2014-01-23 03:12:43 +00:00
|
|
|
var path = require("path");
|
|
|
|
var net = require("net");
|
|
|
|
var express = require("express");
|
|
|
|
var webroot = path.join(__dirname, "..", "www");
|
|
|
|
var sendJade = require("./jade").sendJade;
|
|
|
|
var Server = require("../server");
|
|
|
|
var $util = require("../utilities");
|
|
|
|
var Logger = require("../logger");
|
|
|
|
var Config = require("../config");
|
2014-01-28 06:05:14 +00:00
|
|
|
var db = require("../database");
|
2013-12-12 20:48:23 +00:00
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
var httplog = new Logger.Logger(path.join(__dirname, "..", "..", "http.log"));
|
2013-12-12 20:48:23 +00:00
|
|
|
|
|
|
|
var suspiciousPath = (/admin|adm|\.\.|\/etc\/passwd|\\x5c|%5c|0x5c|setup|install|php|pma|blog|sql|scripts|aspx?|database/ig);
|
|
|
|
/**
|
|
|
|
* Determines whether a request is suspected of being illegitimate
|
|
|
|
*/
|
|
|
|
function isSuspicious(req) {
|
|
|
|
// ZmEu is a penetration script
|
2014-01-23 03:12:43 +00:00
|
|
|
if (req.header("user-agent") &&
|
|
|
|
req.header("user-agent").toLowerCase() === "zmeu") {
|
2013-12-12 20:48:23 +00:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (req.path.match(suspiciousPath)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Extracts an IP address from a request. Uses X-Forwarded-For if the IP is localhost
|
|
|
|
*/
|
|
|
|
function ipForRequest(req) {
|
|
|
|
var ip = req.ip;
|
2014-01-23 03:12:43 +00:00
|
|
|
if (ip === "127.0.0.1" || ip === "::1") {
|
|
|
|
var xforward = req.header("x-forwarded-for");
|
|
|
|
if (typeof xforward !== "string" || !net.isIP(xforward)) {
|
2013-12-12 20:48:23 +00:00
|
|
|
return ip;
|
|
|
|
} else {
|
|
|
|
return xforward;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ip;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Logs an HTTP request
|
|
|
|
*/
|
|
|
|
function logRequest(req, status) {
|
|
|
|
if (status === undefined) {
|
|
|
|
status = 200;
|
|
|
|
}
|
|
|
|
|
|
|
|
httplog.log([
|
|
|
|
ipForRequest(req),
|
|
|
|
req.route.method.toUpperCase(),
|
|
|
|
req.path,
|
2014-01-23 03:12:43 +00:00
|
|
|
req.header("user-agent")
|
|
|
|
].join(" "));
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Redirects a request to HTTPS if the server supports it
|
|
|
|
*/
|
|
|
|
function redirectHttps(req, res) {
|
|
|
|
if (!req.secure && Config.get("https.enabled")) {
|
|
|
|
var ssldomain = Config.get("https.domain");
|
|
|
|
var port = Config.get("https.port");
|
|
|
|
if (port !== 443) {
|
|
|
|
ssldomain += ":" + port;
|
|
|
|
}
|
|
|
|
res.redirect(ssldomain + req.path);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Redirects a request to HTTP if the server supports it
|
|
|
|
*/
|
|
|
|
function redirectHttp(req, res) {
|
|
|
|
if (req.secure) {
|
|
|
|
var domain = Config.get("http.domain");
|
|
|
|
var port = Config.get("http.port");
|
|
|
|
if (port !== 80) {
|
|
|
|
domain += ":" + port;
|
|
|
|
}
|
|
|
|
console.log(domain);
|
|
|
|
res.redirect(domain + req.path);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
2013-12-12 20:48:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Handles a GET request for /r/:channel - serves channel.html
|
|
|
|
*/
|
|
|
|
function handleChannel(req, res) {
|
2014-01-23 03:12:43 +00:00
|
|
|
if (redirectHttp(req, res)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
if (!$util.isValidChannelName(req.params.channel)) {
|
|
|
|
logRequest(req, 404);
|
|
|
|
res.status(404);
|
2014-01-23 03:12:43 +00:00
|
|
|
res.send("Invalid channel name '" + req.params.channel + "'");
