hectamail-website/signup/signup.py

from flask import Flask, render_template, request, redirect, url_for, session
import uuid
import subprocess
import re
import os
import random
from captcha.image import ImageCaptcha
from waitress import serve
import base64
import configparser
import configparser

# Load from config.ini

config = configparser.ConfigParser()
config.read("../config.ini")
secretkey = config.get("Signup", "secretkey")
captchachars = config.get("Signup", "captchachars")
runport = config.get("Signup", "port")

# Status report

print("HectaMail is starting up...")
print("Your secret key is:", secretkey)
print("Your CAPTCHA allowed characters are:", captchachars)

# Define the allowed pattern for the username

allowed_pattern = r'^[a-zA-Z0-9.]+$'

# Function to generate the CAPTCHA Code

def generate_captcha_text():
#    characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    captcha_text = ''.join(random.choice(captchachars) for i in range(6))
    return captcha_text

# Function to determine if the username is compilent with the regex filter

def is_valid_input(input_string):
    return re.match(allowed_pattern, input_string) is not None

# Initalise Flask

app = Flask(__name__)
app.secret_key = secretkey

# Function to create the email account, in this case using doas for security

def create_email_account(username, password):
    if password and is_valid_input(username):
        try:

            # Create a temporary file to escape the password

            with open("../tmp/password.tmp", "w") as file:
                file.write(password)

            # Pass the file through a shell command
            cmd = ["cat", "../tmp/password.tmp", "|", "maddy", "creds", "create", f"{username}@hectabit.org"]

            # Run and determine the result of the shell command
            result = subprocess.run(" ".join(cmd), shell=True, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

            # Delete the temporary file
            os.remove("../tmp/password.tmp")


            # Check if command executed correctly
            if result.returncode == 0:
                # Command executed successfully
                return True
            else:
                # Handle errors, log them, and return False
                error_message = result.stderr.decode("utf-8")
                print(f"Error creating email account: {error_message}")
                return False
        except Exception as e:
            # Handle exceptions and return False
            print(f"Error creating email account: {str(e)}")
            return False
    else:
        # Something went very wrong if this function triggers
        print(f"Injection Bypass! Very bad!")
        return False

@app.route('/')
def index():
    # Generate a unique token
    unique_token = str(uuid.uuid4())

    # Generate the CAPTCHA for the user
    captcha_text = generate_captcha_text()
    image = ImageCaptcha().generate(captcha_text)

    # Store the CAPTCHA and token in the session
    session['captcha_text'] = captcha_text
    session['unique_token'] = unique_token

    # Encode the image in base64
    image_base64 = base64.b64encode(image.getvalue()).decode('utf-8')

    # Report the CAPTCHA
    print(captcha_text)

    # Pass the CAPTCHA through to index.html
    return render_template('index.html', captcha_image=image_base64, unique_token=unique_token)

@app.route('/api', methods=['POST'])
def register():
    # Get the form data
    username = request.form.get('username')
    password = request.form.get('password')

    # Get the CAPTCHA
    user_captcha = request.form.get('captcha')

    # Get the unique token
    submitted_token = request.form.get('unique_token')

    # Check if the submitted token matches the one in the session
    if submitted_token != session.get('unique_token'):
        # Token mismatch, handle accordingly
        return render_template('expired.html'), 400

    # Generate a new unique token for the next request
    session['unique_token'] = str(uuid.uuid4())

    # Report the user captcha result
    print(user_captcha)

    # Check the regex filter
    if not is_valid_input(username):
        return render_template('num.html'), 400

    # Validate the captcha
    captcha_text = session.get('captcha_text', '')
    print(captcha_text)
    if user_captcha.lower() != captcha_text.lower():
        # CAPTCHA incorrect
        return render_template('captcha_err.html'), 400

    # Attempt to create the email
    if create_email_account(username, password):
        # Email created
        return render_template('ok.html')
    else:
        # Username probably taken
        return render_template('taken.html'), 500

