drastic removal of <! from all wide string in all RsItems, from the de-serialisation code. Shoudl prevent lol bombs throughout the whole software. To be tested further

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@6744 b45a01b8-16f6-495d-af2f-9b41ad6348cc
2025-01-23 22:01:05 -05:00 · 2013-09-16 22:24:43 +00:00 · 2013-09-16 22:24:43 +00:00 · 4ee7d8bb7e
commit 4ee7d8bb7e
parent 6dbbf83783
1 changed files with 12 additions and 0 deletions
--- a/libretroshare/src/serialiser/rstlvbase.cc
+++ b/libretroshare/src/serialiser/rstlvbase.cc
@ -561,6 +561,18 @@ bool GetTlvWideString(void *data, uint32_t size, uint32_t *offset,
 		ok &= getRawUInt32(data, tlvend, offset, &widechar);
 		in += widechar;
 	}
+
+	// Check for message content. We want to avoid possible lol bombs as soon as possible.
+	
+	wchar_t tmp[10];
+	mbstowcs(tmp, "<!", 9);
+
+	// Drop any string with "<!" or "<!"...
+	// TODO: check what happens with partial messages
+	//
+	if (in.find(tmp) != std::string::npos)
+		in = L"**** This string has been removed because it contains \"<!\" (forbidden for security reasons).****" ;
+
 	return ok;
 }