Fix: validate username
parent
00e331ec5a
commit
5ab46abb21
@ -1636,14 +1636,13 @@ def capture_web() -> str | Response | WerkzeugResponse:
|
||||||
@app.route('/simple_capture', methods=['GET','POST'])
|
@app.route('/simple_capture', methods=['GET','POST'])
|
||||||
@flask_login.login_required # type: ignore[misc]
|
@flask_login.login_required # type: ignore[misc]
|
||||||
def simple_capture() -> str | Response | WerkzeugResponse:
|
def simple_capture() -> str | Response | WerkzeugResponse:
|
||||||
if flask_login.current_user.is_authenticated:
|
|
||||||
user = flask_login.current_user.get_id()
|
user = flask_login.current_user.get_id()
|
||||||
else:
|
if not re.match("^[A-Za-z0-9]+$", user):
|
||||||
user = src_request_ip(request)
|
# Username has been manipulated
|
||||||
if request.method == 'POST':
|
|
||||||
if not re.match("^[A-Za-z]+$", user):
|
|
||||||
flash('User is not permitted.', 'error')
|
flash('User is not permitted.', 'error')
|
||||||
return redirect(url_for('simple_capture'))
|
return redirect(url_for('submit_capture'))
|
||||||
|
|
||||||
|
if request.method == 'POST':
|
||||||
if not (request.form.get('url') or request.form.get('urls')):
|
if not (request.form.get('url') or request.form.get('urls')):
|
||||||
flash('Invalid submission: please submit at least a URL.', 'error')
|
flash('Invalid submission: please submit at least a URL.', 'error')
|
||||||
return render_template('simple_capture.html')
|
return render_template('simple_capture.html')
|
||||||
|
|
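Review bot: The new check `if not re.match("^[A-Za-z0-9]+$", user):` still accepts a username with a trailing newline, because `$` in Python's `re` matches just before a final `\n`, so a value like `"alice\n"` passes the allow-list the commit intends to enforce; `if not re.fullmatch(r'[A-Za-z0-9]+', user):` closes that gap (or `\Z` in place of `$`). If `current_user.get_id()` can ever return `None` for an authenticated user, `re.match` raises `TypeError` instead of rejecting the request, so `if user is None or not re.fullmatch(r'[A-Za-z0-9]+', user):` would route that case to the same 'User is not permitted.' redirect; whether `None` is reachable here is inferred from Flask-Login's usual contract and should be confirmed against the project's user model. The body of `simple_capture` continues past the end of the hunk.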