Escape AJAX session input to better protect against XSS attacks. Resolve #1846

This commit is contained in:
Griatch 2019-06-09 11:21:04 +02:00
parent 52699c06e8
commit 78c93b6678


@ -19,6 +19,7 @@ http://localhost:4001/webclient.)
import json import json
import re import re
import time import time
import cgi
from twisted.web import server, resource from twisted.web import server, resource
from twisted.internet.task import LoopingCall from twisted.internet.task import LoopingCall
@ -35,12 +36,12 @@ _RE_SCREENREADER_REGEX = re.compile(r"%s" % settings.SCREENREADER_REGEX_STRIP, r
_SERVERNAME = settings.SERVERNAME _SERVERNAME = settings.SERVERNAME
_KEEPALIVE = 30 # how often to check keepalive _KEEPALIVE = 30 # how often to check keepalive
# defining a simple json encoder for returning # defining a simple json encoder for returning
# django data to the client. Might need to # django data to the client. Might need to
# extend this if one wants to send more # extend this if one wants to send more
# complex database objects too. # complex database objects too.
class LazyEncoder(json.JSONEncoder): class LazyEncoder(json.JSONEncoder):
def default(self, obj): def default(self, obj):
if isinstance(obj, Promise): if isinstance(obj, Promise):
@ -158,7 +159,7 @@ class AjaxWebClient(resource.Resource):
request (Request): Incoming request. request (Request): Incoming request.
""" """
csessid = request.args.get('csessid')[0] csessid = cgi.escape(request.args['csessid'][0])
remote_addr = request.getClientIP() remote_addr = request.getClientIP()
host_string = "%s (%s:%s)" % (_SERVERNAME, request.getRequestHostname(), request.getHost().port) host_string = "%s (%s:%s)" % (_SERVERNAME, request.getRequestHostname(), request.getHost().port)
@ -190,7 +191,7 @@ class AjaxWebClient(resource.Resource):
This is called by render_POST when the This is called by render_POST when the
client is replying to the keepalive. client is replying to the keepalive.
""" """
csessid = request.args.get('csessid')[0] csessid = cgi.escape(request.args['csessid'][0])
self.last_alive[csessid] = (time.time(), False) self.last_alive[csessid] = (time.time(), False)
return '""' return '""'
@ -203,13 +204,12 @@ class AjaxWebClient(resource.Resource):
request (Request): Incoming request. request (Request): Incoming request.
""" """
csessid = request.args.get('csessid')[0] csessid = cgi.escape(request.args['csessid'][0])
self.last_alive[csessid] = (time.time(), False) self.last_alive[csessid] = (time.time(), False)
sess = self.sessionhandler.sessions_from_csessid(csessid) sess = self.sessionhandler.sessions_from_csessid(csessid)
if sess: if sess:
sess = sess[0] sess = sess[0]
cmdarray = json.loads(request.args.get('data')[0]) cmdarray = json.loads(cgi.escape(request.args.get('data')[0]))
sess.sessionhandler.data_in(sess, **{cmdarray[0]: [cmdarray[1], cmdarray[2]]}) sess.sessionhandler.data_in(sess, **{cmdarray[0]: [cmdarray[1], cmdarray[2]]})
return '""' return '""'
@ -224,7 +224,7 @@ class AjaxWebClient(resource.Resource):
request (Request): Incoming request. request (Request): Incoming request.
""" """
csessid = request.args.get('csessid')[0] csessid = cgi.escape(request.args['csessid'][0])
self.last_alive[csessid] = (time.time(), False) self.last_alive[csessid] = (time.time(), False)
dataentries = self.databuffer.get(csessid, []) dataentries = self.databuffer.get(csessid, [])
@ -245,7 +245,7 @@ class AjaxWebClient(resource.Resource):
request (Request): Incoming request. request (Request): Incoming request.
""" """
csessid = request.args.get('csessid')[0] csessid = cgi.escape(request.args['csessid'][0])
try: try:
sess = self.sessionhandler.sessions_from_csessid(csessid)[0] sess = self.sessionhandler.sessions_from_csessid(csessid)[0]
sess.sessionhandler.disconnect(sess) sess.sessionhandler.disconnect(sess)
@ -267,6 +267,7 @@ class AjaxWebClient(resource.Resource):
""" """
dmode = request.args.get('mode', [None])[0] dmode = request.args.get('mode', [None])[0]
if dmode == 'init': if dmode == 'init':
# startup. Setup the server. # startup. Setup the server.
return self.mode_init(request) return self.mode_init(request)
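Review bot: `cgi.escape`, introduced on the new side of the `@ -158` hunk and repeated in the four hunks that follow, has been deprecated since Python 3.2 and is removed in 3.8, so on a newer interpreter these lines raise AttributeError; `html.escape` is the stdlib replacement (it also escapes quotes unless `quote=False` is passed, which matters if the value is compared against stored ids). More fundamentally this escapes at input rather than at output: in the `@ -203` hunk `json.loads(cgi.escape(request.args.get('data')[0]))` rewrites any `&`, `<` or `>` a player types into a command to `&amp;`/`&lt;`/`&gt;` before the game sees it, while the text the browser later renders still has to be escaped where it is inserted into the DOM, so the XSS exposure is only partially addressed and legitimate input is corrupted. Since `csessid` is used only as a dict key and as the argument to `sessions_from_csessid`, a strict format check (e.g. a compiled alphanumeric regex) that rejects malformed ids would protect the same paths without altering valid values. Switching `.get('csessid')` to `request.args['csessid']` also turns a missing parameter into an unhandled KeyError (a 500) rather than an explicit 4xx response. The `@ -267` hunk continues past the visible lines, so the added line there cannot be reviewed here.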