From a77396b9a8614b51bff933c0886151ffeaa651e8 Mon Sep 17 00:00:00 2001
From: Ben Harris <ben@tilde.team>
Date: Tue, 8 Mar 2022 12:47:56 -0500
Subject: [PATCH] allow all valid pubkey types, not just ssh-

---
 signup/signup-handler.php | 42 ++++++++++++++++++++++++++++++---------
 1 file changed, 33 insertions(+), 9 deletions(-)

diff --git a/signup/signup-handler.php b/signup/signup-handler.php
index 461bdae..e5a04c7 100644
--- a/signup/signup-handler.php
+++ b/signup/signup-handler.php
@@ -22,6 +22,30 @@ function add_ban_info($name, $email) {
     file_put_contents("/var/signups_banned", $user_info.PHP_EOL, FILE_APPEND);
 }
 
+function starts_with($string, $prefix)
+{
+    return substr($string, 0, strlen($prefix)) === $prefix;
+}
+
+function is_ssh_pubkey($string)
+{
+    // list from sshd(8)
+    $valid_pubkeys = [
+        'sk-ecdsa-sha2-nistp256@openssh.com',
+        'ecdsa-sha2-nistp256',
+        'ecdsa-sha2-nistp384',
+        'ecdsa-sha2-nistp521',
+        'sk-ssh-ed25519@openssh.com',
+        'ssh-ed25519',
+        'ssh-dss',
+        'ssh-rsa',
+    ];
+
+    foreach ($valid_pubkeys as $pub)
+        if (starts_with($string, $pub)) return true;
+    return false;
+}
+
 function forbidden_name($name): bool
 {
     $badnames = [
@@ -151,10 +175,10 @@ if (isset($_REQUEST["username"]) && isset($_REQUEST["email"])) {
         $message .= "<li>please explain why you're interested so we can make sure you're a real human being</li>";
 
     $sshkey = trim($_REQUEST["sshkey"]);
-    if ($sshkey == "" || (mb_substr($sshkey, 0, 4) !== "ssh-" && mb_substr($sshkey, 0, 11) !== "ecdsa-sha2-"))
+    if ($sshkey == "" || !is_ssh_pubkey($sshkey))
         $message .= '<li>ssh key required: please create one and submit the public key. '
-            . 'see our <a href="https://tilde.team/wiki/ssh">ssh wiki</a> or '
-            . 'hop on <a href="https://tilde.chat/kiwi/#team">irc</a> and ask for help</li>';
+        . 'see our <a href="https://tilde.team/wiki/ssh">ssh wiki</a> or '
+        . 'hop on <a href="https://tilde.chat/kiwi/#team">irc</a> and ask for help</li>';
     else {
         if ($name != "" && $email != "") {
             if (forbidden_sshkey($sshkey)) {
@@ -179,24 +203,24 @@ $makeuser
 
         if (mail('sudoers', 'new tilde.team signup', $msgbody)) {
             echo '<div class="alert alert-success" role="alert">
-                    email sent! we\'ll get back to you soon (usually within a day) with login instructions! <a href="/">back to tilde.team home</a>
-                  </div>';
+                email sent! we\'ll get back to you soon (usually within a day) with login instructions! <a href="/">back to tilde.team home</a>
+                </div>';
             // temp. add to forbidden to prevent double signups (cleanup after user creation)
             file_put_contents("/var/signups_current", $name.PHP_EOL, FILE_APPEND);
             file_put_contents("/var/signups", $makeuser.PHP_EOL, FILE_APPEND);
         } else {
             echo '<div class="alert alert-danger" role="alert">
-                    something went wrong... please send an email to <a href="mailto:sudoers@tilde.team">sudoers@tilde.team</a> with details of what happened
-                  </div>';
+                something went wrong... please send an email to <a href="mailto:sudoers@tilde.team">sudoers@tilde.team</a> with details of what happened
+                </div>';
         }
 
     } else {
-        ?>
+?>
         <div class="alert alert-warning" role="alert">
             <strong>notice: </strong>
             <?=$message?>
         </div>
-        <?php
+<?php
     }
 }
 ?>