Skip to content

Commit

Permalink
Merge pull request #6354 from kamushadenes/develop
Browse files Browse the repository at this point in the history 
Security Fixes
  • Loading branch information
@engelgabriel
engelgabriel authored Mar 16, 2017
2 parents 590d120 + 97c2c22 commit 0320520
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 3 deletions.
2 changes: 2 additions & 0 deletions packages/rocketchat-file-upload/server/lib/requests.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ WebApp.connectHandlers.use('/file-upload/', function(req, res, next) {
}
}

res.header('Content-Security-Policy', 'default-src \'none\'');

return FileUpload.get(file, req, res, next);
}
}
Expand Down
18 changes: 18 additions & 0 deletions packages/rocketchat-message-attachments/client/messageAttachment.coffee
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,3 +59,21 @@ Template.messageAttachment.helpers
injectIndex: (data, previousIndex, index) ->
data.index = previousIndex + '.attachments.' + index
return

safeLoadImageAttachment: (url) ->
host = ''
url = fixCordova(url)
if (url.indexOf("://") > -1) {
host = url.split('/')[2]
} else {
host = url.split('/')[0]
}

host = host.split(':')[0]

if (host != window.location.hostname) {
return ''
} else {
return url
}

4 changes: 2 additions & 2 deletions packages/rocketchat-message-attachments/client/messageAttachment.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,8 +66,8 @@
<div class="attachment-image">
{{#if loadImage}}
<figure>
<div class="inline-image" style="background-image: url('{{fixCordova image_url}}');">
<img src="{{fixCordova image_url}}" height="{{getImageHeight image_dimensions.height}}" class="gallery-item" data-title="{{title}}" data-description="{{description}}">
<div class="inline-image" style="background-image: url('{{safeLoadImageAttachment image_url}}');">
<img src="{{safeLoadImageAttachment image_url}}" height="{{getImageHeight image_dimensions.height}}" class="gallery-item" data-title="{{title}}" data-description="{{description}}">
</div>
{{#if description}}
<figcaption class="attachment-description">{{description}}</figcaption>
Expand Down
2 changes: 1 addition & 1 deletion packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ Template.createCombinedFlex.events

'click .save-channel': (e, instance) ->
err = SideNav.validate()
name = instance.find('#channel-name').value.toLowerCase().trim()
name = instance.find('#channel-name').value.toLowerCase().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;")
privateGroup = instance.find('#channel-type').checked
readOnly = instance.find('#channel-ro').checked
createRoute = if privateGroup then 'createPrivateGroup' else 'createChannel'
Expand Down

0 comments on commit 0320520

Please sign in to comment.