From a12c380cab19df4238f88e52d0474298b9666c3b Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Wed, 16 Oct 2019 13:51:19 +0200
Subject: [PATCH] Verify inputs for create.php
---
 htdocs/create.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/htdocs/create.php b/htdocs/create.php
index 86dab02..137ae73 100644
--- a/htdocs/create.php
+++ b/htdocs/create.php
@@ -105,13 +105,24 @@ function isAuthorized($mail,$secret) {
 }
 return false;
 }
+
+if(strlen($mbox) > 30 || strlen($name) > 30 || strlen($pw) > 1024 || strlen($pw2) > 1024 || strlen($authmail) > 1024 || strlen($authsecret) > 1024) {
+ echo "Input too large";
+ exit;
+}
+
+if(!preg_match("/^[a-z0-9_\-\.]{3,30}$/", $mbox)) {
+ echo "Invalid username";
+ exit;
+}
+
 if(!isset($_POST['authmail']) || !isset($_POST['authsecret'])) {
 echo "You are not authorized to create an account";
 exit;
 }
 if(!isAuthorized(trim($authmail),trim($authsecret))) {
- echo "You are not authorized to create an account";
- exit;
+ echo "You are not authorized to create an account";
+ exit;
 }
 if(!isset($_POST['username']) || !isset($_POST['password']) ||!isset($_POST['displayname']) ||!isset($_POST['repassword']) || strcmp($pw,$pw2)!=0)
@@ -121,7 +132,7 @@ if(!isset($_POST['username']) || !isset($_POST['password']) ||!isset($_POST['dis
 }
 else {
 echo "Passwords do not match";
 }
- return;
+ exit;
 }
 $resultmail=$mbox."@".$domain;
-- 
GitLab
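Review bot: The username pattern on the new `preg_match` line, `/^[a-z0-9_\-\.]{3,30}$/`, still accepts a value that ends in a newline, because PCRE's `$` matches before a final `\n` as well as at the true end of the subject, and the same `$mbox` is concatenated into `$resultmail=$mbox."@".$domain` in the second hunk, so an accepted trailing newline would travel into the resulting address. Anchor with `\z` (or add the `D` modifier) instead: `if(!preg_match("/^[a-z0-9_\-\.]{3,30}\z/", $mbox)) {`. The character class also admits a username consisting only of dots or carrying leading, trailing or consecutive dots (`...`, `.a.`, `a..b`), which are not valid mailbox local parts; whether `$mbox` is additionally used as a path component elsewhere cannot be seen from this hunk, so a stricter dot rule is worth considering. Because these new checks run before the `isAuthorized` gate, an unauthenticated POST already receives distinguishable `Input too large` / `Invalid username` responses; placing them after the authorization block keeps the pre-auth response surface to a single message. `$mbox`, `$name`, `$pw`, `$pw2`, `$authmail` and `$authsecret` are assigned before the hunk, outside the visible lines, and the top-level statement run continues past both hunks.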