external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Fix/xss (#6403)

Browse source 
* Fixed filenames not being escaped when editing files

This allowed a possible XSS by naming a file in a particular way on your device.

* Fixed HTML generation in webserver not escaping most things from req.query

This would allow XSS through a very simple phishing attack

* Added HtmlEscape to Mobile default as well

* Added sanitization to SAML redirect and Twitter/Azure
This commit is contained in:
Josiah Baldwin 2024-09-26 21:09:34 -07:00 committed by GitHub
parent df64c750cc
commit 04c96eb2ff
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 35 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

4
views/default-mobile.handlebars
View file

@ -5895,7 +5895,7 @@
downloadFile = { path: decodeURIComponent(x), file: decodeURIComponent(y), size: z, tsize: 0, data: '', state: 0, id: Math.random() }
//console.log('p13downloadFileCancel', downloadFile);
files.sendText({ action: 'download', sub: 'start', id: downloadFile.id, path: downloadFile.path });
setDialogMode(2, "Download File", 10, p13downloadFileCancel, '<div>' + downloadFile.file + '</div><br /><progress id=d2progressBar style=width:100% value=0 max=' + z + ' />');
setDialogMode(2, "Download File", 10, p13downloadFileCancel, '<div>' + HtmlEscape(downloadFile.file) + '</div><br /><progress id=d2progressBar style=width:100% value=0 max=' + z + ' />');
}
// Called by the html page to cancel the download
@ -6043,7 +6043,7 @@
if (uploadFile.xfiles.length > uploadFile.xfilePtr) {
uploadFile.xptr = 0;
var file = uploadFile.xfiles[uploadFile.xfilePtr];
QH('p13dfileName', file.name);
QH('p13dfileName', HtmlEscape(file.name));
Q('d2progressBar').max = file.size;
Q('d2progressBar').value = 0;
if (file.xdata == null) {

4
views/default.handlebars
View file

@ -11567,7 +11567,7 @@
gdownloadFile = { path: decodeURIComponent(x), file: decodeURIComponent(y), size: z, tsize: 0, data: '', state: 0, id: Math.random(), tag: tag }
//console.log('p13downloadFileCancel', gdownloadFile);
files.sendText({ action: 'download', sub: 'start', id: gdownloadFile.id, path: gdownloadFile.path });
setDialogMode(2, "Download File", 10, p13downloadFileCancel, '<div>' + gdownloadFile.file + '</div><br /><progress id=d2progressBar style=width:100% value=0 max=' + z + ' />');
setDialogMode(2, "Download File", 10, p13downloadFileCancel, '<div>' + EscapeHtml(gdownloadFile.file) + '</div><br /><progress id=d2progressBar style=width:100% value=0 max=' + z + ' />');
}
// Called by the html page to cancel the download
@ -11738,7 +11738,7 @@
if (uploadFile.xfiles.length > uploadFile.xfilePtr) {
uploadFile.xptr = 0;
var file = uploadFile.xfiles[uploadFile.xfilePtr];
QH('p13dfileName', file.name);
QH('p13dfileName', EscapeHtml(file.name));
Q('d2progressBar').max = file.size;
Q('d2progressBar').value = 0;
if (file.xdata == null) {