Added BREACH attack mittigation, #4084

2025-03-09 15:40:18 +00:00 · 2022-06-08 10:47:23 -07:00 · 2022-06-08 10:47:23 -07:00 · ea7e98b3b4
commit ea7e98b3b4
parent f5f4305841
24 changed files with 727 additions and 700 deletions
--- a/webserver.js
+++ b/webserver.js
@ -7696,6 +7696,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
        xargs.domainurl = domain.url;
        xargs.autocomplete = (domain.autocomplete === false)?'x':'autocomplete'; // This option allows autocomplete to be turned off on the login page.
        if (typeof domain.hide == 'number') { xargs.hide = domain.hide; }
+
+        // To mitigate any possible BREACH attack, we generate a random length string here.
+        xargs.randomlength = (args.webpagelengthrandomization !== false) ? parent.crypto.randomBytes(parent.crypto.randomInt(0, 256)).toString('base64') : '';
+
        return xargs;
    }