|
2013-12-12 20:48:23 +00:00
|
|
|
return;
|
|
|
|
}
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
logRequest(req);
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
var loginName = false;
|
|
|
|
if (req.cookies.auth) {
|
2014-01-23 03:12:43 +00:00
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
2013-12-12 20:48:23 +00:00
|
|
|
}
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2014-01-30 03:50:45 +00:00
|
|
|
var sio;
|
|
|
|
if (req.secure) {
|
|
|
|
sio = Config.get("https.domain") + ":" + Config.get("https.port");
|
|
|
|
} else {
|
|
|
|
sio = Config.get("http.domain") + ":" + Config.get("io.port");
|
|
|
|
}
|
|
|
|
sio += "/socket.io/socket.io.js";
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
sendJade(res, "channel", {
|
2013-12-12 20:48:23 +00:00
|
|
|
channelName: req.params.channel,
|
|
|
|
loggedIn: loginName !== false,
|
|
|
|
loginName: loginName,
|
2014-01-30 03:50:45 +00:00
|
|
|
sioSource: sio
|
2013-12-12 20:48:23 +00:00
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Handles a request for the index page
|
|
|
|
*/
|
|
|
|
function handleIndex(req, res) {
|
|
|
|
logRequest(req);
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
var loginName = false;
|
|
|
|
if (req.cookies.auth) {
|
2014-01-23 03:12:43 +00:00
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
2013-12-12 20:48:23 +00:00
|
|
|
}
|
2014-01-20 23:52:36 +00:00
|
|
|
|
2014-01-23 21:53:53 +00:00
|
|
|
var channels = Server.getServer().packChannelList(true);
|
|
|
|
channels.sort(function (a, b) {
|
|
|
|
if (a.usercount === b.usercount) {
|
|
|
|
return a.uniqueName > b.uniqueName ? 1 : -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return a.usercount - b.usercount;
|
|
|
|
});
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
sendJade(res, "index", {
|
2013-12-12 20:48:23 +00:00
|
|
|
loggedIn: loginName !== false,
|
2014-01-20 23:52:36 +00:00
|
|
|
loginName: loginName,
|
|
|
|
channels: Server.getServer().packChannelList(true)
|
2013-12-12 20:48:23 +00:00
|
|
|
});
|
|
|
|
}
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
/**
|
|
|
|
* Handles a request for the socket.io information
|
|
|
|
*/
|
|
|
|
function handleSocketConfig(req, res) {
|
|
|
|
logRequest(req);
|
|
|
|
|
|
|
|
res.type("application/javascript");
|
|
|
|
|
|
|
|
var io_url = Config.get("http.domain") + ":" + Config.get("io.port");
|
|
|
|
var web_url = Config.get("http.domain") + ":" + Config.get("http.port");
|
|
|
|
var ssl_url = Config.get("https.domain") + ":" + Config.get("https.port");
|
|
|
|
res.send("var IO_URL='"+io_url+"',WEB_URL='"+web_url+"',SSL_URL='" + ssl_url +
|
|
|
|
"',ALLOW_SSL="+Config.get("https.enabled")+";" +
|
|
|
|
(Config.get("https.enabled") ?
|
|
|
|
"if(location.protocol=='https:'||USEROPTS.secure_connection){" +
|
2014-02-13 06:12:17 +00:00
|
|
|
"IO_URL=WEB_URL=SSL_URL;}" : ""));
|
|
|
|
}
|
|
|
|
|
|
|
|
function handleUserAgreement(req, res) {
|
|
|
|
logRequest(req);
|
2014-02-15 06:12:11 +00:00
|
|
|
|
|
|
|
var loginName = false;
|
|
|
|
if (req.cookies.auth) {
|
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
|
|
|
}
|
|
|
|
|
2014-02-13 06:12:17 +00:00
|
|
|
sendJade(res, "tos", {
|
2014-02-15 06:12:11 +00:00
|
|
|
loggedIn: loginName !== false,
|
|
|
|
loginName: loginName,
|
2014-02-13 06:12:17 +00:00
|
|
|
domain: Config.get("http.domain")
|
|
|
|
});
|
|
|
|
}
|
2014-01-23 03:12:43 +00:00
|
|
|
|
2014-02-14 00:15:22 +00:00
|
|
|
function handleContactPage(req, res) {
|
|
|
|
logRequest(req);
|
|
|
|
|
2014-02-15 06:12:11 +00:00
|
|
|
