-rw-r--r--fastbangs.yaml3
-rw-r--r--src/Data/PendingBang.hs8
2 files changed, 10 insertions, 1 deletions
diff --git a/fastbangs.yaml b/fastbangs.yaml
index d184bae..1927761 100644
--- a/fastbangs.yaml
+++ b/fastbangs.yaml
@@ -20,4 +20,7 @@ admin-pw-hash: ""
# Users can leave their email in order to be notified when their bang is
# accepted/rejected. In order to send emails, the following command (if not
# commented out) will receive as arguments, in order: recipient, subject, body
+# HUGE WARNING: THE ARGUMENTS ARE UNTRUSTED USER INPUT. Users can enter almost
+# everything as their email address, so not being careful can easily lead to SQLI-type
+# vulnerabilities, and possibly remote command execution, so be careful.
#email-command: "/path/to/your/email/script"
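Review bot: The new warning names the wrong vulnerability class: the values are handed to the configured command as argv entries, so the risk is argument or shell injection (an address that the script re-interpolates into a shell line, or that gets read as an option), not "SQLI-type" injection, and a reader grepping for guidance on SQL will be misled. Suggest rewording the three added lines to `# HUGE WARNING: THE ARGUMENTS ARE UNTRUSTED USER INPUT. Anything the script does with them (interpolating into a shell command, forwarding them where they could be read as options) can become argument or command injection, so quote and validate them in the script rather than trusting the caller.` The comment is also only advisory; the actual input check lives in the Haskell side of this commit, and it would help to say so here so the two stay in sync.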
diff --git a/src/Data/PendingBang.hs b/src/Data/PendingBang.hs
index 05fafba..3a2aaa1 100644
--- a/src/Data/PendingBang.hs
+++ b/src/Data/PendingBang.hs
@@ -45,5 +45,11 @@ instance FromJSON PendingBang where
verifyPendingBang :: PendingBang -> Bool
verifyPendingBang (PendingBang n u dp mayEm) =
- T.all isAlphaNum n && all ((<255) . T.length) strings
+ T.all isAlphaNum n &&
+ all ((<255) . T.length) strings &&
+ emailOk mayEm
where strings = [n, u, dp] <> maybeToList mayEm
+ emailOk Nothing = True
+ emailOk (Just e) =
+ T.all (\c -> isAlphaNum c || c `T.elem` "@-.") e &&
+ T.take 1 e /= "-"
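Review bot: `emailOk (Just "")` returns `True`, because `T.all` on an empty text is vacuously true and `T.take 1 "" /= "-"` holds, so an empty address passes validation and reaches the email command as its recipient argument; a present-but-empty email should be rejected (or normalised to `Nothing` at parse time), e.g. `emailOk (Just e) = not (T.null e) && T.all (\c -> isAlphaNum c || c `T.elem` "@-.") e && T.take 1 e /= "-"`. The leading-dash check is the security-relevant part of the hunk and deserves a why-comment so nobody "simplifies" it away later: `-- A leading '-' is rejected so the address cannot be read as an option by the configured email-command.` Note also that `isAlphaNum` is Unicode-aware, so the whitelist admits letters and digits from any script; that looks harmless for an argv value, but if the intent was an ASCII-only address the check should say so explicitly. Stylistically the `Nothing`/`Just` pair could be `maybe True` applied to the predicate, which keeps the `where` block to one binding.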