Stricter hostname validation (#246). Thank's to @SZenglein !!

biologist79 · Jun 18, 2023 · dc8d7ee · dc8d7ee
1 parent 9fa575e
commit dc8d7ee
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 6 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,4 +1,6 @@
 ## DEV-branch
+* 18.06.2023: Stricter hostname validation (#246). Thank's to @SZenglein !!
+* 18.06.2023: Some Web-UI improvements (#247) 
 * 17.06.2023: CMD_TOGGLE_WIFI_STATUS: Escape from BT-mode, WiFi cannot coexist with BT and can cause a crash
 * 13.06.2023: Bluetooth configuration tab in web-interface (#244)
 * 13.06.2023: Introduce new playmode "RANDOM_SUBDIRECTORY_OF_DIRECTORY_ALL_TRACKS_OF_DIR_RANDOM"

diff --git a/html/accesspoint.html b/html/accesspoint.html
@@ -83,7 +83,7 @@ <h1 data-i18n="wifi.title">WiFi-configuration</h1>
 			<label for="pwd" data-i18n="wifi.password.title">Password</label>:<br>
 			<input type="password" id="pwd" name="pwd" autocomplete="off" required><br>
 			<label for="hostname" data-i18n="wifi.hostname.title">Hostname</label>:<br>
-			<input type="text" id="hostname" name="hostname" value="espuino" required><br><br>
+			<input type="text" id="hostname" name="hostname" value="espuino" pattern="^[0-9a-zA-Z][0-9a-zA-Z\\-]{0,30}[0-9a-zA-Z]" required><br><br>
 
 			<input type="checkbox" id="scan_wifi_on_start" name="scan_wifi_on_start" value=false>
 			<label for="scan_wifi_on_start" data-i18n="wifi.scan.enabled">Start with best WiFi</label><br><br>

diff --git a/html/management.html b/html/management.html
@@ -216,7 +216,7 @@ <h5 class="modal-title" data-i18n="wifi.delete.title"></h5>
 					<div class="form-group col-md-12">
 						<label for="hostname" data-i18n="[prepend]wifi.hostname.title">:</label>
 						<input type="text" class="form-control" id="hostname" data-i18n="[placeholder]wifi.hostname.placeholder" name="hostname"
-							value="%HOSTNAME%" pattern="^[^-\.]{2,32}" required>
+							value="%HOSTNAME%" pattern="^[0-9a-zA-Z][0-9a-zA-Z\\-]{0,30}[0-9a-zA-Z]" required>
 					</div>
 					<br>
 					<div class="text-center">

diff --git a/src/Web.cpp b/src/Web.cpp
@@ -1327,7 +1327,7 @@ void handleDeleteSavedSSIDs(AsyncWebServerRequest *request) {
 }
 
 void handleGetActiveSSID(AsyncWebServerRequest *request) {
-	AsyncJsonResponse *response = new AsyncJsonResponse(true);
+	AsyncJsonResponse *response = new AsyncJsonResponse();
 	JsonObject obj = response->getRoot();
 
 	if (Wlan_IsConnected()) {
@@ -1346,9 +1346,33 @@ void handleGetHostname(AsyncWebServerRequest *request) {
 
 void handlePostHostname(AsyncWebServerRequest *request, JsonVariant &json){
 	const JsonString& jsonStr = json.as<JsonString>();
-	String hostname = String(jsonStr.c_str());
-	bool succ = Wlan_SetHostname(hostname);
+	size_t len = jsonStr.size();
+	const char *hostname = jsonStr.c_str();
+
+	// validation: first char alphanumerical, then alphanumerical or '-', last char alphanumerical
+	// These rules are mainly for mDNS purposes, a "pretty" hostname could have far fewer restrictions
+	bool validated = true;
+	if(len < 2 || len > 32) {
+		validated = false;
+	}
+
+	if(!isAlphaNumeric(hostname[0]) || !isAlphaNumeric(hostname[len-1])) {
+		validated = false;
+	}
+
+	for(int i = 0; i < len; i++) {
+		if(!isAlphaNumeric(hostname[i]) && hostname[i] != '-') {
+			validated = false;
+			break;
+		}
+	}
+
+	if (!validated) {
+		request->send(400, "text/plain; charset=utf-8", "hostname validation failed");
+		return;
+	}
 
+	bool succ = Wlan_SetHostname(String(hostname));
 	if (succ) {
 		request->send(200, "text/plain; charset=utf-8", hostname);
 	} else {

diff --git a/src/revision.h b/src/revision.h
@@ -1,4 +1,4 @@
 #pragma once
 
 #include "gitrevision.h"
-constexpr const char softwareRevision[] = "Software-revision: 20230617-1";
+constexpr const char softwareRevision[] = "Software-revision: 20230618-1";