* Fixed filenames not being escaped when editing files

This allowed a possible XSS by giving a file on the device a specially crafted name.

* Fixed HTML generation in webserver not escaping most things from req.query

This would allow XSS through a very simple phishing attack

* Added HtmlEscape to Mobile default as well

* Added sanitization to SAML redirect and Twitter/Azure
This commit is contained in:
Josiah Baldwin
2024-09-26 21:09:34 -07:00
committed by GitHub
parent df64c750cc
commit 04c96eb2ff
3 changed files with 35 additions and 31 deletions


@@ -11567,7 +11567,7 @@
gdownloadFile = { path: decodeURIComponent(x), file: decodeURIComponent(y), size: z, tsize: 0, data: '', state: 0, id: Math.random(), tag: tag }
//console.log('p13downloadFileCancel', gdownloadFile);
files.sendText({ action: 'download', sub: 'start', id: gdownloadFile.id, path: gdownloadFile.path });
setDialogMode(2, "Download File", 10, p13downloadFileCancel, '<div>' + gdownloadFile.file + '</div><br /><progress id=d2progressBar style=width:100% value=0 max=' + z + ' />');
setDialogMode(2, "Download File", 10, p13downloadFileCancel, '<div>' + EscapeHtml(gdownloadFile.file) + '</div><br /><progress id=d2progressBar style=width:100% value=0 max=' + z + ' />');
}
// Called by the html page to cancel the download
@@ -11738,7 +11738,7 @@
if (uploadFile.xfiles.length > uploadFile.xfilePtr) {
uploadFile.xptr = 0;
var file = uploadFile.xfiles[uploadFile.xfilePtr];
QH('p13dfileName', file.name);
QH('p13dfileName', EscapeHtml(file.name));
Q('d2progressBar').max = file.size;
Q('d2progressBar').value = 0;
if (file.xdata == null) {
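Review bot: The size value `z` is still concatenated unquoted into the `max=` attribute on the setDialogMode line of the first hunk (@@ -11567), so only the filename part of that markup is escaped by this change; if `z` ever arrives as a non-numeric string from the same source as the filename, it lands directly in an attribute position. Where `z` comes from is outside the hunk, so this is a hedged observation, but coercing it at the point of use and quoting the attribute removes the doubt: `'<div>' + EscapeHtml(gdownloadFile.file) + '</div><br /><progress id=d2progressBar style=width:100% value=0 max="' + (parseInt(z, 10) || 0) + '" />'`. The second hunk assigns `file.size` as a DOM property rather than markup, so it does not have the same concern. Both enclosing functions start outside their hunks.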