# Start the web server
if __name__ == '__main__':
    serve(app, host='0.0.0.0', port=runport)
Looks like my caching prevention thing was broken? Oh well... 2023-11-19 11:40:23 +00:00			`from flask import Flask, render_template, request, redirect, url_for, session`
			`import uuid`
Init 2023-11-04 16:46:10 +00:00			`import subprocess`
			`import re`
Forgot to import os 2023-11-18 23:36:45 +00:00			`import os`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`import random`
			`from captcha.image import ImageCaptcha`
Init 2023-11-04 16:46:10 +00:00			`from waitress import serve`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`import base64`
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`import configparser`
			`import configparser`

			`# Load from config.ini`

			`config = configparser.ConfigParser()`
Fixed it not reading the config file 2023-11-19 13:51:30 +00:00			`config.read("../config.ini")`
Updated to include mockup of login 2023-11-19 13:48:33 +00:00			`secretkey = config.get("Signup", "secretkey")`
			`captchachars = config.get("Signup", "captchachars")`
			`runport = config.get("Signup", "port")`
Updated with comments and config file 2023-11-19 11:30:01 +00:00
			`# Status report`

			`print("HectaMail is starting up...")`
			`print("Your secret key is:", secretkey)`
			`print("Your CAPTCHA allowed characters are:", captchachars)`

			`# Define the allowed pattern for the username`
Init 2023-11-04 16:46:10 +00:00
			`allowed_pattern = r'^[a-zA-Z0-9.]+$'`

Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Function to generate the CAPTCHA Code`

Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`def generate_captcha_text():`
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
			`captcha_text = ''.join(random.choice(captchachars) for i in range(6))`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`return captcha_text`

Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Function to determine if the username is compilent with the regex filter`

Init 2023-11-04 16:46:10 +00:00			`def is_valid_input(input_string):`
			`return re.match(allowed_pattern, input_string) is not None`

Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Initalise Flask`

Init 2023-11-04 16:46:10 +00:00			`app = Flask(__name__)`
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`app.secret_key = secretkey`

			`# Function to create the email account, in this case using doas for security`
Init 2023-11-04 16:46:10 +00:00
			`def create_email_account(username, password):`
Should fix passwords with chars 2023-11-16 07:47:17 +00:00			`if password and is_valid_input(username):`
Init 2023-11-04 16:46:10 +00:00			`try:`
Should fix passwords with chars 2023-11-16 07:47:17 +00:00
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Create a temporary file to escape the password`

Updated signup 2023-11-20 00:53:37 +00:00			`with open("../tmp/password.tmp", "w") as file:`
Should fix passwords with chars 2023-11-16 07:47:17 +00:00			`file.write(password)`

Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Pass the file through a shell command`
Updated signup 2023-11-20 00:53:37 +00:00			`cmd = ["cat", "../tmp/password.tmp", "\|", "maddy", "creds", "create", f"{username}@hectabit.org"]`
Init 2023-11-04 16:46:10 +00:00
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Run and determine the result of the shell command`
			`result = subprocess.run(" ".join(cmd), shell=True, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)`
Updated imap-acct to be created independently Committer: Tracker-Friendly <jliwin98@danwin1210.de> 2023-11-04 17:27:55 +00:00
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Delete the temporary file`
Updated signup 2023-11-20 00:53:37 +00:00			`os.remove("../tmp/password.tmp")`
Should fix passwords with chars 2023-11-16 07:47:38 +00:00
Updated with comments and config file 2023-11-19 11:30:01 +00:00
			`# Check if command executed correctly`
			`if result.returncode == 0:`
Init 2023-11-04 16:46:10 +00:00			`# Command executed successfully`
			`return True`
			`else:`
			`# Handle errors, log them, and return False`
			`error_message = result.stderr.decode("utf-8")`
			`print(f"Error creating email account: {error_message}")`
			`return False`
			`except Exception as e:`
			`# Handle exceptions and return False`
			`print(f"Error creating email account: {str(e)}")`
			`return False`
			`else:`
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Something went very wrong if this function triggers`
Init 2023-11-04 16:46:10 +00:00			`print(f"Injection Bypass! Very bad!")`
			`return False`

