fix xss in webui from SAM session name

Jeff Becker 2018-02-16 06:28:22 -05:00
parent b6e75e9c5a
commit aaf8f527ef
No known key found for this signature in database
GPG key ID: F357B3B42F6F9B05
2 changed files with 21 additions and 0 deletions


@ -296,6 +296,19 @@ namespace client
}
}
static bool IsAcceptableSessionName(const std::string & str)
{
auto itr = str.begin();
while(itr != str.end())
{
char ch = *itr;
++itr;
if (ch == '<' || ch == '>' || ch == '"' || ch == '\'' || ch == '/')
return false;
}
return true;
}
void SAMSocket::ProcessSessionCreate (char * buf, size_t len)
{
LogPrint (eLogDebug, "SAM: session create: ", buf);
@ -304,6 +317,13 @@ namespace client
std::string& style = params[SAM_PARAM_STYLE];
std::string& id = params[SAM_PARAM_ID];
std::string& destination = params[SAM_PARAM_DESTINATION];
if(!IsAcceptableSessionName(id))
{
// invalid session id
SendMessageReply (SAM_SESSION_CREATE_INVALID_ID, strlen(SAM_SESSION_CREATE_INVALID_ID), true);
return;
}
m_ID = id;
if (m_Owner.FindSession (id))
{
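Review bot: The denylist in IsAcceptableSessionName (first hunk) rejects only `<`, `>`, `"`, `'` and `/`, so whether the web console is safe still depends on the HTML context the session name is written into; `&`, backtick, `=`, whitespace and control bytes are all accepted, as is an empty ID. The webui rendering code is not part of this view, but HTML-escaping the name at the point where it is emitted would address the issue for every path that can create a session name, with this check kept as defence in depth. If the input check stays, an allowlist is easier to audit than a denylist, for example `if (!std::isalnum(static_cast<unsigned char>(ch)) && ch != '_' && ch != '-' && ch != '.') return false;`, assuming existing SAM clients do not rely on other characters in their IDs. ProcessSessionCreate starts before and continues past the second hunk, so the reply path after the early `return` is not visible here.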