Add Base32 validation, better URL entity decoding

2017-12-09 22:34:01 -07:00 · 2017-12-09 22:34:01 -07:00 · 88dbc75f5d
commit 88dbc75f5d
parent 01ba58322d
1 changed files with 14 additions and 0 deletions
--- a/www/views/addotp.html
+++ b/www/views/addotp.html
@ -55,6 +55,12 @@
 	    navigator.notification.alert("Missing secret key.", null, "Error", 'Dismiss');
 	    return;
 	}
+        key = key.toUpperCase();
+        /* Thanks to https://stackoverflow.com/a/27362880 for the regex */
+        if (!key.match(/^(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?$/)) {
+            navigator.notification.alert("Secret key is not valid base32.", null, "Error", 'Dismiss');
+	    return;
+        }
 	if (label == "") {
 	    navigator.notification.alert("Missing label.", null, "Error", 'Dismiss');
 	    return;
@ -112,6 +118,14 @@
 				    return;
 				}
 			    }
+			    try {
+                                secret = decodeURIComponent(secret);
+				issuer = decodeURIComponent(issuer);
+				label = decodeURIComponent(label);
+			    } catch (e) {
+				navigator.notification.alert("Could not decode OTP URI.", null, "Error", 'Dismiss');
+				return;
+			    }
 			    addOTP(secret, label, issuer);
 			}
 		    },