From 937d0d810c7ccba397b98bc5de8b3364044a0dc3 Mon Sep 17 00:00:00 2001
From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com>
Date: Sat, 13 Jan 2024 22:03:49 -0500
Subject: [PATCH] fix: add additional pin validation (#2007)
---
 src/nvhttp.cpp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/nvhttp.cpp b/src/nvhttp.cpp
index ea4f3c82..bd00cb3a 100644
--- a/src/nvhttp.cpp
+++ b/src/nvhttp.cpp
@@ -324,6 +324,7 @@ namespace nvhttp {
 tree.put("root.plaincert", util::hex_vec(conf_intern.servercert, true));
 tree.put("root..status_code", 200);
 }
+ void serverchallengeresp(pair_session_t &sess, pt::ptree &tree, const args_t &args) {
 auto encrypted_response = util::from_hex_vec(get_arg(args, "serverchallengeresp"), true);
@@ -573,6 +574,23 @@ namespace nvhttp {
 return false;
 }
+ // ensure pin is 4 digits
+ if (pin.size() != 4) {
+ tree.put("root.paired", 0);
+ tree.put("root..status_code", 400);
+ tree.put(
+ "root..status_message", "Pin must be 4 digits, " + std::to_string(pin.size()) + " provided");
+ return false;
+ }
+
+ // ensure all pin characters are numeric
+ if (!std::all_of(pin.begin(), pin.end(), ::isdigit)) {
+ tree.put("root.paired", 0);
+ tree.put("root..status_code", 400);
+ tree.put("root..status_message", "Pin must be numeric");
+ return false;
+ }
+ auto &sess = std::begin(map_id_sess)->second;
 getservercert(sess, tree, pin);
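Review bot: The numeric check in the second hunk passes `::isdigit` straight to `std::all_of` over the pin's characters; assuming `pin` is a `std::string`, any byte above 0x7F (for example a non-ASCII character typed into the pairing form) reaches `isdigit` as a negative `char`, which is undefined behaviour on platforms where `char` is signed. Since the pin is caller-supplied, the predicate should take the byte as `unsigned char`: `if (!std::all_of(pin.begin(), pin.end(), [](unsigned char c) { return std::isdigit(c) != 0; })) {`. The hunk does not show whether `<algorithm>` and `<cctype>` are included in nvhttp.cpp, so that is worth confirming too. The enclosing function starts and ends outside the hunk, so whether failed pin attempts are limited elsewhere cannot be judged from here.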