From ff4865f4b682c18043a4a75cbceeace3e769adea Mon Sep 17 00:00:00 2001
From: lare <lare@lare.cc>
Date: Sun, 4 Dec 2022 18:37:35 +0100
Subject: [PATCH] check values for debug login (@famfo, you know why)

---
 web/backend/main.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/web/backend/main.py b/web/backend/main.py
index 73aa493..3b260c4 100644
--- a/web/backend/main.py
+++ b/web/backend/main.py
@@ -4,7 +4,7 @@ from flask import Flask, Response, redirect, render_template, request, session,
 import werkzeug.exceptions as werkzeug_exceptions
 import json, os, base64, logging, random
 from functools import wraps
-from ipaddress import ip_address, ip_network
+from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
 import kioubit_verify
 
 app = Flask(__name__)
@@ -327,21 +327,30 @@ def login():
                 msg = "what is the answer for everything?"
                 return render_template("login.html", session=session,config=config,return_addr=session["return_url"], msg=msg)
             mnt = request.form["mnt"]
+            if not mnt.upper().endswith("-MNT"): raise ValueError
             asn = request.form["asn"]
             asn = asn[2:] if asn[:2].lower() == "as" else asn
+            int(asn)
             if "allowed4" in request.form:
                 allowed4 = request.form["allowed4"]
-                # allowed4 = allowed4.split(",") if "," in allowed4 else allowed4
+                v4_ranges = allowed4.split(",") if "," in allowed4 else [allowed4]
+                for v4_range in v4_ranges:
+                    IPv4Network(v4_range)
             else:
                 allowed4 = None
             if "allowed6" in request.form:
                 allowed6 = request.form["allowed6"]
-                # allowed6 = allowed6.split(",") if "," in allowed6 else allowed6
+                v6_ranges = allowed6.split(",") if "," in allowed6 else [allowed6]
+                for v6_range in v6_ranges:
+                    IPv6Network(v6_range)
             else:
                 allowed6 = None
             session["user-data"] = {'asn':asn,'allowed4': allowed4, 'allowed6': allowed6,'mnt':mnt, 'authtype': "debug"}
             session["login"] = mnt
             return redirect(session["return_url"])
+        except ValueError:
+            msg = "at least one of the values provided is wrong/invalid"
+            return render_template("login.html", session=session,config=config,return_addr=session["return_url"], msg=msg)
         except KeyError:
             msg = "not all required field were specified"
             return render_template("login.html", session=session,config=config,return_addr=session["return_url"], msg=msg)