2024-05-17 13:47:07 : fix login xss bug

talkincode · May 17, 2024 · 68a40d8 · 68a40d8
1 parent df2378a
commit 68a40d8
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 11 deletions.
diff --git a/assets/buildinfo.txt b/assets/buildinfo.txt
@@ -1,8 +1,8 @@
-BuildVersion=latest v8.0.7 2024-05-16 16:32:57
+BuildVersion=latest v8.0.7 2024-05-17 13:47:07
 ReleaseVersion=v8.0.7
-BuildTime=2024-05-16 16:32:57
+BuildTime=2024-05-17 13:47:07
 BuildName=toughradius
-CommitID=4d7c9e9052d7fe32a9f46cbce9259feb3ee76a17
-CommitDate=Wed, 27 Mar 2024 23:11:47 +0800
+CommitID=b4611353205746fcd10466dda836545c0cc59b37
+CommitDate=Thu, 16 May 2024 16:33:04 +0800
 [email protected]
-CommitSubject=Merge branch 'develop'
+CommitSubject=2024-05-16 16:32:57 : fix text error
diff --git a/controllers/index/index.go b/controllers/index/index.go
@@ -2,6 +2,7 @@ package index
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
@@ -29,6 +30,16 @@ var pushers = []string{
 	"/static/echarts/echarts.min.js",
 }
 
+const (
+	LoginPasswdErr = "wrong password"
+	LoginUserErr   = "user does not exist"
+	LoginDbErr     = "database connection failed"
+	LoginInputErr  = "username and password cannot be empty"
+	LoginExpired   = "User not logged in or login expired"
+)
+
+var LoginErrors = []string{LoginPasswdErr, LoginUserErr, LoginDbErr, LoginInputErr, LoginExpired}
+
 func InitRouter() {
 
 	// 系统首页
@@ -44,7 +55,7 @@ func InitRouter() {
 		sess, _ := session.Get(webserver.UserSession, c)
 		username := sess.Values[webserver.UserSessionName]
 		if username == nil || username == "" {
-			return c.Redirect(http.StatusTemporaryRedirect, "/login?errmsg=User not logged in or login expired")
+			return c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("/login?errmsg=%s", LoginExpired))
 		}
 		return c.Render(http.StatusOK, "index", map[string]interface{}{})
 	})
@@ -94,6 +105,10 @@ func InitRouter() {
 	// 登录页面
 	webserver.GET("/login", func(c echo.Context) error {
 		errmsg := c.QueryParam("errmsg")
+		// errmsg must in LoginErrors
+		if !common.InSlice(errmsg, LoginErrors) {
+			errmsg = ""
+		}
 		return c.Render(http.StatusOK, "login", map[string]interface{}{
 			"errmsg":    errmsg,
 			"LoginLogo": "/static/images/login-logo.png",
@@ -104,7 +119,7 @@ func InitRouter() {
 		isdark := c.Param("isdark")
 		if isdark == "1" {
 			app.GApp().SetSystemTheme("dark")
-		} else {
+		} else if isdark == "0" {
 			app.GApp().SetSystemTheme("light")
 		}
 		return c.JSON(http.StatusOK, web.RestSucc("success"))
@@ -123,19 +138,19 @@ func InitRouter() {
 		username := c.FormValue("username")
 		password := c.FormValue("password")
 		if username == "" || password == "" {
-			return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=Username and password cannot be empty")
+			return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginInputErr))
 		}
 		var user models.SysOpr
 		err := app.GDB().Where("username=?", username).First(&user).Error
 		if err != nil {
 			if strings.Contains(err.Error(), "dial error") {
-				return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=Database connection failed")
+				return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginDbErr))
 			}
-			return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=User does not exist")
+			return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginUserErr))
 		}
 
 		if common.Sha256HashWithSalt(password, common.SecretSalt) != user.Password {
-			return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=wrong password")
+			return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginPasswdErr))
 		}
 
 		sess, _ := session.Get(webserver.UserSession, c)