Handle malformed encrypted requests without panics

Signed-off-by: Sean Du <do4suki@gmail.com>
This commit is contained in:
2026-07-13 08:03:18 +08:00
parent aebbc4b889
commit b1dfc68a0f
7 changed files with 135 additions and 91 deletions
+13 -1
View File
@@ -41,6 +41,10 @@ func login(ctx *gin.Context) {
}
xmcKey := utils.XOR(clientToken, serverToken)
if len(xmcKey) < 16 {
ss.Abort(errors.New("invalid login token data"))
return
}
aesKey := xmcKey[0:16]
reqData := gjson.Parse(ctx.MustGet("request_data").(string))
@@ -48,7 +52,15 @@ func login(ctx *gin.Context) {
if ss.CheckErr(err) {
return
}
loginKey := encrypt.AESCBCDecrypt(key, aesKey)[16:]
decryptedLoginKey, err := encrypt.AESCBCDecrypt(key, aesKey)
if ss.CheckErr(err) {
return
}
if len(decryptedLoginKey) < 16 {
ss.Abort(errors.New("invalid login key"))
return
}
loginKey := decryptedLoginKey[16:]
// fmt.Println("loginKey", string(loginKey))
// password, err := base64.StdEncoding.DecodeString(reqData.Get("login_passwd").String())