2014-01-23 03:12:43 +00:00
|
|
|
var path = require("path");
|
2014-02-25 00:32:54 +00:00
|
|
|
var fs = require("fs");
|
2014-01-23 03:12:43 +00:00
|
|
|
var net = require("net");
|
|
|
|
|
var express = require("express");
|
|
|
|
|
var webroot = path.join(__dirname, "..", "www");
|
|
|
|
|
var sendJade = require("./jade").sendJade;
|
|
|
|
|
var Server = require("../server");
|
|
|
|
|
var $util = require("../utilities");
|
|
|
|
|
var Logger = require("../logger");
|
|
|
|
|
var Config = require("../config");
|
2014-01-28 06:05:14 +00:00
|
|
|
var db = require("../database");
|
2013-12-12 20:48:23 +00:00
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
var httplog = new Logger.Logger(path.join(__dirname, "..", "..", "http.log"));
|
2013-12-12 20:48:23 +00:00
|
|
|
|
|
|
|
|
var suspiciousPath = (/admin|adm|\.\.|\/etc\/passwd|\\x5c|%5c|0x5c|setup|install|php|pma|blog|sql|scripts|aspx?|database/ig);
|
|
|
|
|
/**
|
|
|
|
|
* Determines whether a request is suspected of being illegitimate
|
|
|
|
|
*/
|
|
|
|
|
function isSuspicious(req) {
|
|
|
|
|
// ZmEu is a penetration script
|
2014-01-23 03:12:43 +00:00
|
|
|
if (req.header("user-agent") &&
|
|
|
|
|
req.header("user-agent").toLowerCase() === "zmeu") {
|
2013-12-12 20:48:23 +00:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (req.path.match(suspiciousPath)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Extracts an IP address from a request. Uses X-Forwarded-For if the IP is localhost
|
|
|
|
|
*/
|
|
|
|
|
function ipForRequest(req) {
|
|
|
|
|
var ip = req.ip;
|
2014-01-23 03:12:43 +00:00
|
|
|
if (ip === "127.0.0.1" || ip === "::1") {
|
|
|
|
|
var xforward = req.header("x-forwarded-for");
|
|
|
|
|
if (typeof xforward !== "string" || !net.isIP(xforward)) {
|
2013-12-12 20:48:23 +00:00
|
|
|
return ip;
|
|
|
|
|
} else {
|
|
|
|
|
return xforward;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return ip;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Logs an HTTP request
|
|
|
|
|
*/
|
|
|
|
|
function logRequest(req, status) {
|
|
|
|
|
if (status === undefined) {
|
|
|
|
|
status = 200;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
httplog.log([
|
|
|
|
|
ipForRequest(req),
|
2014-02-25 00:25:49 +00:00
|
|
|
req.method,
|
2013-12-12 20:48:23 +00:00
|
|
|
req.path,
|
2014-01-23 03:12:43 +00:00
|
|
|
req.header("user-agent")
|
|
|
|
|
].join(" "));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Redirects a request to HTTPS if the server supports it
|
|
|
|
|
*/
|
|
|
|
|
function redirectHttps(req, res) {
|
|
|
|
|
if (!req.secure && Config.get("https.enabled")) {
|
2014-02-26 20:28:24 +00:00
|
|
|
var ssldomain = Config.get("https.full-address");
|
2014-01-23 03:12:43 +00:00
|
|
|
res.redirect(ssldomain + req.path);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Redirects a request to HTTP if the server supports it
|
|
|
|
|
*/
|
|
|
|
|
function redirectHttp(req, res) {
|
|
|
|
|
if (req.secure) {
|
2014-02-26 20:28:24 +00:00
|
|
|
var domain = Config.get("http.full-address");
|
2014-01-23 03:12:43 +00:00
|
|
|
res.redirect(domain + req.path);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
2013-12-12 20:48:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles a GET request for /r/:channel - serves channel.html
|
|
|
|
|
*/
|
|
|
|
|
function handleChannel(req, res) {
|
2014-01-23 03:12:43 +00:00
|
|
|
if (redirectHttp(req, res)) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
if (!$util.isValidChannelName(req.params.channel)) {
|
|
|
|
|
logRequest(req, 404);
|
|
|
|
|
res.status(404);
|
2014-01-23 03:12:43 +00:00
|
|
|
res.send("Invalid channel name '" + req.params.channel + "'");
|
2013-12-12 20:48:23 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
logRequest(req);
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
var loginName = false;
|
|
|
|
|
if (req.cookies.auth) {
|
2014-01-23 03:12:43 +00:00
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
2013-12-12 20:48:23 +00:00
|
|
|
}
