From a180cb62d728c95520a277bcc0dc6c5b4ca70bc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9gory=20Soutad=C3=A9?= <soutade@gmail.com>
Date: Mon, 17 Apr 2017 20:37:26 +0200
Subject: [PATCH] Use a variable (server_url) instead of document.documentURI

---
 server/resources/gpass.js | 23 ++++++++++++-----------
 server/resources/misc.js  |  4 +++-
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/server/resources/gpass.js b/server/resources/gpass.js
index 978ee54..e8911d7 100755
--- a/server/resources/gpass.js
+++ b/server/resources/gpass.js
@@ -121,16 +121,17 @@ function a2hex(str) {
 
 async function derive_mkey(user, mkey)
 {
-    url = url_domain(document.URL) + "/" + user;
+    url = url_domain(server_url) + "/" + user;
     global_iv = simple_pbkdf2(url, mkey, pbkdf2_level);
     return crypto_pbkdf2(mkey, url, pbkdf2_level);
 }
 
-var passwords;
+var passwords = null;
 var current_user = "";
 var current_mkey = "";
 var clearTimer = null;
 var global_iv = null;
+var server_url = document.documentURI;
 
 function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
     this.ciphered_login = ciphered_login;
@@ -185,7 +186,7 @@ function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
 	this.masterkey = masterkey;
 
 	if (use_shadow_logins)
-	    this.generate_access_token(masterkey);
+	    await this.generate_access_token(masterkey);
     }
 
     this.decrypt = async function(masterkey)
@@ -320,7 +321,7 @@ function list_all_entries(user)
 	}
     }
 			 , false);
-    req.open("POST", document.documentURI, false);
+    req.open("POST", server_url, false);
     req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
     req.send("get_passwords=1&user=" + user);
 }
@@ -410,9 +411,9 @@ async function get_ciphered_credentials(masterkey)
 	    }
 	}
     }, false);
-    req.open("POST", document.documentURI, false);
+    req.open("POST", server_url, false);
     req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
-    req.send("get_secure_passwords=1&user=" + user + "&access_tokens=" + access_tokens);
+    req.send("get_secure_passwords=1&user=" + current_user + "&access_tokens=" + access_tokens);
 }
 
 async function change_master_key(warning_unciphered)
@@ -564,7 +565,7 @@ function update_master_key(warning_unciphered)
 	addon_address = document.getElementById("addon_address");
 	addon_address.removeAllChilds();
 
-	addon_address.appendChild(document.createTextNode("Current addon address is : " + document.documentURI + current_user));
+	addon_address.appendChild(document.createTextNode("Current addon address is : " + server_url + current_user));
 
 	warning_unciphered = false;
     }
@@ -612,7 +613,7 @@ function add_password_server(user, pentry)
 	else
 	    alert(resp);
     }, false);
-    req.open("POST", document.documentURI, false);
+    req.open("POST", server_url, false);
     req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
     req.send("add_entry=1&user=" + user + "&login=" + pentry.ciphered_login + "&password=" + pentry.ciphered_password + "&shadow_login=" + pentry.shadow_login + "&salt=" + pentry.salt + "&access_token=" + pentry.access_token);
 
@@ -648,7 +649,7 @@ async function construct_pentry(user, url, password, login, mkey, derive_masterk
     }
 
     if (derive_masterkey)
-	mkey = derive_mkey(current_user, mkey);
+	mkey = derive_mkey(user, mkey);
 
     for(i=0; i<passwords.length; i++)
     {
@@ -684,7 +685,7 @@ function remove_password_server(user, login, access_token)
 	else
 	    alert(resp);
     }, false);
-    req.open("POST", document.documentURI, false);
+    req.open("POST", server_url, false);
     req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
     req.send("delete_entry=1&user=" + user + "&login=" + login + "&access_token=" + access_token);
 
@@ -951,7 +952,7 @@ function export_database()
 
     if (text_link != null) window.URL.revokeObjectURL(text_link);
 
-    text = "<passwords user=\"" + current_user + "\" addon_address=\"" + document.documentURI + current_user + "\">\n";
+    text = "<passwords user=\"" + current_user + "\" addon_address=\"" + server_url + current_user + "\">\n";
     for(i=0; i<passwords.length; i++)
     {
 	if (!passwords[i].unciphered) continue;
diff --git a/server/resources/misc.js b/server/resources/misc.js
index 866d2b6..a85bdf4 100644
--- a/server/resources/misc.js
+++ b/server/resources/misc.js
@@ -20,7 +20,9 @@
 var default_preferences = {"pbkdf2_level": 1000,
 			   "account_url": "https://gpass-demo.soutade.fr/demo"};
 
-var browser = browser || chrome;
+var browser = browser;
+if (typeof chrome !== 'undefined')
+    browser = chrome;
 var crypto = crypto || window.crypto;
 
 // https://stackoverflow.com/questions/6965107/converting-between-strings-and-arraybuffers