Merge pull request from GHSA-r3vv-c788-9fph

fix(sec): filter tags in presentation name (backport to 2.6)
bigbluebutton · Jan 11, 2024 · 08c8387 · 08c8387
2 parents 0046f25 + d7556c7
commit 08c8387
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
@@ -21,6 +21,10 @@ public static String stripControlChars(String text) {
     return text.replaceAll("\\p{Cc}", "").trim();
   }
 
+  public static String stripTags(String text) {
+    return text.replaceAll("<[^>]*>", "");
+}
+
   public static String escapeHTMLTags(String value) {
     return StringEscapeUtils.escapeHtml4(value);
   }

diff --git a/bigbluebutton-html5/imports/ui/components/chat/service.js b/bigbluebutton-html5/imports/ui/components/chat/service.js
@@ -337,12 +337,13 @@ const removePackagedClassAttribute = (classnames, attribute) => {
 };
 
 const getExportedPresentationString = (fileURI, filename, intl) => {
+  const sanitizedFilename = stripTags(filename);
   const href = `${APP.bbbWebBase}/${fileURI}`;
   const warningIcon = '<i class="icon-bbb-warning"></i>';
   const label = `<span>${intl.formatMessage(intlMessages.download)}</span>`;
   const notAccessibleWarning = `<span title="${intl.formatMessage(intlMessages.notAccessibleWarning)}">${warningIcon}</span>`;
   const link = `<a aria-label="${intl.formatMessage(intlMessages.notAccessibleWarning)}" href=${href} type="application/pdf" target="_blank" rel="noopener, noreferrer" download>${label}&nbsp;${notAccessibleWarning}</a>`;
-  const name = `<span>${filename}</span>`;
+  const name = `<span>${sanitizedFilename}</span>`;
   return `${name}</br>${link}`;
 };
 

diff --git a/...eb/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy b/...eb/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
@@ -30,6 +30,7 @@ import org.apache.commons.io.FilenameUtils;
 import org.bigbluebutton.web.services.PresentationService
 import org.bigbluebutton.presentation.UploadedPresentation
 import org.bigbluebutton.api.MeetingService;
+import org.bigbluebutton.api.util.ParamsUtil;
 import org.bigbluebutton.api.Util;
 
 class PresentationController {
@@ -161,6 +162,7 @@ class PresentationController {
       // Gets the name minus the path from a full fileName.
       // a/b/c.txt --> c.txt
       presFilename =  FilenameUtils.getName(presOrigFilename)
+      presFilename = ParamsUtil.stripTags(presFilename)
       filenameExt = FilenameUtils.getExtension(presFilename)
     } else {
       log.warn "Upload failed. File Empty."