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2014-01-30 03:50:45 +00:00
|
|
|
var sio;
|
|
|
|
|
if (req.secure) {
|
2014-02-26 20:28:24 +00:00
|
|
|
sio = Config.get("https.full-address");
|
2014-01-30 03:50:45 +00:00
|
|
|
} else {
|
2014-02-26 16:57:49 +00:00
|
|
|
sio = Config.get("io.domain") + ":" + Config.get("io.port");
|
2014-01-30 03:50:45 +00:00
|
|
|
}
|
|
|
|
|
sio += "/socket.io/socket.io.js";
|
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
sendJade(res, "channel", {
|
2013-12-12 20:48:23 +00:00
|
|
|
channelName: req.params.channel,
|
|
|
|
|
loggedIn: loginName !== false,
|
|
|
|
|
loginName: loginName,
|
2014-01-30 03:50:45 +00:00
|
|
|
sioSource: sio
|
2013-12-12 20:48:23 +00:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles a request for the index page
|
|
|
|
|
*/
|
|
|
|
|
function handleIndex(req, res) {
|
|
|
|
|
logRequest(req);
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
var loginName = false;
|
|
|
|
|
if (req.cookies.auth) {
|
2014-01-23 03:12:43 +00:00
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
2013-12-12 20:48:23 +00:00
|
|
|
}
|
2014-01-20 23:52:36 +00:00
|
|
|
|
2014-01-23 21:53:53 +00:00
|
|
|
var channels = Server.getServer().packChannelList(true);
|
|
|
|
|
channels.sort(function (a, b) {
|
|
|
|
|
if (a.usercount === b.usercount) {
|
2014-02-28 15:04:41 +00:00
|
|
|
return a.uniqueName > b.uniqueName ? -1 : 1;
|
2014-01-23 21:53:53 +00:00
|
|
|
}
|
|
|
|
|
|
2014-02-28 15:04:41 +00:00
|
|
|
return b.usercount - a.usercount;
|
2014-01-23 21:53:53 +00:00
|
|
|
});
|
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
sendJade(res, "index", {
|
2013-12-12 20:48:23 +00:00
|
|
|
loggedIn: loginName !== false,
|
2014-01-20 23:52:36 +00:00
|
|
|
loginName: loginName,
|
2014-02-26 17:04:22 +00:00
|
|
|
channels: channels
|
2013-12-12 20:48:23 +00:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
/**
|
|
|
|
|
* Handles a request for the socket.io information
|
|
|
|
|
*/
|
|
|
|
|
function handleSocketConfig(req, res) {
|
|
|
|
|
logRequest(req);
|
|
|
|
|
|
|
|
|
|
res.type("application/javascript");
|
|
|
|
|
|
2014-02-26 16:57:49 +00:00
|
|
|
var io_url = Config.get("io.domain") + ":" + Config.get("io.port");
|
2014-01-23 03:12:43 +00:00
|
|
|
var web_url = Config.get("http.domain") + ":" + Config.get("http.port");
|
|
|
|
|
var ssl_url = Config.get("https.domain") + ":" + Config.get("https.port");
|
|
|
|
|
res.send("var IO_URL='"+io_url+"',WEB_URL='"+web_url+"',SSL_URL='" + ssl_url +
|
|
|
|
|
"',ALLOW_SSL="+Config.get("https.enabled")+";" +
|
|
|
|
|
(Config.get("https.enabled") ?
|
|
|
|
|
"if(location.protocol=='https:'||USEROPTS.secure_connection){" +
|
2014-02-13 06:12:17 +00:00
|
|
|
"IO_URL=WEB_URL=SSL_URL;}" : ""));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function handleUserAgreement(req, res) {
|
|
|
|
|
logRequest(req);
|
2014-02-15 06:12:11 +00:00
|
|
|
|
|
|
|
|
var loginName = false;
|
|
|
|
|
if (req.cookies.auth) {
|
|
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-13 06:12:17 +00:00
|
|
|
sendJade(res, "tos", {
|
2014-02-15 06:12:11 +00:00
|
|
|
loggedIn: loginName !== false,
|
|
|
|
|
loginName: loginName,
|
2014-02-13 06:12:17 +00:00
|
|
|
domain: Config.get("http.domain")
|
|
|
|
|
});
|
|
|
|
|
}
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2014-02-14 00:15:22 +00:00
|
|
|
function handleContactPage(req, res) {
|
|
|
|
|
logRequest(req);
|
|
|
|
|
|
2014-02-15 06:12:11 +00:00
|
|
|
var loginName = false;
|
|
|
|
|
if (req.cookies.auth) {
|
|
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-14 00:15:22 +00:00
|
|
|
// Make a copy to prevent messing with the original
|
|
|
|
|
var contacts = Config.get("contacts").map(function (c) {
|
|
|
|
|
return {
|
|
|
|
|
name: c.name,
|
|
|
|
|
email: c.email,
|
|
|
|
|
title: c.title
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Rudimentary hiding of email addresses to prevent spambots
|
|
|
|
|
contacts.forEach(function (c) {
|
|
|
|
|
c.emkey = $util.randomSalt(16)
|
|
|
|
|
