Fix #13

PlanetTheCloud · Jan 29, 2021 · 4ac47c4 · 4ac47c4
1 parent 5c1b62a
commit 4ac47c4
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 48 deletions.
diff --git a/signup.php b/signup.php
@@ -10,7 +10,7 @@
 # Initialize
 define('THIS_DIR', dirname(__FILE__));
 require THIS_DIR . '/sys-auth/app/app.php';
-if (@$_GET['submit'] !== 'Register') {
+if (@$_GET['action'] !== 'register' && @$_POST['action'] !== 'register') {
     header("Location: /auth/signup");
     die;
 }
@@ -42,28 +42,31 @@ function reject($msg = false)
 }
 
 # Validate inputs
-$isExternalRequest = (isset($_GET['identifier']) or isset($_GET['signature']) or !isset($_GET['token']))
+$isExternalRequest = !(isset($_POST['action']));
 if ($isExternalRequest) {
-    $required = ['username', 'email', 'password', 'password_confirm', 'id', 'number', 'signature', 'identifier'];
+    $data = $_GET;
+    $required = ['username', 'email', 'password', 'password_confirm', 'id', 'number', 'signature', 'identifier', 'action'];
 } elseif (config('sys.enable_domain_selector')) {
-    $required = ['username', 'email', 'domain', 'password', 'password_confirm', 'id', 'number', 'token'];
+    $data = $_POST;
+    $required = ['username', 'email', 'domain', 'password', 'password_confirm', 'id', 'number', 'token', 'action'];
 } else {
-    $required = ['username', 'email', 'password', 'password_confirm', 'id', 'number', 'token'];
+    $data = $_POST;
+    $required = ['username', 'email', 'password', 'password_confirm', 'id', 'number', 'token', 'action'];
 }
-(function () use ($required) {
+(function() use ($data, $required){
     foreach ($required as $key => $value) {
-        if (!isset($_GET[$value])) {
+        if (!isset($data[$value])) {
             return reject();
         }
-        if (!is_string($_GET[$value])) {
+        if (!is_string($data[$value])) {
             return reject();
         }
-        if (empty(trim($_GET[$value]))) {
+        if (empty(trim($data[$value]))) {
             return reject("{$value} cannot be empty!");
         }
-        $_GET[$value] = htmlspecialchars($_GET[$value]);
+        $data[$value] = htmlspecialchars($data[$value]);
     }
-    if ($_GET['password'] !== $_GET['password_confirm']) {
+    if ($data['password'] !== $data['password_confirm']) {
         return reject('Confirm Password does not match!');
     }
 })();
@@ -72,7 +75,7 @@ function reject($msg = false)
 if (!$isExternalRequest) {
     require APP . '/csrf.class.php';
     $csrf = new Csrf;
-    if (!$csrf->verifyToken('registration', $_GET['token'])) {
+    if (!$csrf->verifyToken('registration', $data['token'])) {
         reject();
     }
 }
@@ -81,76 +84,76 @@ function reject($msg = false)
 require APP . '/account.class.php';
 if ($isExternalRequest) {
     # External Request
-    (function () {
+    (function () use ($data) {
         if (!config('sys.accept_request_from_other_logged')) {
             return reject();
         }
 
         $credentials = require APP . '/api.credentials.php';
-        if (!isset($credentials[$_GET['identifier']])) {
+        if (!isset($credentials[$data['identifier']])) {
             return reject();
         }
 
         $known = Signature::create(
             'sha256',
-            base64_encode($_GET['identifier'] . $_GET['username'] . $_GET['email'] . $_GET['password'] . $_GET['id'] . $_GET['number']),
-            $credentials[$_GET['identifier']]['key']
+            base64_encode($data['identifier'] . $data['username'] . $data['email'] . $data['password'] . $data['id'] . $data['number']),
+            $credentials[$data['identifier']]['key']
         );
-        if (!Signature::verify($known, $_GET['signature'])) {
+        if (!Signature::verify($known, $data['signature'])) {
             return reject();
         }
 
         return Account::create([
-            'username' => $_GET['username'],
-            'email' => $_GET['email'],
-            'password' => $_GET['password'],
-            'id' => $_GET['id'],
-            'number' => $_GET['number']
+            'username' => $data['username'],
+            'email' => $data['email'],
+            'password' => $data['password'],
+            'id' => $data['id'],
+            'number' => $data['number']
         ]);
     })();
 } else {
     # Internal Request
     if (config('sys.enable_domain_selector')) {
         // With target domain
-        (function () use ($cfg) {
-            if (!isset($_GET['domain'])) {
+        (function () use ($cfg, $data) {
+            if (!isset($data['domain'])) {
                 return reject();
             }
-            if (config('sys.current_domain') === $_GET['domain']) {
+            if (config('sys.current_domain') === $data['domain']) {
                 return Account::create([
-                    'username' => $_GET['username'],
-                    'email' => $_GET['email'],
-                    'password' => $_GET['password'],
-                    'id' => $_GET['id'],
-                    'number' => $_GET['number']
+                    'username' => $data['username'],
+                    'email' => $data['email'],
+                    'password' => $data['password'],
+                    'id' => $data['id'],
+                    'number' => $data['number']
                 ]);
             }
-            if (array_search($_GET['domain'], $cfg['sys.domain_selection']) === false) {
+            if (array_search($data['domain'], $cfg['sys.domain_selection']) === false) {
                 return reject();
             }
 
