Security: Fix unauthorized URL submission bug in QR scanner

dyzulk
2026-01-12 09:00:13 +07:00
parent fec1613713
commit 7bddcf24c4


@@ -26,6 +26,7 @@ function handleDecodedText(decodedText) {
let username = decodedText; let username = decodedText;
let password = ""; let password = "";
let isUnauthorized = false;
scannedUrl = ""; scannedUrl = "";
// Check if result is a URL // Check if result is a URL
@@ -36,8 +37,6 @@ function handleDecodedText(decodedText) {
const currentHostname = window.location.hostname; const currentHostname = window.location.hostname;
// SECURITY CHECK: // SECURITY CHECK:
// 1. Fail-safe: Always allow current domain
// 2. Config: Allow domains in whitelist
const isAllowed = (hostname === currentHostname) || (brandConfig.allowedDomains && brandConfig.allowedDomains.some(domain => const isAllowed = (hostname === currentHostname) || (brandConfig.allowedDomains && brandConfig.allowedDomains.some(domain =>
hostname === domain || hostname.endsWith('.' + domain) hostname === domain || hostname.endsWith('.' + domain)
)); ));
@@ -54,27 +53,37 @@ function handleDecodedText(decodedText) {
password = params.get('password'); password = params.get('password');
} }
} else { } else {
// Not in whitelist: Treat as plain text and warn user // ILLEGAL DOMAIN: Strict blocking
console.warn(`Blocked unauthorized domain: ${hostname}`); console.warn(`Blocked unauthorized domain: ${hostname}`);
scannedUrl = ""; // Reset URL redirect isUnauthorized = true;
// Optionally: alert user or handle it as raw text username = hostname; // Show the blocked domain name
} }
} }
} catch (e) { } catch (e) {
console.error("Error parsing QR URL:", e); console.error("Error parsing QR URL:", e);
} }
// Fill inputs // Fill inputs (only if authorized)
if (!isUnauthorized) {
const voucherInput = document.getElementById('voucher-input'); const voucherInput = document.getElementById('voucher-input');
const passField = document.getElementById('voucher-pass'); const passField = document.getElementById('voucher-pass');
if (voucherInput) voucherInput.value = username; if (voucherInput) voucherInput.value = username;
if (passField) passField.value = password || username; if (passField) passField.value = password || username;
}
// Show confirmation overlay // Show confirmation overlay
const overlay = document.getElementById('qr-confirm-overlay'); const overlay = document.getElementById('qr-confirm-overlay');
const confirmUser = document.getElementById('confirm-user'); const confirmUser = document.getElementById('confirm-user');
const connectBtn = document.querySelector('button[onclick="proceedSubmit()"]');
if (overlay && confirmUser) { if (overlay && confirmUser) {
if (isUnauthorized) {
confirmUser.innerHTML = `<span style="color: #ff4d4d;">Blocked: ${username}</span>`;
if (connectBtn) connectBtn.style.display = 'none';
} else {
confirmUser.innerText = username; confirmUser.innerText = username;
if (connectBtn) connectBtn.style.display = 'block';
}
overlay.classList.remove('hidden'); overlay.classList.remove('hidden');
} }
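Review bot: The blocked-domain branch writes QR-derived data into the page with `innerHTML` (`confirmUser.innerHTML = \`<span ...>Blocked: ${username}</span>\``), and `username` there is the hostname of an attacker-controlled QR code. The WHATWG URL parser rejects `<` and `>` in hosts, so this is probably not injectable today, but it is one refactor away (e.g. if `username` ever falls back to the raw decoded text), and the rest of the function already uses `innerText`; prefer `confirmUser.textContent = \`Blocked: ${username}\`; confirmUser.style.color = '#ff4d4d';` in the blocked branch and `confirmUser.style.color = '';` alongside `confirmUser.innerText = username;` in the else branch. Hiding the Connect button with `style.display = 'none'` is only a presentational gate, and the voucher inputs keep whatever a previous scan left in them on the blocked path; if `proceedSubmit()` is reachable by any other route (Enter key, another control), consider also clearing `voucherInput.value`/`passField.value` when `isUnauthorized` is set, since the flag is function-local and invisible to `proceedSubmit`. Dropping the `scannedUrl = ""` reset from the else branch is safe only if `scannedUrl` is assigned solely inside the allowed branch, which lies between the visible hunks. `handleDecodedText` starts before and ends after these hunks.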