Update server:

* Check that $db variable is OK before processing database requests * Don't close $db before calling lastErrorMsg() * Add support for user & url parameters from gPass popup
2020-02-26 16:00:24 +01:00 · 2020-02-26 16:00:24 +01:00 · 9d528aeaa0
commit 9d528aeaa0
parent 6f1e2a814d
4 changed files with 38 additions and 34 deletions
--- a/server/_user
+++ b/server/_user
@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2015 Grégory Soutadé
+  Copyright (C) 2013-2020 Grégory Soutadé
  
  This file is part of gPass.
  
@ -63,29 +63,30 @@ $PROTOCOL_VERSION = 4;

 $db = load_database();

-$res = "";
-
-$statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");
-
 echo "protocol=gpass-$PROTOCOL_VERSION\n";
 if ($PBKDF2_LEVEL != 1000)
    echo "pbkdf2_level=$PBKDF2_LEVEL\n";

-for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
+if ($db)
 {
-    $statement->bindValue(":login", addslashes($_POST["k$i"]));
-    $result = $statement->execute();
-    $row = $result->fetchArray(SQLITE3_ASSOC);
-    $result->finalize();
-    if (isset($row["password"]))
-    {
-        echo "matched_key=" . $i . "\n";
-        echo "pass=" . $row["password"] . "\n";
-        break;
-    }
-}
+    $statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");

-$statement->close();
+    for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
+    {
+        $statement->bindValue(":login", addslashes($_POST["k$i"]));
+        $result = $statement->execute();
+        $row = $result->fetchArray(SQLITE3_ASSOC);
+        $result->finalize();
+        if (isset($row["password"]))
+        {
+            echo "matched_key=" . $i . "\n";
+            echo "pass=" . $row["password"] . "\n";
+            break;
+        }
+    }
+
+    $statement->close();
+}

 echo "<end>";

--- a/server/functions.php
+++ b/server/functions.php
@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2017 Grégory Soutadé
+  Copyright (C) 2013-2019 Grégory Soutadé
  
  This file is part of gPass.
  
@ -241,18 +241,21 @@ function delete_entry($user, $login, $access_token)
    }

    $result = $db->exec("DELETE FROM gpass WHERE login='" . $login . "'");
-    $db->close();

    if (!$result)
    {
        echo "Error " . $db->lastErrorMsg();
-        return false;
+        $ret = false;
    }
    else
    {
        echo "OK";
-        return true;
+        $ret = true;
    }
+
+    
+    $db->close();
+    return $ret;
 }

 function update_entry($user, $mkey, $old_login, $url, $login, $password, $shadow_login, $salt, $old_access_token, $new_access_token)
--- a/server/index.php
+++ b/server/index.php
@ -158,8 +158,8 @@ if ($user != "")
 {
    echo "<b>Add a new password</b><br/>\n";

-    echo 'URL <input type="text" name="url"/>';
-    echo 'login <input type="text" name="login" />';
+    echo 'URL <input type="text" name="url" value="' . (filter_input(INPUT_GET, "url", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
+    echo 'login <input type="text" name="login" value="' . (filter_input(INPUT_GET, "user", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
    echo 'password <input id="new_password" type="text" name="password"/>';
    echo 'master key <input type="text" name="mkey" onkeypress="if (event.keyCode == 13) add_password();" onkeyup="chkPass(this.value);"/>';
    echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
--- a/server/resources/gpass.js
+++ b/server/resources/gpass.js
@ -145,7 +145,7 @@ var current_user = "";
 var current_mkey = "";
 var clearTimer = null;
 var global_iv = null;
-var server_url = document.documentURI;
+var server_url = window.location.href.split('?')[0];

 function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
    this.ciphered_login = ciphered_login;