			`@app.route('/')`
			`def index():`
Actually generate the token 2023-11-19 11:41:25 +00:00			`# Generate a unique token`
			`unique_token = str(uuid.uuid4())`

Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Generate the CAPTCHA for the user`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`captcha_text = generate_captcha_text()`
			`image = ImageCaptcha().generate(captcha_text)`
Updated with comments and config file 2023-11-19 11:30:01 +00:00
More bypass prevention 2023-11-19 11:38:22 +00:00			`# Store the CAPTCHA and token in the session`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`session['captcha_text'] = captcha_text`
More bypass prevention 2023-11-19 11:38:22 +00:00			`session['unique_token'] = unique_token`
Updated with comments and config file 2023-11-19 11:30:01 +00:00
			`# Encode the image in base64`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`image_base64 = base64.b64encode(image.getvalue()).decode('utf-8')`
Updated with comments and config file 2023-11-19 11:30:01 +00:00
			`# Report the CAPTCHA`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`print(captcha_text)`
Updated with comments and config file 2023-11-19 11:30:01 +00:00
			`# Pass the CAPTCHA through to index.html`
More bypass prevention 2023-11-19 11:38:22 +00:00			`return render_template('index.html', captcha_image=image_base64, unique_token=unique_token)`
Init 2023-11-04 16:46:10 +00:00
			`@app.route('/api', methods=['POST'])`
			`def register():`
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Get the form data`
Init 2023-11-04 16:46:10 +00:00			`username = request.form.get('username')`
			`password = request.form.get('password')`
Updated with comments and config file 2023-11-19 11:30:01 +00:00
			`# Get the CAPTCHA`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`user_captcha = request.form.get('captcha')`
Init 2023-11-04 16:46:10 +00:00
More bypass prevention 2023-11-19 11:38:22 +00:00			`# Get the unique token`
			`submitted_token = request.form.get('unique_token')`

			`# Check if the submitted token matches the one in the session`
			`if submitted_token != session.get('unique_token'):`
			`# Token mismatch, handle accordingly`
Updated buttons to refresh and made token expire page 2023-11-19 11:59:26 +00:00			`return render_template('expired.html'), 400`
More bypass prevention 2023-11-19 11:38:22 +00:00
Generate a new token each request to /api 2023-11-19 11:43:23 +00:00			`# Generate a new unique token for the next request`
			`session['unique_token'] = str(uuid.uuid4())`

Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Report the user captcha result`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`print(user_captcha)`
Updated with comments and config file 2023-11-19 11:30:01 +00:00
			`# Check the regex filter`
			`if not is_valid_input(username):`
Init 2023-11-04 16:46:10 +00:00			`return render_template('num.html'), 400`

Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`# Validate the captcha`
			`captcha_text = session.get('captcha_text', '')`
			`print(captcha_text)`
			`if user_captcha.lower() != captcha_text.lower():`
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# CAPTCHA incorrect`
Added CAPTCHA support 2023-11-19 01:06:08 +00:00			`return render_template('captcha_err.html'), 400`

Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Attempt to create the email`
Init 2023-11-04 16:46:10 +00:00			`if create_email_account(username, password):`
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Email created`
Init 2023-11-04 16:46:10 +00:00			`return render_template('ok.html')`
			`else:`
Updated login 2023-11-20 17:55:25 +00:00			`# Username probably taken`
			`return render_template('taken.html'), 500`
Init 2023-11-04 16:46:10 +00:00
Updated with comments and config file 2023-11-19 11:30:01 +00:00			`# Start the web server`
Init 2023-11-04 16:46:10 +00:00			`if __name__ == '__main__':`
Updated to include mockup of login 2023-11-19 13:48:33 +00:00			`serve(app, host='0.0.0.0', port=runport)`