infra
/
cryptpad
2
1
Fork 0
Code Issues Pull Requests Projects Releases 1 Activity

Don't join or get metadata of an invalid channel

Browse Source
pull/1/head
yflory 4 years ago
parent 6d6bd9908e
commit cee0a2c577
3 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File

4
www/common/common-hash.js
Unescape Escape View File

@ -644,6 +644,10 @@ Version 4: Data URL when not a realtime link yet (new pad or "static" app)
'/' + curvePublic.replace(/\//g, '-') + '/'; '/' + curvePublic.replace(/\//g, '-') + '/';
}; };
Hash.isValidChannel = function (channelId) {
return /^[a-zA-Z0-9]{32,48}$/.test(channelId);
};
Hash.isValidHref = function (href) { Hash.isValidHref = function (href) {
// Non-empty href? // Non-empty href?
if (!href) { return; } if (!href) { return; }

7
www/common/outer/async-store.js
Unescape Escape View File

@ -1661,6 +1661,9 @@ define([
if (data.versionHash) { if (data.versionHash) {
return void getVersionHash(clientId, data); return void getVersionHash(clientId, data);
} }
if (!Hash.isValidChannel(data.channel)) {
return void postMessage(clientId, "PAD_ERROR", 'INVALID_CHAN');
}
var isNew = typeof channels[data.channel] === "undefined"; var isNew = typeof channels[data.channel] === "undefined";
var channel = channels[data.channel] = channels[data.channel] || { var channel = channels[data.channel] = channels[data.channel] || {
queue: [], queue: [],
@ -2043,6 +2046,10 @@ define([
if (store.offline || !store.anon_rpc) { return void cb({ error: 'OFFLINE' }); } if (store.offline || !store.anon_rpc) { return void cb({ error: 'OFFLINE' }); }
if (!data.channel) { return void cb({ error: 'ENOTFOUND'}); } if (!data.channel) { return void cb({ error: 'ENOTFOUND'}); }
if (data.channel.length !== 32) { return void cb({ error: 'EINVAL'}); } if (data.channel.length !== 32) { return void cb({ error: 'EINVAL'}); }
if (!Hash.isValidChannel(data.channel)) {
Feedback.send('METADATA_INVALID_CHAN');
return void cb({ error: 'EINVAL' });
}
store.anon_rpc.send('GET_METADATA', data.channel, function (err, obj) { store.anon_rpc.send('GET_METADATA', data.channel, function (err, obj) {
if (err) { return void cb({error: err}); } if (err) { return void cb({error: err}); }
var metadata = (obj && obj[0]) || {}; var metadata = (obj && obj[0]) || {};

5
www/common/outer/userObject.js
Unescape Escape View File

@ -829,6 +829,11 @@ define([
console.error(e); console.error(e);
} }
} }
if (!Hash.isValidChannel(el.channel)) {
// XXX delete channel?
console.error('Remove invalid channel', el.channel, el);
// toClean.push(id);
}
if ((loggedIn || config.testMode) && rootFiles.indexOf(id) === -1) { if ((loggedIn || config.testMode) && rootFiles.indexOf(id) === -1) {
debug("An element in filesData was not in ROOT, TEMPLATE or TRASH.", id, el); debug("An element in filesData was not in ROOT, TEMPLATE or TRASH.", id, el);

Write Preview
Loading…
Cancel
Save