From b578803136705f4d67134520fc6be5cd5043e859 Mon Sep 17 00:00:00 2001 From: ansuz Date: Thu, 16 Mar 2017 10:37:16 +0100 Subject: [PATCH 1/3] clean up registration code a little bit --- www/register/main.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/www/register/main.js b/www/register/main.js index 37cb17155..251a69f24 100644 --- a/www/register/main.js +++ b/www/register/main.js @@ -108,6 +108,8 @@ define([ Cryptpad.addLoadingScreen(Messages.login_hashing); Login.loginOrRegister(uname, passwd, true, function (err, result) { + var proxy = result.proxy; + if (err) { switch (err) { case 'NO_SUCH_USER': @@ -129,10 +131,10 @@ define([ Cryptpad.removeLoadingScreen(function () { Cryptpad.confirm(Messages.register_alreadyRegistered, function (yes) { if (!yes) { return; } - result.proxy.login_name = uname; + proxy.login_name = uname; - if (!result.proxy[Cryptpad.displayNameKey]) { - result.proxy[Cryptpad.displayNameKey] = uname; + if (!proxy[Cryptpad.displayNameKey]) { + proxy[Cryptpad.displayNameKey] = uname; } Cryptpad.eraseTempSessionValues(); logMeIn(result); @@ -144,8 +146,6 @@ define([ } return; } - var proxy = result.proxy; - Cryptpad.eraseTempSessionValues(); if (shouldImport) { sessionStorage.migrateAnonDrive = 1; @@ -158,8 +158,8 @@ define([ logMeIn(result); }); }, { - ok: Messages.register_writtenPassword, //'I have written down my password, proceed', - cancel: Messages.register_cancel, // 'Go back', + ok: Messages.register_writtenPassword, + cancel: Messages.register_cancel, cancelClass: 'safe', okClass: 'danger', reverseOrder: true, From d585fce67b7f746c3aee38206ae08ef63bfbb55d Mon Sep 17 00:00:00 2001 From: ansuz Date: Thu, 16 Mar 2017 13:07:01 +0100 Subject: [PATCH 2/3] suppress RPC errors if configured to do so --- NetfluxWebsocketSrv.js | 4 +++- config.js.dist | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/NetfluxWebsocketSrv.js b/NetfluxWebsocketSrv.js index b8c4f5a2a..3bad068d5 100644 --- a/NetfluxWebsocketSrv.js +++ b/NetfluxWebsocketSrv.js @@ -232,7 +232,9 @@ const handleMessage = function (ctx, user, msg) { // slice off the sequence number and pass in the rest of the message ctx.rpc(ctx, rpc_call, function (err, output) { if (err) { - console.error('[' + err + ']', output); // TODO make this disableable + if (!ctx.config.suppressRPCErrors) { + console.error('[' + err + ']', output); + } sendMsg(ctx, user, [seq, 'ACK']); sendMsg(ctx, user, [0, HISTORY_KEEPER_ID, 'MSG', user.id, JSON.stringify([parsed[0], 'ERROR', err])]); return diff --git a/config.js.dist b/config.js.dist index 3818ae002..479949b74 100644 --- a/config.js.dist +++ b/config.js.dist @@ -137,6 +137,11 @@ module.exports = { */ rpc: './rpc.js', + /* RPC errors are shown by default, but if you really don't care, + * you can suppress them + */ + suppressRPCErrors: false, + /* it is recommended that you serve cryptpad over https * the filepaths below are used to configure your certificates */ From ac08c9f3d91ebcde88df9b7434a21c36c1c8a364 Mon Sep 17 00:00:00 2001 From: ansuz Date: Thu, 16 Mar 2017 13:07:42 +0100 Subject: [PATCH 3/3] rpc should only respond to signed messages --- rpc.js | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/rpc.js b/rpc.js index cff3dfeb0..eacaa05b2 100644 --- a/rpc.js +++ b/rpc.js @@ -15,11 +15,44 @@ var isValidChannel = function (chan) { return /^[a-fA-F0-9]/.test(chan); }; +var checkSignature = function (signedMsg, publicKey) { + if (!(signedMsg && publicKey)) { return null; } + + var signedBuffer = Nacl.util.decodeBase64(signedMsg); + var pubBuffer = Nacl.util.decodeBase64(publicKey); + + var opened = Nacl.sign.open(signedBuffer, pubBuffer); + + if (opened) { + var decoded = Nacl.util.encodeUTF8(opened); + try { + return JSON.parse(decoded); + } catch (e) { } // fall through to return + } + return null; +}; + RPC.create = function (config, cb) { // load pin-store... console.log('loading rpc module...'); - var rpc = function (ctx, msg, respond) { + var rpc = function (ctx, args, respond) { + if (args.length < 2) { + return void respond("INSUFFICIENT_ARGS"); + } + + var signed = args[0]; + var publicKey = args[1]; + + var msg = checkSignature(signed, publicKey); + if (!msg) { + return void respond("INVALID_SIGNATURE"); + } + + if (typeof(msg) !== 'object') { + return void respond('INVALID_MSG'); + } + switch (msg[0]) { case 'ECHO': respond(void 0, msg);