var email = new Array(c.email.length);
|
|
|
|
|
for (var i = 0; i < c.email.length; i++) {
|
|
|
|
|
email[i] = String.fromCharCode(
|
|
|
|
|
c.email.charCodeAt(i) ^ c.emkey.charCodeAt(i % c.emkey.length)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
c.email = escape(email.join(""));
|
|
|
|
|
c.emkey = escape(c.emkey);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
sendJade(res, "contact", {
|
2014-02-15 06:12:11 +00:00
|
|
|
loggedIn: loginName !== false,
|
|
|
|
|
loginName: loginName,
|
2014-02-14 00:15:22 +00:00
|
|
|
contacts: contacts
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-24 05:27:07 +00:00
|
|
|
function static(dir) {
|
|
|
|
|
dir = path.join(__dirname, dir);
|
|
|
|
|
return function (req, res) {
|
2014-02-28 15:04:41 +00:00
|
|
|
try {
|
|
|
|
|
if (isSuspicious(req)) {
|
|
|
|
|
logRequest(req, 403);
|
|
|
|
|
res.status(403);
|
|
|
|
|
if (typeof req.header("user-agent") === "string" &&
|
|
|
|
|
req.header("user-agent").toLowerCase() === "zmeu") {
|
|
|
|
|
res.send("This server disallows requests from ZmEu.");
|
|
|
|
|
} else {
|
|
|
|
|
res.send("The request " + req.method.toUpperCase() + " " +
|
|
|
|
|
req.path + " looks pretty fishy to me. Double check that " +
|
|
|
|
|
"you typed it correctly.");
|
|
|
|
|
}
|
|
|
|
|
return;
|
2014-02-25 00:25:49 +00:00
|
|
|
}
|
|
|
|
|
|
2014-02-28 15:04:41 +00:00
|
|
|
res.sendfile(req.path.replace(/^\//, ""), {
|
|
|
|
|
maxAge: Config.get("http.cache-ttl") * 1000,
|
|
|
|
|
root: dir
|
|
|
|
|
}, function (err) {
|
|
|
|
|
logRequest(req);
|
|
|
|
|
if (err) {
|
|
|
|
|
res.send(err.status);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
} catch (e) {
|
|
|
|
|
Logger.errlog.log(e);
|
|
|
|
|
Logger.errlog.log(e.trace);
|
|
|
|
|
}
|
2014-02-24 05:27:07 +00:00
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
module.exports = {
|
|
|
|
|
/**
|
|
|
|
|
* Initializes webserver callbacks
|
|
|
|
|
*/
|
|
|
|
|
init: function (app) {
|
|
|
|
|
app.use(express.json());
|
|
|
|
|
app.use(express.urlencoded());
|
|
|
|
|
app.use(express.cookieParser());
|
2014-02-04 17:32:52 +00:00
|
|
|
|
|
|
|
|
if (Config.get("http.minify")) {
|
2014-02-25 00:32:54 +00:00
|
|
|
var cache = path.join(__dirname, "..", "..", "www", "cache")
|
|
|
|
|
if (!fs.existsSync(cache)) {
|
|
|
|
|
fs.mkdirSync(cache);
|
|
|
|
|
}
|
|
|
|
|
app.use(require("express-minify")({
|
|
|
|
|
cache: cache
|
|
|
|
|
}));
|
2014-02-04 17:32:52 +00:00
|
|
|
Logger.syslog.log("Enabled express-minify for CSS and JS");
|
|
|
|
|
}
|
2013-12-12 20:48:23 +00:00
|
|
|
/* Order here is important
|
|
|
|
|
* Since I placed /r/:channel above *, the function will
|
|
|
|
|
* not apply to the /r/:channel route. This prevents
|
2014-01-23 03:12:43 +00:00
|
|
|
* duplicate logging, since /r/:channel"s callback does
|
2013-12-12 20:48:23 +00:00
|
|
|
* its own logging
|
|
|
|
|
*/
|
2014-01-23 03:12:43 +00:00
|
|
|
app.get("/r/:channel", handleChannel);
|
|
|
|
|
app.get("/", handleIndex);
|
|
|
|
|
app.get("/sioconfig", handleSocketConfig);
|
2014-02-13 06:12:17 +00:00
|
|
|
app.get("/useragreement", handleUserAgreement);
|
2014-02-14 00:15:22 +00:00
|
|
|
app.get("/contact", handleContactPage);
|
2014-01-29 02:04:25 +00:00
|
|
|
require("./auth").init(app);
|
|
|
|
|
require("./account").init(app);
|
|
|
|
|
require("./acp").init(app);
|
2014-02-24 05:27:07 +00:00
|
|
|
app.use(static(path.join("..", "..", "www")));
|
2014-02-28 15:04:41 +00:00
|
|
|
app.use(function (err, req, res, next) {
|
|
|
|
|
if (err) {
|
|
|
|
|
Logger.errlog.log(err);
|
|
|
|
|
Logger.errlog.log(err.stack);
|
|
|
|
|
res.send(500);
|
|
|
|
|
} else {
|
|
|
|
|
next();
|
|
|
|
|
}
|
|
|
|
|
});
|
2013-12-12 20:48:23 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
logRequest: logRequest,
|
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
ipForRequest: ipForRequest,
|
|
|
|
|
|
|
|
|
|
redirectHttps: redirectHttps,
|
|
|
|
|
|
2014-02-25 00:25:49 +00:00
|
|
|
redirectHttp: redirectHttp,
|
2013-12-12 20:48:23 +00:00
|
|
|
};
|
