modified patch from AC to remove messages with security issues (e.g. Billion Laughs bomb). The message is replaced by a warning, and is not forwarded

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@6562 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
csoler 2013-08-08 09:55:19 +00:00
parent ff2f436d57
commit 3865c14583
2 changed files with 40 additions and 2 deletions

View File

@ -1060,8 +1060,39 @@ void p3ChatService::handleRecvChatAvatarItem(RsChatAvatarItem *ca)
rsicontrol->getNotify().notifyPeerHasNewAvatar(ca->PeerId()) ;
}
bool p3ChatService::checkForMessageSecurity(RsChatMsgItem *ci)
{
// https://en.wikipedia.org/wiki/Billion_laughs
// This should be done for all incoming HTML messages (also in forums
// etc.) so this should be a function in some other file.
wchar_t tmp[10];
mbstowcs(tmp, "<!", 9);
if (ci->message.find(tmp) != std::string::npos)
{
// Drop any message with "<!doctype" or "<!entity"...
// TODO: check what happens with partial messages
//
std::wcout << "handleRecvChatMsgItem: " << ci->message << std::endl;
std::wcout << "**********" << std::endl;
std::wcout << "********** entity attack by " << ci->PeerId().c_str() << std::endl;
std::wcout << "**********" << std::endl;
ci->message = L"**** This message has been removed because it breaks security rules.****" ;
return false;
}
// For a future whitelist:
// things to be kept:
// <span> <img src="data:image/png;base64,... />
// <a href="retroshare://…>…</a>
return true ;
}
bool p3ChatService::handleRecvChatMsgItem(RsChatMsgItem *ci)
{
bool message_is_secure = checkForMessageSecurity(ci) ;
bool publicChanged = false;
bool privateChanged = false;
@ -1098,8 +1129,9 @@ bool p3ChatService::handleRecvChatMsgItem(RsChatMsgItem *ci)
std::cerr << std::endl;
return false ;
}
if(!bounceLobbyObject(cli,cli->PeerId())) // forwards the message to friends, keeps track of subscribers, etc.
return false;
if(message_is_secure) // never bounce bad messages
if(!bounceLobbyObject(cli,cli->PeerId())) // forwards the message to friends, keeps track of subscribers, etc.
return false;
// setup the peer id to the virtual peer id of the lobby.
//

View File

@ -152,6 +152,12 @@ class p3ChatService: public p3Service, public p3Config, public pqiMonitor, publi
*/
bool getPrivateChatQueue(bool incoming, const std::string &id, std::list<ChatInfo> &chats);
/*!
* Checks message security, especially remove billion laughs attacks
*/
static bool checkForMessageSecurity(RsChatMsgItem *) ;
/*!
* @param clear private chat queue
*/