From 1011401782de9fc44636e88f4b3e4bceb0de4e04 Mon Sep 17 00:00:00 2001
Message-Id: <1011401782de9fc44636e88f4b3e4bceb0de4e04.1714072441.git.mdw@distorted.org.uk>
From: Mark Wooding
Date: Sun, 30 Dec 2007 21:00:59 +0000
Subject: [PATCH] Shorter confirmation URLs. 'confirm=' becomes 'c=' and the confirmation secret is reduced to 80 bits (which amounts to 20 characters under base64).
Organization: Straylight/Edgeware
From: rjk@greenend.org.uk <>
http:// and /cgi-bin/disorder?c=XXXXXXXXXXXXXXXXXXXX amount to 47 characters, leaving over 30 characters for a hostname and still fitting into an 80 column display.
---
 server/dcgi.c | 6 +++---
 server/server.c | 10 +++++++---
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/server/dcgi.c b/server/dcgi.c
index e36719c..d54160e 100644
--- a/server/dcgi.c
+++ b/server/dcgi.c
@@ -537,7 +537,7 @@ static void act_register(cgi_sink *output,
 byte_xasprintf((char **)&text,
 "Welcome to DisOrder. To active your login, please visit this URL:\n"
 "\n"
- " %s?confirm=%s\n", config->url, urlencodestring(confirm));
+ "%s?c=%s\n", config->url, urlencodestring(confirm));
 if(!(text = mime_encode_text(text, &charset, &encoding)))
 fatal(0, "cannot encode email");
 byte_xasprintf(&content_type, "text/plain;charset=%s",
@@ -553,7 +553,7 @@ static void act_confirm(cgi_sink *output,
 dcgi_state *ds) {
 const char *confirmation;
- if(!(confirmation = cgi_get("confirm"))) {
+ if(!(confirmation = cgi_get("c"))) {
 cgi_set_option("error", "noconfirm");
 expand_template(ds, output, "login");
 }
@@ -1707,7 +1707,7 @@ void disorder_cgi(cgi_sink *output, dcgi_state *ds) {
 if(!action) {
 /* We allow URLs which are just confirm=... in order to keep confirmation
 * URLs, which are user-facing, as short as possible. */
- if(cgi_get("confirm"))
+ if(cgi_get("c"))
 action = "confirm";
 else
 action = "playing";
diff --git a/server/server.c b/server/server.c
index f0dfeb4..a09025e 100644
--- a/server/server.c
+++ b/server/server.c
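Review bot: The confirmation string is a bearer secret, and the mail body built here puts it in the query string (`"%s?c=%s\n"`), so it is recorded wherever the URL is recorded: web-server and proxy access logs, browser history, and the mail itself. Nothing in this hunk shows whether a string stays valid after it has been used once, so it is worth confirming that the confirm path invalidates it, and adding a comment above the format such as `/* The confirmation string is a bearer secret and this URL will appear in access logs */`. Separately, the unchanged context line reads "To active your login", which presumably should be `"Welcome to DisOrder. To activate your login, please visit this URL:\n"`. act_register starts and ends outside the hunk.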
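Review bot: Confirmation mails sent before this change carry `?confirm=...`, and after it `cgi_get("c")` is the only name looked up in act_confirm, so those links now land on the `noconfirm` error even though the stored confirmation string is presumably still valid. Accepting both names for a transition period keeps pending registrations working: `if(!(confirmation = cgi_get("c")) && !(confirmation = cgi_get("confirm"))) {`, with the matching `if(cgi_get("c") || cgi_get("confirm"))` in the disorder_cgi hunk below. act_confirm continues past the end of the hunk, so how the string is checked is not visible here.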
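Review bot: The comment directly above the changed test in disorder_cgi still says `confirm=...`, which no longer matches the parameter the code looks for; it should read `/* We allow URLs which are just c=... in order to keep confirmation`. That comment is also the place to record that any request without an action that carries a `c` parameter is now dispatched to the confirm action, since a one-letter name is easier to collide with than `confirm` was. disorder_cgi begins and ends outside the hunk.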
@@ -72,6 +72,10 @@
 # define NONCE_SIZE 16
 #endif
+#ifndef CONFIRM_SIZE
+# define CONFIRM_SIZE 10
+#endif
+
 int volume_left, volume_right; /* last known volume */
 /** @brief Accept all well-formed login attempts
@@ -1158,11 +1162,11 @@ static int c_register(struct conn *c,
 int offset;
 /* The confirmation string is base64(username;nonce) */
- bufsize = strlen(vec[0]) + NONCE_SIZE + 2;
+ bufsize = strlen(vec[0]) + CONFIRM_SIZE + 2;
 buf = xmalloc_noptr(bufsize);
 offset = byte_snprintf(buf, bufsize, "%s;", vec[0]);
- gcry_randomize(buf + offset, NONCE_SIZE, GCRY_STRONG_RANDOM);
- cs = mime_to_base64((uint8_t *)buf, offset + NONCE_SIZE);
+ gcry_randomize(buf + offset, CONFIRM_SIZE, GCRY_STRONG_RANDOM);
+ cs = mime_to_base64((uint8_t *)buf, offset + CONFIRM_SIZE);
 if(trackdb_adduser(vec[0], vec[1], config->default_rights, vec[2], cs))
 sink_writes(ev_writer_sink(c->w), "550 Cannot create user\n");
 else
-- [mdw]
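Review bot: `CONFIRM_SIZE` is introduced without a comment and, because of the `#ifndef`, can be overridden at build time to any value, including one small enough to make confirmation strings guessable. A Doxygen line in the file's style, `/** @brief Bytes of randomness in a confirmation string (10 bytes = 80 bits) */`, would record the intent. A floor such as `#if CONFIRM_SIZE < 10` / `# error "CONFIRM_SIZE must be at least 10 bytes"` / `#endif` would stop an accidental weakening.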
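Review bot: The comment above the allocation in c_register, `/* The confirmation string is base64(username;nonce) */`, does not say how much of the string is secret, and after this change that is `CONFIRM_SIZE` bytes from `GCRY_STRONG_RANDOM`: 80 bits by default, down from the 128 bits that the default `NONCE_SIZE` gave. I would extend it to something like `/* The confirmation string is base64(username;nonce); the nonce is CONFIRM_SIZE random bytes and is the only secret part */`. Because the username is encoded along with the nonce, the encoded string is 20 characters only for very short usernames. `vec[0]` is also joined with `;` without a visible check that it contains none, which matters if the confirm side splits on the first `;` (not visible here). c_register starts and ends outside the hunk.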