commentID, http.StatusSeeOther)
 				return

diff --git a/views/groups.go b/views/groups.go
@@ -127,11 +127,31 @@ var GroupEditHandler = A(func(w http.ResponseWriter, r *http.Request, sess Sessi
 
 	if r.Method == "POST" {
 		if action == "Create" {
+			if len(name) < 3 || len(name) > 40 {
+				sess.SetFlashMsg("Group name should have 3-40 characters.")
+				http.Redirect(w, r, "/groups/edit", http.StatusSeeOther)
+				return
+			}
+			if len(desc) > 160 {
+				sess.SetFlashMsg("Group description should have less than 160 characters.")
+				http.Redirect(w, r, "/groups/edit", http.StatusSeeOther)
+				return
+			}
+			if len(headerMsg) > 160 {
+				sess.SetFlashMsg("Announcement should have less than 160 characters.")
+				http.Redirect(w, r, "/groups/edit", http.StatusSeeOther)
+				return
+			}
 			if err := validateName(name); err != nil {
 				sess.SetFlashMsg(err.Error())
 				http.Redirect(w, r, "/groups/edit", http.StatusSeeOther)
 				return
 			}
+			if len(admins) > 32 || len(mods) > 32 {
+				sess.SetFlashMsg("Number of admins/mods should no more than 32.")
+				http.Redirect(w, r, "/groups/edit", http.StatusSeeOther)
+				return
+			}
 			db.Exec(`INSERT INTO groups(name, description, header_msg, is_sticky, is_private, created_date, updated_date) VALUES(?, ?, ?, ?, ?, ?, ?);`, name, desc, headerMsg, isSticky, isPrivate, time.Now().Unix(), time.Now().Unix())
 			groupID := models.ReadGroupIDByName(name)
 			for _, mod := range mods {
@@ -146,11 +166,31 @@ var GroupEditHandler = A(func(w http.ResponseWriter, r *http.Request, sess Sessi
 			}
 			http.Redirect(w, r, "/groups?name="+name, http.StatusSeeOther)
 		} else if action == "Update" {
+			if len(name) < 3 || len(name) > 40 {
+				sess.SetFlashMsg("Group name should have 3-40 characters.")
+				http.Redirect(w, r, "/groups/edit?id="+groupID, http.StatusSeeOther)
+				return
+			}
+			if len(desc) > 160 {
+				sess.SetFlashMsg("Group description should have less than 160 characters.")
+				http.Redirect(w, r, "/groups/edit?id="+groupID, http.StatusSeeOther)
+				return
+			}
+			if len(headerMsg) > 160 {
+				sess.SetFlashMsg("Announcement should have less than 160 characters.")
+				http.Redirect(w, r, "/groups/edit?id="+groupID, http.StatusSeeOther)
+				return
+			}
 			if err := validateName(name); err != nil {
 				sess.SetFlashMsg(err.Error())
 				http.Redirect(w, r, "/groups/edit?id="+groupID, http.StatusSeeOther)
 				return
 			}
+			if len(admins) > 32 || len(mods) > 32 {
+				sess.SetFlashMsg("Number of admins/mods should no more than 32.")
+				http.Redirect(w, r, "/groups/edit?id="+groupID, http.StatusSeeOther)
+				return
+			}
 			isUserSuperAdmin := false
 			db.QueryRow(`SELECT is_superadmin FROM users WHERE id=?;`, sess.UserID).Scan(&isUserSuperAdmin)
 			if !isUserSuperAdmin {

diff --git a/views/profile.go b/views/profile.go
@@ -34,6 +34,16 @@ var UserProfileHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Se
 			if isSuperAdmin || userID == sess.UserID.Int64 {
 				email := r.FormValue("email")
 				about := r.FormValue("about")
+				if len(email) > 64 {
+					sess.SetFlashMsg("Email should have fewer than 64 characters.")
+					http.Redirect(w, r, "/users?u="+userName, http.StatusSeeOther)
+					return
+				}
+				if len(about) > 1024 {
+					sess.SetFlashMsg("About should have fewer than 1024 characters.")
+					http.Redirect(w, r, "/users?u="+userName, http.StatusSeeOther)
+					return
+				}
 				db.Exec(`UPDATE users SET email=?, about=? WHERE id=?;`, email, about, userID)
 			} else {
 				ErrForbiddenHandler(w, r)

diff --git a/views/topics.go b/views/topics.go
@@ -131,8 +131,13 @@ var TopicCreateHandler = A(func(w http.ResponseWriter, r *http.Request, sess Ses
 		title := r.PostFormValue("title")
 		content := r.PostFormValue("content")
 		isSticky := r.PostFormValue("is_sticky") != ""
-		if len(title) < 1 || len(title) > 150 {
-			sess.SetFlashMsg("Invalid number of characters in the title. Valid range: 1-150.")
+		if len(title) < 8 || len(title) > 80 {
+			sess.SetFlashMsg("Title should have 8-80 characters.")
+			http.Redirect(w, r, "/topics/new?gid="+groupID, http.StatusSeeOther)
+			return
+		}
+		if len(content) > 5000 {
+			sess.SetFlashMsg("Content should have less than 5000 characters.")
 			http.Redirect(w, r, "/topics/new?gid="+groupID, http.StatusSeeOther)
 			return
 		}
@@ -214,12 +219,16 @@ var TopicUpdateHandler = A(func(w http.ResponseWriter, r *http.Request, sess Ses
 	}
 
 	if r.Method == "POST" {
-		if len(title) < 1 || len(title) > 150 {
-			sess.SetFlashMsg("Invalid number of characters in the title. Valid range: 1-150.")
+		if len(title) < 8 || len(title) > 80 {
+			sess.SetFlashMsg("Title should have 8-80 characters.")
+			http.Redirect(w, r, "/topics/edit?id="+topicID, http.StatusSeeOther)
+			return
+		}
+		if len(content) > 5000 {
+			sess.SetFlashMsg("Content should have less than 5000 characters.")
 			http.Redirect(w, r, "/topics/edit?id="+topicID, http.StatusSeeOther)
 			return
 		}
-
 		if action == "Update" {
 			db.Exec(`UPDATE topics SET title=?, content=?, is_sticky=?, updated_date=? WHERE id=?;`, title, content, isSticky, int(time.Now().Unix()), topicID)
 		} else if action == "Close" && (isMod || isAdmin || isSuperAdmin) {

diff --git a/views/utils.go b/views/utils.go
@@ -190,8 +190,8 @@ func saveImage(r *http.Request) string {
 }
 
 func validatePasswd(passwd string, passwdConfirm string) error {
-	if len(passwd) < 8 {
-		return errors.New("Password should have at least 8 characters.")
+	if len(passwd) < 8 || len(passwd) > 40 {
+		return errors.New("Password should have 8-40 characters.")
 	}
 	if passwd != passwdConfirm {
 		return errors.New("Passwords don't match.")