mirror of
https://github.com/RetroShare/RetroShare.git
synced 2024-12-27 00:19:25 -05:00
modified patch from AC to remove messages with security issues (e.g. Billion Laughs bomb). The message is replaced by a warning, and is not forwarded
git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@6562 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
parent
ff2f436d57
commit
3865c14583
@ -1060,8 +1060,39 @@ void p3ChatService::handleRecvChatAvatarItem(RsChatAvatarItem *ca)
|
||||
rsicontrol->getNotify().notifyPeerHasNewAvatar(ca->PeerId()) ;
|
||||
}
|
||||
|
||||
bool p3ChatService::checkForMessageSecurity(RsChatMsgItem *ci)
|
||||
{
|
||||
// https://en.wikipedia.org/wiki/Billion_laughs
|
||||
// This should be done for all incoming HTML messages (also in forums
|
||||
// etc.) so this should be a function in some other file.
|
||||
wchar_t tmp[10];
|
||||
mbstowcs(tmp, "<!", 9);
|
||||
|
||||
if (ci->message.find(tmp) != std::string::npos)
|
||||
{
|
||||
// Drop any message with "<!doctype" or "<!entity"...
|
||||
// TODO: check what happens with partial messages
|
||||
//
|
||||
std::wcout << "handleRecvChatMsgItem: " << ci->message << std::endl;
|
||||
std::wcout << "**********" << std::endl;
|
||||
std::wcout << "********** entity attack by " << ci->PeerId().c_str() << std::endl;
|
||||
std::wcout << "**********" << std::endl;
|
||||
|
||||
ci->message = L"**** This message has been removed because it breaks security rules.****" ;
|
||||
return false;
|
||||
}
|
||||
// For a future whitelist:
|
||||
// things to be kept:
|
||||
// <span> <img src="data:image/png;base64,... />
|
||||
// <a href="retroshare://…>…</a>
|
||||
|
||||
return true ;
|
||||
}
|
||||
|
||||
bool p3ChatService::handleRecvChatMsgItem(RsChatMsgItem *ci)
|
||||
{
|
||||
bool message_is_secure = checkForMessageSecurity(ci) ;
|
||||
|
||||
bool publicChanged = false;
|
||||
bool privateChanged = false;
|
||||
|
||||
@ -1098,8 +1129,9 @@ bool p3ChatService::handleRecvChatMsgItem(RsChatMsgItem *ci)
|
||||
std::cerr << std::endl;
|
||||
return false ;
|
||||
}
|
||||
if(!bounceLobbyObject(cli,cli->PeerId())) // forwards the message to friends, keeps track of subscribers, etc.
|
||||
return false;
|
||||
if(message_is_secure) // never bounce bad messages
|
||||
if(!bounceLobbyObject(cli,cli->PeerId())) // forwards the message to friends, keeps track of subscribers, etc.
|
||||
return false;
|
||||
|
||||
// setup the peer id to the virtual peer id of the lobby.
|
||||
//
|
||||
|
@ -152,6 +152,12 @@ class p3ChatService: public p3Service, public p3Config, public pqiMonitor, publi
|
||||
*/
|
||||
bool getPrivateChatQueue(bool incoming, const std::string &id, std::list<ChatInfo> &chats);
|
||||
|
||||
/*!
|
||||
* Checks message security, especially remove billion laughs attacks
|
||||
*/
|
||||
|
||||
static bool checkForMessageSecurity(RsChatMsgItem *) ;
|
||||
|
||||
/*!
|
||||
* @param clear private chat queue
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user