WebUI: remove leading and trailing spaces from user-submitted input

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 2023-06-04 08:45:17 +02:00
parent 9470cd6e69
commit 3499edd5c2
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
3 changed files with 93 additions and 79 deletions


@ -194,8 +194,7 @@ func (s *httpdServer) handleWebClientLogout(w http.ResponseWriter, r *http.Reque
func (s *httpdServer) handleWebClientChangePwdPost(w http.ResponseWriter, r *http.Request) { func (s *httpdServer) handleWebClientChangePwdPost(w http.ResponseWriter, r *http.Request) {
r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
err := r.ParseForm() if err := r.ParseForm(); err != nil {
if err != nil {
s.renderClientChangePasswordPage(w, r, err.Error()) s.renderClientChangePasswordPage(w, r, err.Error())
return return
} }
@ -203,8 +202,8 @@ func (s *httpdServer) handleWebClientChangePwdPost(w http.ResponseWriter, r *htt
s.renderClientForbiddenPage(w, r, err.Error()) s.renderClientForbiddenPage(w, r, err.Error())
return return
} }
err = doChangeUserPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"), err := doChangeUserPassword(r, strings.TrimSpace(r.Form.Get("current_password")),
r.Form.Get("new_password2")) strings.TrimSpace(r.Form.Get("new_password1")), strings.TrimSpace(r.Form.Get("new_password2")))
if err != nil { if err != nil {
s.renderClientChangePasswordPage(w, r, err.Error()) s.renderClientChangePasswordPage(w, r, err.Error())
return return
@ -230,8 +229,8 @@ func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Re
return return
} }
protocol := common.ProtocolHTTP protocol := common.ProtocolHTTP
username := r.Form.Get("username") username := strings.TrimSpace(r.Form.Get("username"))
password := r.Form.Get("password") password := strings.TrimSpace(r.Form.Get("password"))
if username == "" || password == "" { if username == "" || password == "" {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials)
@ -289,7 +288,8 @@ func (s *httpdServer) handleWebClientPasswordResetPost(w http.ResponseWriter, r
s.renderClientForbiddenPage(w, r, err.Error()) s.renderClientForbiddenPage(w, r, err.Error())
return return
} }
_, user, err := handleResetPassword(r, r.Form.Get("code"), r.Form.Get("password"), false) _, user, err := handleResetPassword(r, strings.TrimSpace(r.Form.Get("code")),
strings.TrimSpace(r.Form.Get("password")), false)
if err != nil { if err != nil {
s.renderClientResetPwdPage(w, err.Error(), ipAddr) s.renderClientResetPwdPage(w, err.Error(), ipAddr)
return return
@ -323,7 +323,7 @@ func (s *httpdServer) handleWebClientTwoFactorRecoveryPost(w http.ResponseWriter
return return
} }
username := claims.Username username := claims.Username
recoveryCode := r.Form.Get("recovery_code") recoveryCode := strings.TrimSpace(r.Form.Get("recovery_code"))
if username == "" || recoveryCode == "" { if username == "" || recoveryCode == "" {
s.renderClientTwoFactorRecoveryPage(w, "Invalid credentials", ipAddr) s.renderClientTwoFactorRecoveryPage(w, "Invalid credentials", ipAddr)
return return
@ -384,7 +384,7 @@ func (s *httpdServer) handleWebClientTwoFactorPost(w http.ResponseWriter, r *htt
return return
} }
username := claims.Username username := claims.Username
passcode := r.Form.Get("passcode") passcode := strings.TrimSpace(r.Form.Get("passcode"))
if username == "" || passcode == "" { if username == "" || passcode == "" {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials)
@ -440,7 +440,7 @@ func (s *httpdServer) handleWebAdminTwoFactorRecoveryPost(w http.ResponseWriter,
return return
} }
username := claims.Username username := claims.Username
recoveryCode := r.Form.Get("recovery_code") recoveryCode := strings.TrimSpace(r.Form.Get("recovery_code"))
if username == "" || recoveryCode == "" { if username == "" || recoveryCode == "" {
s.renderTwoFactorRecoveryPage(w, "Invalid credentials", ipAddr) s.renderTwoFactorRecoveryPage(w, "Invalid credentials", ipAddr)
return return
@ -499,7 +499,7 @@ func (s *httpdServer) handleWebAdminTwoFactorPost(w http.ResponseWriter, r *http
return return
} }
username := claims.Username username := claims.Username
passcode := r.Form.Get("passcode") passcode := strings.TrimSpace(r.Form.Get("passcode"))
if username == "" || passcode == "" { if username == "" || passcode == "" {
s.renderTwoFactorPage(w, "Invalid credentials", ipAddr) s.renderTwoFactorPage(w, "Invalid credentials", ipAddr)
return return
@ -544,8 +544,8 @@ func (s *httpdServer) handleWebAdminLoginPost(w http.ResponseWriter, r *http.Req
s.renderAdminLoginPage(w, err.Error(), ipAddr) s.renderAdminLoginPage(w, err.Error(), ipAddr)
return return
} }
username := r.Form.Get("username") username := strings.TrimSpace(r.Form.Get("username"))
password := r.Form.Get("password") password := strings.TrimSpace(r.Form.Get("password"))
if username == "" || password == "" { if username == "" || password == "" {
s.renderAdminLoginPage(w, "Invalid credentials", ipAddr) s.renderAdminLoginPage(w, "Invalid credentials", ipAddr)
return return
@ -615,8 +615,8 @@ func (s *httpdServer) handleWebAdminChangePwdPost(w http.ResponseWriter, r *http
s.renderForbiddenPage(w, r, err.Error()) s.renderForbiddenPage(w, r, err.Error())
return return
} }
err = doChangeAdminPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"), err = doChangeAdminPassword(r, strings.TrimSpace(r.Form.Get("current_password")),
r.Form.Get("new_password2")) strings.TrimSpace(r.Form.Get("new_password1")), strings.TrimSpace(r.Form.Get("new_password2")))
if err != nil { if err != nil {
s.renderChangePasswordPage(w, r, err.Error()) s.renderChangePasswordPage(w, r, err.Error())
return return
@ -637,7 +637,8 @@ func (s *httpdServer) handleWebAdminPasswordResetPost(w http.ResponseWriter, r *
s.renderForbiddenPage(w, r, err.Error()) s.renderForbiddenPage(w, r, err.Error())
return return
} }
admin, _, err := handleResetPassword(r, r.Form.Get("code"), r.Form.Get("password"), true) admin, _, err := handleResetPassword(r, strings.TrimSpace(r.Form.Get("code")),
strings.TrimSpace(r.Form.Get("password")), true)
if err != nil { if err != nil {
if e, ok := err.(*util.ValidationError); ok { if e, ok := err.(*util.ValidationError); ok {
s.renderResetPwdPage(w, e.GetErrorString(), ipAddr) s.renderResetPwdPage(w, e.GetErrorString(), ipAddr)
@ -666,10 +667,10 @@ func (s *httpdServer) handleWebAdminSetupPost(w http.ResponseWriter, r *http.Req
s.renderForbiddenPage(w, r, err.Error()) s.renderForbiddenPage(w, r, err.Error())
return return
} }
username := r.Form.Get("username") username := strings.TrimSpace(r.Form.Get("username"))
password := r.Form.Get("password") password := strings.TrimSpace(r.Form.Get("password"))
confirmPassword := r.Form.Get("confirm_password") confirmPassword := strings.TrimSpace(r.Form.Get("confirm_password"))
installCode := r.Form.Get("install_code") installCode := strings.TrimSpace(r.Form.Get("install_code"))
if installationCode != "" && installCode != resolveInstallationCode() { if installationCode != "" && installCode != resolveInstallationCode() {
s.renderAdminSetupPage(w, r, username, fmt.Sprintf("%v mismatch", installationCodeHint)) s.renderAdminSetupPage(w, r, username, fmt.Sprintf("%v mismatch", installationCodeHint))
return return
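Review bot: Trimming the password fields changes the credential itself rather than just tidying input: `password := strings.TrimSpace(r.Form.Get("password"))` in handleWebClientLoginPost and handleWebAdminLoginPost, and the current/new password arguments passed to doChangeUserPassword and doChangeAdminPassword, mean a user whose stored password begins or ends with whitespace (set through another path that does not trim, or before this change) can no longer authenticate through the web UI, and a new password chosen here is stored without the spaces the user typed. Whether the other login paths trim is not visible in this diff, but secrets should be handled identically at every entry point, so consider restricting the trim to identifiers (username, code, recovery_code, passcode) and reading password fields unchanged, e.g. `password := r.Form.Get("password")`. The same concern applies to `admin.Password` in getAdminFromPostFields and `Password:` in getUserFromPostFields in the second file. Every enclosing handler here begins outside its hunk.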


@ -1504,7 +1504,7 @@ func getFilePatternsFromPostField(r *http.Request) []sdk.PatternsFilter {
func getGroupsFromUserPostFields(r *http.Request) []sdk.GroupMapping { func getGroupsFromUserPostFields(r *http.Request) []sdk.GroupMapping {
var groups []sdk.GroupMapping var groups []sdk.GroupMapping
primaryGroup := r.Form.Get("primary_group") primaryGroup := strings.TrimSpace(r.Form.Get("primary_group"))
if primaryGroup != "" { if primaryGroup != "" {
groups = append(groups, sdk.GroupMapping{ groups = append(groups, sdk.GroupMapping{
Name: primaryGroup, Name: primaryGroup,
@ -1514,14 +1514,14 @@ func getGroupsFromUserPostFields(r *http.Request) []sdk.GroupMapping {
secondaryGroups := r.Form["secondary_groups"] secondaryGroups := r.Form["secondary_groups"]
for _, name := range secondaryGroups { for _, name := range secondaryGroups {
groups = append(groups, sdk.GroupMapping{ groups = append(groups, sdk.GroupMapping{
Name: name, Name: strings.TrimSpace(name),
Type: sdk.GroupTypeSecondary, Type: sdk.GroupTypeSecondary,
}) })
} }
membershipGroups := r.Form["membership_groups"] membershipGroups := r.Form["membership_groups"]
for _, name := range membershipGroups { for _, name := range membershipGroups {
groups = append(groups, sdk.GroupMapping{ groups = append(groups, sdk.GroupMapping{
Name: name, Name: strings.TrimSpace(name),
Type: sdk.GroupTypeMembership, Type: sdk.GroupTypeMembership,
}) })
} }
@ -1565,7 +1565,7 @@ func getFiltersFromUserPostFields(r *http.Request) (sdk.BaseUserFilters, error)
filters.DeniedProtocols = r.Form["denied_protocols"] filters.DeniedProtocols = r.Form["denied_protocols"]
filters.TwoFactorAuthProtocols = r.Form["required_two_factor_protocols"] filters.TwoFactorAuthProtocols = r.Form["required_two_factor_protocols"]
filters.FilePatterns = getFilePatternsFromPostField(r) filters.FilePatterns = getFilePatternsFromPostField(r)
filters.TLSUsername = sdk.TLSUsername(r.Form.Get("tls_username")) filters.TLSUsername = sdk.TLSUsername(strings.TrimSpace(r.Form.Get("tls_username")))
filters.WebClient = r.Form["web_client_options"] filters.WebClient = r.Form["web_client_options"]
filters.DefaultSharesExpiration = defaultSharesExpiration filters.DefaultSharesExpiration = defaultSharesExpiration
filters.PasswordExpiration = passwordExpiration filters.PasswordExpiration = passwordExpiration
@ -1583,7 +1583,7 @@ func getFiltersFromUserPostFields(r *http.Request) (sdk.BaseUserFilters, error)
filters.IsAnonymous = r.Form.Get("is_anonymous") != "" filters.IsAnonymous = r.Form.Get("is_anonymous") != ""
filters.DisableFsChecks = r.Form.Get("disable_fs_checks") != "" filters.DisableFsChecks = r.Form.Get("disable_fs_checks") != ""
filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != "" filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != ""
filters.StartDirectory = r.Form.Get("start_directory") filters.StartDirectory = strings.TrimSpace(r.Form.Get("start_directory"))
filters.MaxUploadFileSize = maxFileSize filters.MaxUploadFileSize = maxFileSize
filters.ExternalAuthCacheTime, err = strconv.ParseInt(r.Form.Get("external_auth_cache_time"), 10, 64) filters.ExternalAuthCacheTime, err = strconv.ParseInt(r.Form.Get("external_auth_cache_time"), 10, 64)
if err != nil { if err != nil {
@ -1614,7 +1614,7 @@ func getS3Config(r *http.Request) (vfs.S3FsConfig, error) {
config.Endpoint = strings.TrimSpace(r.Form.Get("s3_endpoint")) config.Endpoint = strings.TrimSpace(r.Form.Get("s3_endpoint"))
config.StorageClass = strings.TrimSpace(r.Form.Get("s3_storage_class")) config.StorageClass = strings.TrimSpace(r.Form.Get("s3_storage_class"))
config.ACL = strings.TrimSpace(r.Form.Get("s3_acl")) config.ACL = strings.TrimSpace(r.Form.Get("s3_acl"))
config.KeyPrefix = r.Form.Get("s3_key_prefix") config.KeyPrefix = strings.TrimSpace(r.Form.Get("s3_key_prefix"))
config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("s3_upload_part_size"), 10, 64) config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("s3_upload_part_size"), 10, 64)
if err != nil { if err != nil {
return config, fmt.Errorf("invalid s3 upload part size: %w", err) return config, fmt.Errorf("invalid s3 upload part size: %w", err)
@ -1650,7 +1650,7 @@ func getGCSConfig(r *http.Request) (vfs.GCSFsConfig, error) {
config.Bucket = strings.TrimSpace(r.Form.Get("gcs_bucket")) config.Bucket = strings.TrimSpace(r.Form.Get("gcs_bucket"))
config.StorageClass = strings.TrimSpace(r.Form.Get("gcs_storage_class")) config.StorageClass = strings.TrimSpace(r.Form.Get("gcs_storage_class"))
config.ACL = strings.TrimSpace(r.Form.Get("gcs_acl")) config.ACL = strings.TrimSpace(r.Form.Get("gcs_acl"))
config.KeyPrefix = r.Form.Get("gcs_key_prefix") config.KeyPrefix = strings.TrimSpace(r.Form.Get("gcs_key_prefix"))
uploadPartSize, err := strconv.ParseInt(r.Form.Get("gcs_upload_part_size"), 10, 64) uploadPartSize, err := strconv.ParseInt(r.Form.Get("gcs_upload_part_size"), 10, 64)
if err == nil { if err == nil {
config.UploadPartSize = uploadPartSize config.UploadPartSize = uploadPartSize
@ -1689,13 +1689,13 @@ func getSFTPConfig(r *http.Request) (vfs.SFTPFsConfig, error) {
var err error var err error
config := vfs.SFTPFsConfig{} config := vfs.SFTPFsConfig{}
config.Endpoint = strings.TrimSpace(r.Form.Get("sftp_endpoint")) config.Endpoint = strings.TrimSpace(r.Form.Get("sftp_endpoint"))
config.Username = r.Form.Get("sftp_username") config.Username = strings.TrimSpace(r.Form.Get("sftp_username"))
config.Password = getSecretFromFormField(r, "sftp_password") config.Password = getSecretFromFormField(r, "sftp_password")
config.PrivateKey = getSecretFromFormField(r, "sftp_private_key") config.PrivateKey = getSecretFromFormField(r, "sftp_private_key")
config.KeyPassphrase = getSecretFromFormField(r, "sftp_key_passphrase") config.KeyPassphrase = getSecretFromFormField(r, "sftp_key_passphrase")
fingerprintsFormValue := r.Form.Get("sftp_fingerprints") fingerprintsFormValue := r.Form.Get("sftp_fingerprints")
config.Fingerprints = getSliceFromDelimitedValues(fingerprintsFormValue, "\n") config.Fingerprints = getSliceFromDelimitedValues(fingerprintsFormValue, "\n")
config.Prefix = r.Form.Get("sftp_prefix") config.Prefix = strings.TrimSpace(r.Form.Get("sftp_prefix"))
config.DisableCouncurrentReads = r.Form.Get("sftp_disable_concurrent_reads") != "" config.DisableCouncurrentReads = r.Form.Get("sftp_disable_concurrent_reads") != ""
config.BufferSize, err = strconv.ParseInt(r.Form.Get("sftp_buffer_size"), 10, 64) config.BufferSize, err = strconv.ParseInt(r.Form.Get("sftp_buffer_size"), 10, 64)
if r.Form.Get("sftp_equality_check_mode") != "" { if r.Form.Get("sftp_equality_check_mode") != "" {
@ -1712,7 +1712,7 @@ func getSFTPConfig(r *http.Request) (vfs.SFTPFsConfig, error) {
func getHTTPFsConfig(r *http.Request) vfs.HTTPFsConfig { func getHTTPFsConfig(r *http.Request) vfs.HTTPFsConfig {
config := vfs.HTTPFsConfig{} config := vfs.HTTPFsConfig{}
config.Endpoint = strings.TrimSpace(r.Form.Get("http_endpoint")) config.Endpoint = strings.TrimSpace(r.Form.Get("http_endpoint"))
config.Username = r.Form.Get("http_username") config.Username = strings.TrimSpace(r.Form.Get("http_username"))
config.SkipTLSVerify = r.Form.Get("http_skip_tls_verify") != "" config.SkipTLSVerify = r.Form.Get("http_skip_tls_verify") != ""
config.Password = getSecretFromFormField(r, "http_password") config.Password = getSecretFromFormField(r, "http_password")
config.APIKey = getSecretFromFormField(r, "http_api_key") config.APIKey = getSecretFromFormField(r, "http_api_key")
@ -1732,7 +1732,7 @@ func getAzureConfig(r *http.Request) (vfs.AzBlobFsConfig, error) {
config.AccountKey = getSecretFromFormField(r, "az_account_key") config.AccountKey = getSecretFromFormField(r, "az_account_key")
config.SASURL = getSecretFromFormField(r, "az_sas_url") config.SASURL = getSecretFromFormField(r, "az_sas_url")
config.Endpoint = strings.TrimSpace(r.Form.Get("az_endpoint")) config.Endpoint = strings.TrimSpace(r.Form.Get("az_endpoint"))
config.KeyPrefix = r.Form.Get("az_key_prefix") config.KeyPrefix = strings.TrimSpace(r.Form.Get("az_key_prefix"))
config.AccessTier = strings.TrimSpace(r.Form.Get("az_access_tier")) config.AccessTier = strings.TrimSpace(r.Form.Get("az_access_tier"))
config.UseEmulator = r.Form.Get("az_use_emulator") != "" config.UseEmulator = r.Form.Get("az_use_emulator") != ""
config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("az_upload_part_size"), 10, 64) config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("az_upload_part_size"), 10, 64)
@ -1841,12 +1841,12 @@ func getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) {
if err != nil { if err != nil {
return admin, fmt.Errorf("invalid status: %w", err) return admin, fmt.Errorf("invalid status: %w", err)
} }
admin.Username = r.Form.Get("username") admin.Username = strings.TrimSpace(r.Form.Get("username"))
admin.Password = r.Form.Get("password") admin.Password = strings.TrimSpace(r.Form.Get("password"))
admin.Permissions = r.Form["permissions"] admin.Permissions = r.Form["permissions"]
admin.Email = r.Form.Get("email") admin.Email = strings.TrimSpace(r.Form.Get("email"))
admin.Status = status admin.Status = status
admin.Role = r.Form.Get("role") admin.Role = strings.TrimSpace(r.Form.Get("role"))
admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",") admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
admin.Filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != "" admin.Filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != ""
admin.AdditionalInfo = r.Form.Get("additional_info") admin.AdditionalInfo = r.Form.Get("additional_info")
@ -2093,11 +2093,11 @@ func getUserFromPostFields(r *http.Request) (dataprovider.User, error) {
} }
user = dataprovider.User{ user = dataprovider.User{
BaseUser: sdk.BaseUser{ BaseUser: sdk.BaseUser{
Username: r.Form.Get("username"), Username: strings.TrimSpace(r.Form.Get("username")),
Email: r.Form.Get("email"), Email: strings.TrimSpace(r.Form.Get("email")),
Password: r.Form.Get("password"), Password: strings.TrimSpace(r.Form.Get("password")),
PublicKeys: r.Form["public_keys"], PublicKeys: r.Form["public_keys"],
HomeDir: r.Form.Get("home_dir"), HomeDir: strings.TrimSpace(r.Form.Get("home_dir")),
UID: uid, UID: uid,
GID: gid, GID: gid,
Permissions: getUserPermissionsFromPostFields(r), Permissions: getUserPermissionsFromPostFields(r),
@ -2113,7 +2113,7 @@ func getUserFromPostFields(r *http.Request) (dataprovider.User, error) {
ExpirationDate: expirationDateMillis, ExpirationDate: expirationDateMillis,
AdditionalInfo: r.Form.Get("additional_info"), AdditionalInfo: r.Form.Get("additional_info"),
Description: r.Form.Get("description"), Description: r.Form.Get("description"),
Role: r.Form.Get("role"), Role: strings.TrimSpace(r.Form.Get("role")),
}, },
Filters: dataprovider.UserFilters{ Filters: dataprovider.UserFilters{
BaseUserFilters: filters, BaseUserFilters: filters,
@ -2168,12 +2168,12 @@ func getGroupFromPostFields(r *http.Request) (dataprovider.Group, error) {
} }
group = dataprovider.Group{ group = dataprovider.Group{
BaseGroup: sdk.BaseGroup{ BaseGroup: sdk.BaseGroup{
Name: r.Form.Get("name"), Name: strings.TrimSpace(r.Form.Get("name")),
Description: r.Form.Get("description"), Description: r.Form.Get("description"),
}, },
UserSettings: dataprovider.GroupUserSettings{ UserSettings: dataprovider.GroupUserSettings{
BaseGroupUserSettings: sdk.BaseGroupUserSettings{ BaseGroupUserSettings: sdk.BaseGroupUserSettings{
HomeDir: r.Form.Get("home_dir"), HomeDir: strings.TrimSpace(r.Form.Get("home_dir")),
MaxSessions: maxSessions, MaxSessions: maxSessions,
QuotaSize: quotaSize, QuotaSize: quotaSize,
QuotaFiles: quotaFiles, QuotaFiles: quotaFiles,
@ -2199,7 +2199,7 @@ func getKeyValsFromPostFields(r *http.Request, key, val string) []dataprovider.K
if strings.HasPrefix(k, key) { if strings.HasPrefix(k, key) {
formKey := r.Form.Get(k) formKey := r.Form.Get(k)
idx := strings.TrimPrefix(k, key) idx := strings.TrimPrefix(k, key)
formVal := r.Form.Get(fmt.Sprintf("%s%s", val, idx)) formVal := strings.TrimSpace(r.Form.Get(fmt.Sprintf("%s%s", val, idx)))
if formKey != "" && formVal != "" { if formKey != "" && formVal != "" {
res = append(res, dataprovider.KeyValue{ res = append(res, dataprovider.KeyValue{
Key: formKey, Key: formKey,
@ -2215,7 +2215,7 @@ func getFoldersRetentionFromPostFields(r *http.Request) ([]dataprovider.FolderRe
var res []dataprovider.FolderRetention var res []dataprovider.FolderRetention
for k := range r.Form { for k := range r.Form {
if strings.HasPrefix(k, "folder_retention_path") { if strings.HasPrefix(k, "folder_retention_path") {
folderPath := r.Form.Get(k) folderPath := strings.TrimSpace(r.Form.Get(k))
if folderPath != "" { if folderPath != "" {
idx := strings.TrimPrefix(k, "folder_retention_path") idx := strings.TrimPrefix(k, "folder_retention_path")
retention, err := strconv.Atoi(r.Form.Get(fmt.Sprintf("folder_retention_val%s", idx))) retention, err := strconv.Atoi(r.Form.Get(fmt.Sprintf("folder_retention_val%s", idx)))
@ -2239,14 +2239,14 @@ func getHTTPPartsFromPostFields(r *http.Request) []dataprovider.HTTPPart {
var result []dataprovider.HTTPPart var result []dataprovider.HTTPPart
for k := range r.Form { for k := range r.Form {
if strings.HasPrefix(k, "http_part_name") { if strings.HasPrefix(k, "http_part_name") {
partName := r.Form.Get(k) partName := strings.TrimSpace(r.Form.Get(k))
if partName != "" { if partName != "" {
idx := strings.TrimPrefix(k, "http_part_name") idx := strings.TrimPrefix(k, "http_part_name")
order, err := strconv.Atoi(idx) order, err := strconv.Atoi(idx)
if err != nil { if err != nil {
continue continue
} }
filePath := r.Form.Get(fmt.Sprintf("http_part_file%s", idx)) filePath := strings.TrimSpace(r.Form.Get(fmt.Sprintf("http_part_file%s", idx)))
body := r.Form.Get(fmt.Sprintf("http_part_body%s", idx)) body := r.Form.Get(fmt.Sprintf("http_part_body%s", idx))
concatHeaders := getSliceFromDelimitedValues(r.Form.Get(fmt.Sprintf("http_part_headers%s", idx)), "\n") concatHeaders := getSliceFromDelimitedValues(r.Form.Get(fmt.Sprintf("http_part_headers%s", idx)), "\n")
var headers []dataprovider.KeyValue var headers []dataprovider.KeyValue
@ -2314,8 +2314,8 @@ func getEventActionOptionsFromPostFields(r *http.Request) (dataprovider.BaseEven
} }
options := dataprovider.BaseEventActionOptions{ options := dataprovider.BaseEventActionOptions{
HTTPConfig: dataprovider.EventActionHTTPConfig{ HTTPConfig: dataprovider.EventActionHTTPConfig{
Endpoint: r.Form.Get("http_endpoint"), Endpoint: strings.TrimSpace(r.Form.Get("http_endpoint")),
Username: r.Form.Get("http_username"), Username: strings.TrimSpace(r.Form.Get("http_username")),
Password: getSecretFromFormField(r, "http_password"), Password: getSecretFromFormField(r, "http_password"),
Headers: getKeyValsFromPostFields(r, "http_header_key", "http_header_val"), Headers: getKeyValsFromPostFields(r, "http_header_key", "http_header_val"),
Timeout: httpTimeout, Timeout: httpTimeout,
@ -2326,7 +2326,7 @@ func getEventActionOptionsFromPostFields(r *http.Request) (dataprovider.BaseEven
Parts: getHTTPPartsFromPostFields(r), Parts: getHTTPPartsFromPostFields(r),
}, },
CmdConfig: dataprovider.EventActionCommandConfig{ CmdConfig: dataprovider.EventActionCommandConfig{
Cmd: r.Form.Get("cmd_path"), Cmd: strings.TrimSpace(r.Form.Get("cmd_path")),
Args: cmdArgs, Args: cmdArgs,
Timeout: cmdTimeout, Timeout: cmdTimeout,
EnvVars: getKeyValsFromPostFields(r, "cmd_env_key", "cmd_env_val"), EnvVars: getKeyValsFromPostFields(r, "cmd_env_key", "cmd_env_val"),
@ -2350,7 +2350,7 @@ func getEventActionOptionsFromPostFields(r *http.Request) (dataprovider.BaseEven
Exist: getSliceFromDelimitedValues(r.Form.Get("fs_exist_paths"), ","), Exist: getSliceFromDelimitedValues(r.Form.Get("fs_exist_paths"), ","),
Copy: getKeyValsFromPostFields(r, "fs_copy_source", "fs_copy_target"), Copy: getKeyValsFromPostFields(r, "fs_copy_source", "fs_copy_target"),
Compress: dataprovider.EventActionFsCompress{ Compress: dataprovider.EventActionFsCompress{
Name: r.Form.Get("fs_compress_name"), Name: strings.TrimSpace(r.Form.Get("fs_compress_name")),
Paths: getSliceFromDelimitedValues(r.Form.Get("fs_compress_paths"), ","), Paths: getSliceFromDelimitedValues(r.Form.Get("fs_compress_paths"), ","),
}, },
}, },
@ -2380,7 +2380,7 @@ func getEventActionFromPostFields(r *http.Request) (dataprovider.BaseEventAction
return dataprovider.BaseEventAction{}, err return dataprovider.BaseEventAction{}, err
} }
action := dataprovider.BaseEventAction{ action := dataprovider.BaseEventAction{
Name: r.Form.Get("name"), Name: strings.TrimSpace(r.Form.Get("name")),
Description: r.Form.Get("description"), Description: r.Form.Get("description"),
Type: actionType, Type: actionType,
Options: options, Options: options,
@ -2404,12 +2404,12 @@ func getEventRuleConditionsFromPostFields(r *http.Request) (dataprovider.EventCo
var names, groupNames, roleNames, fsPaths []dataprovider.ConditionPattern var names, groupNames, roleNames, fsPaths []dataprovider.ConditionPattern
for k := range r.Form { for k := range r.Form {
if strings.HasPrefix(k, "schedule_hour") { if strings.HasPrefix(k, "schedule_hour") {
hour := r.Form.Get(k) hour := strings.TrimSpace(r.Form.Get(k))
if hour != "" { if hour != "" {
idx := strings.TrimPrefix(k, "schedule_hour") idx := strings.TrimPrefix(k, "schedule_hour")
dayOfWeek := r.Form.Get(fmt.Sprintf("schedule_day_of_week%s", idx)) dayOfWeek := strings.TrimSpace(r.Form.Get(fmt.Sprintf("schedule_day_of_week%s", idx)))
dayOfMonth := r.Form.Get(fmt.Sprintf("schedule_day_of_month%s", idx)) dayOfMonth := strings.TrimSpace(r.Form.Get(fmt.Sprintf("schedule_day_of_month%s", idx)))
month := r.Form.Get(fmt.Sprintf("schedule_month%s", idx)) month := strings.TrimSpace(r.Form.Get(fmt.Sprintf("schedule_month%s", idx)))
schedules = append(schedules, dataprovider.Schedule{ schedules = append(schedules, dataprovider.Schedule{
Hours: hour, Hours: hour,
DayOfWeek: dayOfWeek, DayOfWeek: dayOfWeek,
@ -2419,7 +2419,7 @@ func getEventRuleConditionsFromPostFields(r *http.Request) (dataprovider.EventCo
} }
} }
if strings.HasPrefix(k, "name_pattern") { if strings.HasPrefix(k, "name_pattern") {
pattern := r.Form.Get(k) pattern := strings.TrimSpace(r.Form.Get(k))
if pattern != "" { if pattern != "" {
idx := strings.TrimPrefix(k, "name_pattern") idx := strings.TrimPrefix(k, "name_pattern")
patternType := r.Form.Get(fmt.Sprintf("type_name_pattern%s", idx)) patternType := r.Form.Get(fmt.Sprintf("type_name_pattern%s", idx))
@ -2430,7 +2430,7 @@ func getEventRuleConditionsFromPostFields(r *http.Request) (dataprovider.EventCo
} }
} }
if strings.HasPrefix(k, "group_name_pattern") { if strings.HasPrefix(k, "group_name_pattern") {
pattern := r.Form.Get(k) pattern := strings.TrimSpace(r.Form.Get(k))
if pattern != "" { if pattern != "" {
idx := strings.TrimPrefix(k, "group_name_pattern") idx := strings.TrimPrefix(k, "group_name_pattern")
patternType := r.Form.Get(fmt.Sprintf("type_group_name_pattern%s", idx)) patternType := r.Form.Get(fmt.Sprintf("type_group_name_pattern%s", idx))
@ -2441,7 +2441,7 @@ func getEventRuleConditionsFromPostFields(r *http.Request) (dataprovider.EventCo
} }
} }
if strings.HasPrefix(k, "role_name_pattern") { if strings.HasPrefix(k, "role_name_pattern") {
pattern := r.Form.Get(k) pattern := strings.TrimSpace(r.Form.Get(k))
if pattern != "" { if pattern != "" {
idx := strings.TrimPrefix(k, "role_name_pattern") idx := strings.TrimPrefix(k, "role_name_pattern")
patternType := r.Form.Get(fmt.Sprintf("type_role_name_pattern%s", idx)) patternType := r.Form.Get(fmt.Sprintf("type_role_name_pattern%s", idx))
@ -2452,7 +2452,7 @@ func getEventRuleConditionsFromPostFields(r *http.Request) (dataprovider.EventCo
} }
} }
if strings.HasPrefix(k, "fs_path_pattern") { if strings.HasPrefix(k, "fs_path_pattern") {
pattern := r.Form.Get(k) pattern := strings.TrimSpace(r.Form.Get(k))
if pattern != "" { if pattern != "" {
idx := strings.TrimPrefix(k, "fs_path_pattern") idx := strings.TrimPrefix(k, "fs_path_pattern")
patternType := r.Form.Get(fmt.Sprintf("type_fs_path_pattern%s", idx)) patternType := r.Form.Get(fmt.Sprintf("type_fs_path_pattern%s", idx))
@ -2495,7 +2495,7 @@ func getEventRuleActionsFromPostFields(r *http.Request) ([]dataprovider.EventAct
var actions []dataprovider.EventAction var actions []dataprovider.EventAction
for k := range r.Form { for k := range r.Form {
if strings.HasPrefix(k, "action_name") { if strings.HasPrefix(k, "action_name") {
name := r.Form.Get(k) name := strings.TrimSpace(r.Form.Get(k))
if name != "" { if name != "" {
idx := strings.TrimPrefix(k, "action_name") idx := strings.TrimPrefix(k, "action_name")
order, err := strconv.Atoi(r.Form.Get(fmt.Sprintf("action_order%s", idx))) order, err := strconv.Atoi(r.Form.Get(fmt.Sprintf("action_order%s", idx)))
@ -2542,7 +2542,7 @@ func getEventRuleFromPostFields(r *http.Request) (dataprovider.EventRule, error)
return dataprovider.EventRule{}, err return dataprovider.EventRule{}, err
} }
rule := dataprovider.EventRule{ rule := dataprovider.EventRule{
Name: r.Form.Get("name"), Name: strings.TrimSpace(r.Form.Get("name")),
Status: status, Status: status,
Description: r.Form.Get("description"), Description: r.Form.Get("description"),
Trigger: trigger, Trigger: trigger,
@ -2559,7 +2559,7 @@ func getRoleFromPostFields(r *http.Request) (dataprovider.Role, error) {
} }
return dataprovider.Role{ return dataprovider.Role{
Name: r.Form.Get("name"), Name: strings.TrimSpace(r.Form.Get("name")),
Description: r.Form.Get("description"), Description: r.Form.Get("description"),
}, nil }, nil
} }
@ -2587,7 +2587,7 @@ func getIPListEntryFromPostFields(r *http.Request, listType dataprovider.IPListT
} }
return dataprovider.IPListEntry{ return dataprovider.IPListEntry{
IPOrNet: r.Form.Get("ipornet"), IPOrNet: strings.TrimSpace(r.Form.Get("ipornet")),
Mode: mode, Mode: mode,
Protocols: protocols, Protocols: protocols,
Description: r.Form.Get("description"), Description: r.Form.Get("description"),
@ -2651,14 +2651,14 @@ func getSMTPConfigsFromPostFields(r *http.Request) *dataprovider.SMTPConfigs {
oauth2Provider = 1 oauth2Provider = 1
} }
return &dataprovider.SMTPConfigs{ return &dataprovider.SMTPConfigs{
Host: r.Form.Get("smtp_host"), Host: strings.TrimSpace(r.Form.Get("smtp_host")),
Port: port, Port: port,
From: r.Form.Get("smtp_from"), From: strings.TrimSpace(r.Form.Get("smtp_from")),
User: r.Form.Get("smtp_username"), User: strings.TrimSpace(r.Form.Get("smtp_username")),
Password: getSecretFromFormField(r, "smtp_password"), Password: getSecretFromFormField(r, "smtp_password"),
AuthType: authType, AuthType: authType,
Encryption: encryption, Encryption: encryption,
Domain: r.Form.Get("smtp_domain"), Domain: strings.TrimSpace(r.Form.Get("smtp_domain")),
Debug: debug, Debug: debug,
OAuth2: dataprovider.SMTPOAuth2{ OAuth2: dataprovider.SMTPOAuth2{
Provider: oauth2Provider, Provider: oauth2Provider,
@ -3385,8 +3385,8 @@ func (s *httpdServer) handleWebAddFolderPost(w http.ResponseWriter, r *http.Requ
s.renderForbiddenPage(w, r, err.Error()) s.renderForbiddenPage(w, r, err.Error())
return return
} }
folder.MappedPath = r.Form.Get("mapped_path") folder.MappedPath = strings.TrimSpace(r.Form.Get("mapped_path"))
folder.Name = r.Form.Get("name") folder.Name = strings.TrimSpace(r.Form.Get("name"))
folder.Description = r.Form.Get("description") folder.Description = r.Form.Get("description")
fsConfig, err := getFsConfigFromPostFields(r) fsConfig, err := getFsConfigFromPostFields(r)
if err != nil { if err != nil {
@ -3452,7 +3452,7 @@ func (s *httpdServer) handleWebUpdateFolderPost(w http.ResponseWriter, r *http.R
return return
} }
updatedFolder := vfs.BaseVirtualFolder{ updatedFolder := vfs.BaseVirtualFolder{
MappedPath: r.Form.Get("mapped_path"), MappedPath: strings.TrimSpace(r.Form.Get("mapped_path")),
Description: r.Form.Get("description"), Description: r.Form.Get("description"),
} }
updatedFolder.ID = folder.ID updatedFolder.ID = folder.ID
@ -4214,8 +4214,16 @@ func (s *httpdServer) handleOAuth2TokenRedirect(w http.ResponseWriter, r *http.R
s.renderMessagePage(w, r, errorTitle, "Unable to get token:", http.StatusInternalServerError, err, "") s.renderMessagePage(w, r, errorTitle, "Unable to get token:", http.StatusInternalServerError, err, "")
return return
} }
if token.RefreshToken == "" {
errTxt := "the OAuth2 provider returned an empty token. " +
"Some providers only return the token when the user first authorizes. " +
"If you have already registered SFTPGo with this user in the past, revoke access and try again. " +
"This way you will invalidate the previous token."
s.renderMessagePage(w, r, errorTitle, "Unable to get token:", http.StatusBadRequest, errors.New(errTxt), "")
return
}
s.renderMessagePage(w, r, successTitle, "", http.StatusOK, nil, s.renderMessagePage(w, r, successTitle, "", http.StatusOK, nil,
fmt.Sprintf("Copy the following string, without the quotes, into your SMTP OAuth2 Token configuration: %q", token.RefreshToken)) fmt.Sprintf("Copy the following string, without the quotes, into SMTP OAuth2 Token configuration field: %q", token.RefreshToken))
} }
func updateSMTPSecrets(newConfigs, currentConfigs *dataprovider.SMTPConfigs) { func updateSMTPSecrets(newConfigs, currentConfigs *dataprovider.SMTPConfigs) {


@ -1265,7 +1265,7 @@ func (s *httpdServer) handleWebClientProfilePost(w http.ResponseWriter, r *http.
user.Filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != "" user.Filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != ""
} }
if userMerged.CanChangeInfo() { if userMerged.CanChangeInfo() {
user.Email = r.Form.Get("email") user.Email = strings.TrimSpace(r.Form.Get("email"))
user.Description = r.Form.Get("description") user.Description = r.Form.Get("description")
} }
err = dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, ipAddr, user.Role) err = dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, ipAddr, user.Role)
@ -1297,10 +1297,15 @@ func getShareFromPostFields(r *http.Request) (*dataprovider.Share, error) {
if err := r.ParseForm(); err != nil { if err := r.ParseForm(); err != nil {
return share, err return share, err
} }
share.Name = r.Form.Get("name") share.Name = strings.TrimSpace(r.Form.Get("name"))
share.Description = r.Form.Get("description") share.Description = r.Form.Get("description")
share.Paths = r.Form["paths"] for _, p := range r.Form["paths"] {
share.Password = r.Form.Get("password") p = strings.TrimSpace(p)
if p != "" {
share.Paths = append(share.Paths, p)
}
}
share.Password = strings.TrimSpace(r.Form.Get("password"))
share.AllowFrom = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",") share.AllowFrom = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
scope, err := strconv.Atoi(r.Form.Get("scope")) scope, err := strconv.Atoi(r.Form.Get("scope"))
if err != nil { if err != nil {
@ -1313,8 +1318,8 @@ func getShareFromPostFields(r *http.Request) (*dataprovider.Share, error) {
} }
share.MaxTokens = maxTokens share.MaxTokens = maxTokens
expirationDateMillis := int64(0) expirationDateMillis := int64(0)
expirationDateString := r.Form.Get("expiration_date") expirationDateString := strings.TrimSpace(r.Form.Get("expiration_date"))
if strings.TrimSpace(expirationDateString) != "" { if expirationDateString != "" {
expirationDate, err := time.Parse(webDateTimeFormat, expirationDateString) expirationDate, err := time.Parse(webDateTimeFormat, expirationDateString)
if err != nil { if err != nil {
return share, err return share, err
@ -1347,7 +1352,7 @@ func (s *httpdServer) handleWebClientForgotPwdPost(w http.ResponseWriter, r *htt
s.renderClientForbiddenPage(w, r, err.Error()) s.renderClientForbiddenPage(w, r, err.Error())
return return
} }
username := r.Form.Get("username") username := strings.TrimSpace(r.Form.Get("username"))
err = handleForgotPassword(r, username, false) err = handleForgotPassword(r, username, false)
if err != nil { if err != nil {
if e, ok := err.(*util.ValidationError); ok { if e, ok := err.(*util.ValidationError); ok {
@ -1479,7 +1484,7 @@ func (s *httpdServer) handleClientShareLoginPost(w http.ResponseWriter, r *http.
s.renderShareLoginPage(w, r.RequestURI, dataprovider.ErrInvalidCredentials.Error(), ipAddr) s.renderShareLoginPage(w, r.RequestURI, dataprovider.ErrInvalidCredentials.Error(), ipAddr)
return return
} }
match, err := share.CheckCredentials(r.Form.Get("share_password")) match, err := share.CheckCredentials(strings.TrimSpace(r.Form.Get("share_password")))
if !match || err != nil { if !match || err != nil {
s.renderShareLoginPage(w, r.RequestURI, dataprovider.ErrInvalidCredentials.Error(), ipAddr) s.renderShareLoginPage(w, r.RequestURI, dataprovider.ErrInvalidCredentials.Error(), ipAddr)
return return
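Review bot: Trimming the submitted secret before `share.CheckCredentials` in the last hunk of this section changes which password is accepted, not just how it is displayed: a share whose stored password has leading or trailing whitespace can no longer be unlocked from this form, and the matching trim of `share.Password` in `getShareFromPostFields` only covers shares created through this web form, so shares created before this change or through another entry point (presumably the REST API, if it does not normalize the same way) would silently stop unlocking. The same concern applies to the `username`/`current_password`/`new_password` trims elsewhere in this commit, where the stored credential may have been set by a path that does not trim. I would either leave verification inputs untouched and trim only where the secret is set, e.g. `match, err := share.CheckCredentials(r.Form.Get("share_password"))`, or move the normalization into one helper used by every path that sets or checks a share password so creation and verification always agree, with a comment stating that rule. handleClientShareLoginPost starts and ends outside the hunk, so the earlier form handling could not be checked here.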