var loginName = false;
|
|
|
|
if (req.cookies.auth) {
|
|
|
|
loginName = req.cookies.auth.split(":")[0];
|
|
|
|
}
|
|
|
|
|
2014-02-14 00:15:22 +00:00
|
|
|
// Make a copy to prevent messing with the original
|
|
|
|
var contacts = Config.get("contacts").map(function (c) {
|
|
|
|
return {
|
|
|
|
name: c.name,
|
|
|
|
email: c.email,
|
|
|
|
title: c.title
|
|
|
|
};
|
|
|
|
});
|
|
|
|
|
|
|
|
// Rudimentary hiding of email addresses to prevent spambots
|
|
|
|
contacts.forEach(function (c) {
|
|
|
|
c.emkey = $util.randomSalt(16)
|
|
|
|
var email = new Array(c.email.length);
|
|
|
|
for (var i = 0; i < c.email.length; i++) {
|
|
|
|
email[i] = String.fromCharCode(
|
|
|
|
c.email.charCodeAt(i) ^ c.emkey.charCodeAt(i % c.emkey.length)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
c.email = escape(email.join(""));
|
|
|
|
c.emkey = escape(c.emkey);
|
|
|
|
});
|
|
|
|
|
|
|
|
sendJade(res, "contact", {
|
2014-02-15 06:12:11 +00:00
|
|
|
loggedIn: loginName !== false,
|
|
|
|
loginName: loginName,
|
2014-02-14 00:15:22 +00:00
|
|
|
contacts: contacts
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
2013-12-12 20:48:23 +00:00
|
|
|
module.exports = {
|
|
|
|
/**
|
|
|
|
* Initializes webserver callbacks
|
|
|
|
*/
|
|
|
|
init: function (app) {
|
|
|
|
app.use(express.json());
|
|
|
|
app.use(express.urlencoded());
|
|
|
|
app.use(express.cookieParser());
|
2014-02-04 17:32:52 +00:00
|
|
|
|
|
|
|
if (Config.get("http.minify")) {
|
|
|
|
app.use(require("express-minify")());
|
|
|
|
Logger.syslog.log("Enabled express-minify for CSS and JS");
|
|
|
|
}
|
2013-12-12 20:48:23 +00:00
|
|
|
/* Order here is important
|
|
|
|
* Since I placed /r/:channel above *, the function will
|
|
|
|
* not apply to the /r/:channel route. This prevents
|
2014-01-23 03:12:43 +00:00
|
|
|
* duplicate logging, since /r/:channel"s callback does
|
2013-12-12 20:48:23 +00:00
|
|
|
* its own logging
|
|
|
|
*/
|
2014-01-23 03:12:43 +00:00
|
|
|
app.get("/r/:channel", handleChannel);
|
|
|
|
app.get("/", handleIndex);
|
|
|
|
app.get("/sioconfig", handleSocketConfig);
|
2014-02-13 06:12:17 +00:00
|
|
|
app.get("/useragreement", handleUserAgreement);
|
2014-02-14 00:15:22 +00:00
|
|
|
app.get("/contact", handleContactPage);
|
2014-01-29 02:04:25 +00:00
|
|
|
require("./auth").init(app);
|
|
|
|
require("./account").init(app);
|
|
|
|
require("./acp").init(app);
|
2014-01-23 03:12:43 +00:00
|
|
|
app.all("*", function (req, res, next) {
|
2013-12-12 20:48:23 +00:00
|
|
|
if (isSuspicious(req)) {
|
2014-01-29 02:04:25 +00:00
|
|
|
console.log("isSuspicious");
|
2013-12-12 20:48:23 +00:00
|
|
|
logRequest(req, 403);
|
|
|
|
res.status(403);
|
2014-01-23 03:12:43 +00:00
|
|
|
if (req.header("user-agent").toLowerCase() === "zmeu") {
|
|
|
|
res.send("This server disallows requests from ZmEu.");
|
2013-12-12 20:48:23 +00:00
|
|
|
} else {
|
2014-01-23 03:12:43 +00:00
|
|
|
res.send("The request " + req.route.method.toUpperCase() + " " +
|
|
|
|
req.path + " looks pretty fishy to me. Double check that " +
|
|
|
|
"you typed it correctly.");
|
2013-12-12 20:48:23 +00:00
|
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
logRequest(req);
|
|
|
|
next();
|
|
|
|
});
|
2014-01-23 03:12:43 +00:00
|
|
|
app.use(express.static("www"));
|
2013-12-12 20:48:23 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
logRequest: logRequest,
|
|
|
|
|
2014-01-23 03:12:43 +00:00
|
|
|
ipForRequest: ipForRequest,
|
|
|
|
|
|
|
|
redirectHttps: redirectHttps,
|
|
|
|
|
|
|
|
redirectHttp: redirectHttp
|
2013-12-12 20:48:23 +00:00
|
|
|
};
|