dkforest

A forum and chat platform (onion)
git clone https://git.dasho.dev/n0tr1v/dkforest.git

commit d4eb6eabb7a70576f5630273eabee4575f95d079
parent 91418b8a982c37be3aadde0c21f2f0fb1dc2e67d
Author: n0tr1v <n0tr1v@protonmail.com>
Date:   Sat, 22 Feb 2025 14:28:49 -0800

add missing username validation

Diffstat:
Mpkg/web/handlers/interceptors/slashInterceptor.go | 4++++
1 file changed, 4 insertions(+), 0 deletions(-)

diff --git a/pkg/web/handlers/interceptors/slashInterceptor.go b/pkg/web/handlers/interceptors/slashInterceptor.go
@@ -1011,6 +1011,10 @@ func handlePMCmd(c *command.Command) (handled bool) {
 // Hack to have 1 on 1 chat with the user
 if strings.TrimSpace(newMsg) == "" && c.Upload == nil {
+ if _, err := c.DB.GetUserByUsername(username); err != nil {
+ c.Err = errors.New("invalid username")
+ return true
+ }
 redirectPmUsernameQP := command.RedirectPmUsernameQP
 newURL := fmt.Sprintf("/api/v1/chat/messages/%s/stream?%s=%s", c.Room.Name, redirectPmUsernameQP, username)
 database.MsgPubSub.Pub("refresh_"+string(c.AuthUser.Username), database.ChatMessageType{Typ: database.Redirect, NewURL: newURL})
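Review bot: The added lookup in handlePMCmd only proves that some user matches `username`; the record it returns is discarded with `_`, and the raw string supplied by the caller is still what `fmt.Sprintf` places, unescaped, into the query string of `newURL` a few lines below. If `GetUserByUsername` matches case-insensitively or otherwise normalises its argument (not visible here), the redirect carries a value that differs from the stored name, so I would keep the result, `user, err := c.DB.GetUserByUsername(username)`, and build the URL from the stored name wrapped in `url.QueryEscape(...)`. The branch also reports every lookup failure, including a database error, as `"invalid username"`; if the DB layer exposes a distinct not-found error, only that case should produce this message. handlePMCmd starts and ends outside the hunk, so any earlier format check on `username` is not visible from here.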