From b0c4e8ce45c1bc40cd6fe25f5e1c56cafc61a920 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?=
Date: Thu, 22 Jun 2023 22:23:00 +0200
Subject: fixes some eval stuff
---
 "prog/\305\276/app.html" | 19 ++++++++++++-------
 "prog/\305\276/index.php" | 3 ++-
 2 files changed, 14 insertions(+), 8 deletions(-)
(limited to 'prog')
diff --git "a/prog/\305\276/app.html" "b/prog/\305\276/app.html"
index 544db56..6502e5f 100644
--- "a/prog/\305\276/app.html"
+++ "b/prog/\305\276/app.html"
@@ -242,10 +242,10 @@ async function paynow () {
 let sender = await sec1_from_pubkey(await pubkey_from_string("me"));
 let rcpt = await sec1_from_pubkey(window.recipient);
 let amount32 = new Uint8Array(4);
- amount32[3] = amount.value % 256;
- amount32[2] = (amount.value >> 8) % 256;
- amount32[1] = (amount.value >> 16) % 256;
- amount32[0] = (amount.value >> 24) % 256;
+ amount32[3] = eval(amount.value) % 256;
+ amount32[2] = (eval(amount.value) >> 8) % 256;
+ amount32[1] = (eval(amount.value) >> 16) % 256;
+ amount32[0] = (eval(amount.value) >> 24) % 256;
 amount.value = "";
 let comm = new TextEncoder().encode(comment.value);
 let comm256 = new Uint8Array(256);
@@ -309,12 +309,12 @@ async function pubkey_from_string (s) {
 return false;
 }
 async function paypossible () {
- if (amount.value == "") {
- console.log("paypossible: empty amount field");
+ if (!eval(amount.value)) {
+ console.log("paypossible: invalid amount field");
 pay.disabled = true;
 return;
 }
- if (!(Number(amount.value) <= 4294967296 && Number(amount.value) >= 0)) {
+ if (!(Number(eval(amount.value)) <= 4294967296 && Number(eval(amount.value)) >= 0)) {
 console.log("paypossible: amount invalid");
 pay.disabled = true;
 return;
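Review bot: `eval(amount.value)` on the four `amount32` lines runs whatever text is in the amount field as JavaScript with the page's own privileges, and the same applies to the two rewritten checks in the `paypossible` hunk below; the old `amount.value % 256` form already coerced the string to a number, so `Number(amount.value)` (guarded by `Number.isInteger`) is the parse step this needs, and if arithmetic input is the goal a small expression parser is the safer route than an evaluator. The field is also evaluated four separate times, so any input whose value differs between evaluations yields four inconsistent bytes. The signed `>>` plus `% 256` split only produces the right bytes because Uint8Array assignment wraps modulo 256; `const n = Number(amount.value);` followed by `new DataView(amount32.buffer).setUint32(0, n);` states the big-endian encoding directly and evaluates the field once. paynow begins before and continues after this hunk.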
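Review bot: The range check on the rewritten `if` still accepts `4294967296`, which is 2^32 and does not fit the four bytes paynow writes (with the `>>` split it encodes as all zeros), so the upper bound should be `< 4294967296` and the value should be required to be an integer, e.g. `const n = Number(amount.value);` then `if (!(Number.isInteger(n) && n > 0 && n < 4294967296)) {`. Because `eval` throws on an incomplete expression such as a half-typed operator, the new `if (!eval(amount.value))` line can leave paypossible before `pay.disabled = true` runs, so the button keeps whatever state the previous keystroke set; parsing with `Number` never throws and avoids that path. `Number(eval(...))` also evaluates the field two more times where one local would do. paypossible continues past the end of this hunk.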
@@ -324,6 +324,11 @@ async function paypossible () {
 pay.disabled = true;
 return;
 }
+ if (sec1.value.length < 1) {
+ console.log("paypossible: bad sec1 pubkey -- too short");
+ pay.disabled = true;
+ return;
+ }
 window.recipient = await pubkey_from_string(sec1.value);
 if (recipient == false) {
 console.log("paypossible: recipient pubkey bad");
diff --git "a/prog/\305\276/index.php" "b/prog/\305\276/index.php"
index 5b46ce1..dc2a2f5 100644
--- "a/prog/\305\276/index.php"
+++ "b/prog/\305\276/index.php"
@@ -299,11 +299,12 @@ switch ($_REQUEST["e"] . "-" . $_SERVER["REQUEST_METHOD"]) {
 @$balances[$tx->recipient] += $tx->amount;
 }
 response(200);
- foreach ($balances as $key => $value) // do not trust balances provided by this API, since they
+ foreach ($balances as $key => $value) { // do not trust balances provided by this API, since they
 $packed = pack("q", $value); // are cast to machine dependent int by php
 if (pack("Q", 123) === pack("P", 123)) // machine is little endian
 $packed = strrev($packed);
 echo $key . $packed;
+ }
 break;
 default:
 response(400, "unknown endpoint or method not allowed", TEXT);
-- 
cgit v1.2.3
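Review bot: `sec1.value.length < 1` on the added guard is a roundabout way of testing for an empty field; `if (sec1.value === "") {` reads directly and matches the "too short" message. The previous hunk's context shows pubkey_from_string ending in `return false;`, so this guard appears to be an early exit ahead of a check that already rejects bad input rather than a new validation, and the log text could say so, e.g. `"paypossible: empty sec1 pubkey field"`. paypossible begins before this hunk.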
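Review bot: With the braces now scoping the whole body, the `pack("Q", 123) === pack("P", 123)` endianness probe on the `if` line runs once per balance even though its result cannot change between iterations; compute it once before the `foreach`, e.g. `$little_endian = pack("Q", 123) === pack("P", 123);`, and test that flag inside the loop. PHP's `pack("J", $value)` emits a 64-bit big-endian value directly and would replace the `q` pack plus `strrev` pair, but confirm its encoding of negative balances matches the current output before swapping. The `switch` this hunk belongs to begins and ends outside it.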