             $credentials = require APP . '/target.credentials.php';
-            if (!isset($credentials[$_GET['domain']])) {
+            if (!isset($credentials[$data['domain']])) {
                 return reject();
             }
 
-            return Account::createExternal($_GET['domain'], [
-                'username' => $_GET['username'],
-                'email' => $_GET['email'],
-                'password' => $_GET['password'],
-                'id' => $_GET['id'],
-                'number' => $_GET['number']
-            ], $credentials[$_GET['domain']]);
+            return Account::createExternal($data['domain'], [
+                'username' => $data['username'],
+                'email' => $data['email'],
+                'password' => $data['password'],
+                'id' => $data['id'],
+                'number' => $data['number']
+            ], $credentials[$data['domain']]);
         })();
     } else {
         // Without target domain
-        (function () {
+        (function () use ($data) {
             return Account::create([
-                'username' => $_GET['username'],
-                'email' => $_GET['email'],
-                'password' => $_GET['password'],
-                'id' => $_GET['id'],
-                'number' => $_GET['number']
+                'username' => $data['username'],
+                'email' => $data['email'],
+                'password' => $data['password'],
+                'id' => $data['id'],
+                'number' => $data['number']
             ]);
         })();
     }

diff --git a/sys-auth/app/account.class.php b/sys-auth/app/account.class.php
@@ -15,6 +15,7 @@ class Account
 {
     private static $target;
     private static $parameters;
+    private static $method;
 
     /**
      * Create a new account
@@ -26,6 +27,7 @@ public static function create(array $parameters)
     {
         self::$target = config('sys.form_target.signup');
         self::$parameters = $parameters;
+        self::$method = 'POST';
     }
 
     /**
@@ -45,9 +47,11 @@ public static function createExternal(string $domain, array $parameters, array $
         );
         $parameters['identifier'] = $credentials['identifier'];
         $parameters['password_confirm'] = $parameters['password'];
+        $parameters['action'] = 'register';
 
         self::$target = "{$credentials['protocol']}://{$domain}/signup.php";
         self::$parameters = $parameters;
+        self::$method = 'GET';
     }
 
     /**
@@ -69,4 +73,14 @@ public static function getTarget(): string
     {
         return self::$target;
     }
+
+    /**
+     * Get the method to use
+     *
+     * @return string
+     */
+    public static function getMethod(): string
+    {
+        return self::$method;
+    }
 }
diff --git a/sys-auth/app/config.php b/sys-auth/app/config.php
@@ -43,7 +43,7 @@
         'main_domain' => 'http://hosting.com',
         'favicon' => '',
         'contact_email' => '[email protected]',
-        'report_abuse_email' => 'rep@hosting.com'
+        'report_abuse_email' => 'abuse@hosting.com'
     ],
 
     # Page settings

diff --git a/sys-auth/app/target.credentials.php b/sys-auth/app/target.credentials.php
@@ -18,4 +18,4 @@
         'key' => 'YOUR_KEY_HERE',
         'protocol' => 'https'
     ]
-];
+];
diff --git a/sys-auth/components/form.signup.tpl b/sys-auth/components/form.signup.tpl
@@ -2,7 +2,7 @@
 <p style="text-align:center">
     <img style="width: 25%" src="https://i.ibb.co/9r6TvgH/loader.gif">
 </p>
-<form action="<?= Account::getTarget(); ?>" method="get">
+<form action="<?= Account::getTarget(); ?>" method="<?= Account::getMethod(); ?>">
     <?php
     foreach (Account::getParameters() as $key => $value) {
         echo "<input type=\"hidden\" name=\"{$key}\" value=\"{$value}\">" . PHP_EOL;

diff --git a/sys-auth/signup.php b/sys-auth/signup.php
@@ -113,6 +113,7 @@
                     </div>
                     <p>By signing up, you accept and agree to our <a href="/auth/read/tos">terms of service</a> and <a href="/auth/read/privacy">privacy policies</a>.</p>
                     <input type="hidden" name="token" value="<?= $csrf->getToken('registration'); ?>">
+                    <input type="hidden" name="action" value="register">
                     <div class="row">
                         <div class="col-xs-12">
                             <button class="btn btn-block bg-<?= config('sys.color_scheme'); ?> waves-effect">REGISTER</button>
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,4 +18,4 @@ @@
             'key' => 'YOUR_KEY_HERE',
             'protocol' => 'https'
         ]
-    ];
+    ];