patch XSS related to directories, remove redundant text editor file load

2025-04-24 17:22:35 +02:00 · 2017-01-17 21:20:34 -08:00 · 2017-01-17 21:20:34 -08:00 · e95dd99c29
commit e95dd99c29
parent eed42b7558
3 changed files with 36 additions and 36 deletions
--- a/app/site_files.rb
+++ b/app/site_files.rb
@ -32,7 +32,7 @@ post '/site_files/create' do
  name = current_site.scrubbed_path name

  if current_site.file_exists?(name)
-    flash[:error] = %{Web page "#{name}" already exists! Choose another name.}
+    flash[:error] = %{Web page "#{Rack::Utils.escape_html name}" already exists! Choose another name.}
    redirect redirect_uri
  end

@ -67,7 +67,9 @@ post '/site_files/create' do
    site_file.save
  end

-  flash[:success] = %{#{name} was created! <a style="color: #FFFFFF; text-decoration: underline" href="/site_files/text_editor/#{name}">Click here to edit it</a>.}
+  escaped_name = Rack::Utils.escape_html name
+
+  flash[:success] = %{#{escaped_name} was created! <a style="color: #FFFFFF; text-decoration: underline" href="/site_files/text_editor/#{escaped_name}">Click here to edit it</a>.}

  redirect redirect_uri
 end
--- a/views/dashboard.erb
+++ b/views/dashboard.erb
@ -122,7 +122,6 @@
      <div class="upload-Boundary <%= @file_list.length <= 5 ? 'with-instruction' : '' %>">
        <% @file_list.each do |file| %>
          <div class="file filehover">
-            <!-- <input type="checkbox" name="" value="" /> -->
            <% if file[:is_html] && current_site.screenshot_exists?(file[:path], '210x158') %>
              <div class="html-thumbnail html fileimagehover">
                <img src="<%= current_site.screenshot_url(file[:path], '210x158') %>" alt="">
@ -160,6 +159,7 @@
            </div>

            <div class="overlay">
+              <div id="<%= Digest::SHA256.hexdigest file[:path] %>" style="display: none"><%= file[:path] %></div>
              <% if file[:is_editable] %>
                <a href="/site_files/text_editor<%= file[:path] %>"><i class="fa fa-edit" title="Edit"></i> Edit</a>
              <% end %>
@ -167,7 +167,7 @@
                <a href="?dir=<%= Rack::Utils.escape file[:path] %>"><i class="fa fa-edit" title="Manage"></i> Manage</a>
              <% end %>
              <% if !file[:is_root_index] %>
-                <a href="#" onclick="confirmFileDelete('<%== file[:path].gsub("'", '&apos;') %>')"><i class="fa fa-trash" title="Delete"></i> Delete</a>
+                <a href="#" onclick="confirmFileDelete($('#<%= Digest::SHA256.hexdigest file[:path] %>').text())"><i class="fa fa-trash" title="Delete"></i> Delete</a>
              <% end %>
              <% if file[:is_directory] %>
              <a class="link-overlay" href="?dir=<%= Rack::Utils.escape file[:path] %>" title="View <%= file[:path] %>"></a>
@ -262,7 +262,7 @@
 <script>

  function confirmFileDelete(name) {
-    $('#deleteFileName').html(name.replace('/',''));
+    $('#deleteFileName').text(name.replace('/',''));
    $('#deleteConfirmModal').modal();
  }

@ -305,7 +305,7 @@
        if(file.status == 'error' && file.name.match(/.+\..+/) == null && errorMessage == 'Server responded with 0 code.') {
          alert('Recursive directory upload is only supported by the Chrome web browser.')
        } else {
-          location.href = '/dashboard<%= @dir ? "?dir=#{@dir}" : "" %>'
+          location.href = '/dashboard<%= @dir ? "?dir=#{Rack::Utils.escape @dir}" : "" %>'
        }
      })

--- a/views/site_files/text_editor.erb
+++ b/views/site_files/text_editor.erb
@ -154,40 +154,38 @@

  var editor = {}

-  $.get('/site_files/download/<%= @filename %>', function(resp) {
-    $(document).ready(function() {
-      $.get('/site_files/download/<%= @filename %>', function(resp) {
-        editor = ace.edit("editor")
-        setTheme()
-        <% if @ace_mode %>
-          editor.getSession().setMode("ace/mode/<%= @ace_mode %>")
-        <% end %>
-        editor.getSession().setTabSize(2)
-        editor.getSession().setUseWrapMode(true)
-        editor.setFontSize(14)
-        editor.setShowPrintMargin(false)
-        editor.setOptions({
-          maxLines: Infinity,
-          autoScrollEditorIntoView: true
-        })
+  $(document).ready(function() {
+    $.get("/site_files/download/<%= Addressable::URI.parse(@filename).normalized_path.to_s %>", function(resp) {
+      editor = ace.edit("editor")
+      setTheme()
+      <% if @ace_mode %>
+        editor.getSession().setMode("ace/mode/<%= @ace_mode %>")
+      <% end %>
+      editor.getSession().setTabSize(2)
+      editor.getSession().setUseWrapMode(true)
+      editor.setFontSize(14)
+      editor.setShowPrintMargin(false)
+      editor.setOptions({
+        maxLines: Infinity,
+        autoScrollEditorIntoView: true
+      })

-        // Disable autocomplete
-        editor.setBehavioursEnabled(false)
+      // Disable autocomplete
+      editor.setBehavioursEnabled(false)

-        editor.setValue(resp, -1)
+      editor.setValue(resp, -1)

-        editor.on('change', function(obj) {
-          $('a#saveButton,a#saveAndExitButton').css('opacity', 1)
-          unsavedChanges = true
-        })
+      editor.on('change', function(obj) {
+        $('a#saveButton,a#saveAndExitButton').css('opacity', 1)
+        unsavedChanges = true
+      })

-        editor.commands.addCommand({
-            name: 'saveCommand',
-            bindKey: {win: 'Ctrl-S',  mac: 'Command-S'},
-            exec: function(editor) {
-              saveTextFile(false)
-            }
-        })
+      editor.commands.addCommand({
+          name: 'saveCommand',
+          bindKey: {win: 'Ctrl-S',  mac: 'Command-S'},
+          exec: function(editor) {
+            saveTextFile(false)
+          }
      })
    })
  })