From 0ccc57f6f7ec07199b0c1b6111d5a1c7fd58074f Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 7 Apr 2020 17:12:06 +0200
Subject: [PATCH] Protect current pad keys in the unsafe iframe

---
 www/common/sframe-common-outer.js | 8 +++++++-
 www/secureiframe/main.js | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/www/common/sframe-common-outer.js b/www/common/sframe-common-outer.js
index 98aa7c8a2..2ae6f789a 100644
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@@ -488,7 +488,7 @@ define([
 // Put in the following function the RPC queries that should also work in filepicker
- var addCommonRpc = function (sframeChan) {
+ var addCommonRpc = function (sframeChan, safe) {
 sframeChan.on('Q_ANON_RPC_MESSAGE', function (data, cb) {
 Cryptpad.anonRpcMsg(data.msg, data.content, function (err, response) {
 cb({error: err, response: response});
@@ -595,6 +595,12 @@ define([
 }
 if (data.href) { href = data.href; }
 Cryptpad.getPadAttribute(data.key, function (e, data) {
+ if (!safe && data) { // Remove unsafe data for the unsafe iframe delete data.href; delete data.roHref; delete data.password; }
 cb({
 error: e,
 data: data
diff --git a/www/secureiframe/main.js b/www/secureiframe/main.js
index 95fa826a6..ced68bbc6 100644
--- a/www/secureiframe/main.js
+++ b/www/secureiframe/main.js
@@ -106,7 +106,7 @@ define([
 Cryptpad.onMetadataChanged(updateMeta);
 sframeChan.onReg('EV_METADATA_UPDATE', updateMeta);
- config.addCommonRpc(sframeChan);
+ config.addCommonRpc(sframeChan, true);
 Cryptpad.padRpc.onMetadataEvent.reg(function (data) {
 sframeChan.event('EV_RT_METADATA', data);
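Review bot: The new `safe` parameter of `addCommonRpc` is undocumented, and because an omitted argument selects the filtering branch, every existing caller changes behaviour without any hint at the signature. A comment above the signature such as `// safe: pass true only for the secure iframe; any other caller receives pad attributes with href/roHref/password stripped` would make that fail-closed default explicit. The body of addCommonRpc continues past the end of the hunk.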
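Review bot: The three `delete` calls mutate the object that `getPadAttribute` hands to the callback; if that is the stored attribute object rather than a fresh copy (not visible in this hunk), the outer context itself loses href, roHref and password for the current pad the first time the unsafe iframe asks for its attributes. Returning a sanitized copy avoids that side effect, and an allowlist of the attributes the unsafe iframe actually needs would fail closed when a new sensitive attribute is introduced, whereas the present denylist has to be extended by hand. If `data.key` can select a single attribute so that the callback receives a plain value instead of an object, the guard does nothing for a request that names `href` directly; worth confirming against getPadAttribute. The enclosing handler starts and ends outside the hunk.
```javascript
            Cryptpad.getPadAttribute(data.key, function (e, data) {
                if (!safe && data && typeof data === 'object') {
                    // Unsafe iframe: sanitize a copy so the stored attributes stay intact
                    var filtered = {};
                    Object.keys(data).forEach(function (k) {
                        if (k === 'href' || k === 'roHref' || k === 'password') { return; }
                        filtered[k] = data[k];
                    });
                    data = filtered;
                }
                // … unchanged: cb({ error: e, data: data }) …
```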
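Review bot: The bare `true` at the call site gives no hint that it widens what this iframe receives from the RPC layer; writing it as `config.addCommonRpc(sframeChan, true /* safe: secure iframe only */);` keeps that visible to the next reader. This is the only caller in the patch that opts in, so every other caller falls into the filtered path, which is the right default.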