From d7556c74aaab24c74a9f42030eb92c59a21055f1 Mon Sep 17 00:00:00 2001
From: Anton Georgiev
Date: Wed, 10 Jan 2024 14:15:56 -0500
Subject: [PATCH] fix(sec): filter tags in presentation name

---
 .../src/main/java/org/bigbluebutton/api/util/ParamsUtil.java | 4 ++++
 bigbluebutton-html5/imports/ui/components/chat/service.js | 3 ++-
 .../web/controllers/PresentationController.groovy | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
index 6e6697ad23c3..3f5c07aad6b3 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
@@ -21,6 +21,10 @@ public static String stripControlChars(String text) {
 return text.replaceAll("\\p{Cc}", "").trim();
 }

+ public static String stripTags(String text) {
+ return text.replaceAll("<[^>]*>", "");
+}
+
 public static String escapeHTMLTags(String value) {
 return StringEscapeUtils.escapeHtml4(value);
 }
diff --git a/bigbluebutton-html5/imports/ui/components/chat/service.js b/bigbluebutton-html5/imports/ui/components/chat/service.js
index 5149f497a082..30e266dd54fb 100755
--- a/bigbluebutton-html5/imports/ui/components/chat/service.js
+++ b/bigbluebutton-html5/imports/ui/components/chat/service.js
@@ -337,12 +337,13 @@ const removePackagedClassAttribute = (classnames, attribute) => {
 };

 const getExportedPresentationString = (fileURI, filename, intl) => {
+ const sanitizedFilename = stripTags(filename);
 const href = `${APP.bbbWebBase}/${fileURI}`;
 const warningIcon = '';
 const label = `${intl.formatMessage(intlMessages.download)}`;
 const notAccessibleWarning = `${warningIcon}`;
 const link = `${label} ${notAccessibleWarning}`;
- const name = `$(unknown)`;
+ const name = `${sanitizedFilename}`;
 return `${name}
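Review bot: `stripTags` removes only complete `<...>` sequences, so an unterminated `<` at the end of a name survives and an already entity-encoded name is left as-is; since the stripped value is later interpolated into an HTML string on the client, the robust mitigation is escaping at the output point — `escapeHTMLTags` two lines below in the same class already does that — with this strip kept as defence in depth. Add a Javadoc stating that limit, e.g. `/** Removes complete <...> sequences only; the result is not HTML-escaped and is still untrusted for markup output. */`. Compile the regex once as a `private static final Pattern` instead of on every call, and note that a `null` argument throws `NullPointerException`, as it does in `stripControlChars` above.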
${link}`;
 };
diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
index 064649510eec..17205d8963c8 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
@@ -30,6 +30,7 @@ import org.apache.commons.io.FilenameUtils;
 import org.bigbluebutton.web.services.PresentationService
 import org.bigbluebutton.presentation.UploadedPresentation
 import org.bigbluebutton.api.MeetingService;
+import org.bigbluebutton.api.util.ParamsUtil;
 import org.bigbluebutton.api.Util;

 class PresentationController {
@@ -161,6 +162,7 @@ class PresentationController {
 // Gets the name minus the path from a full fileName.
 // a/b/c.txt --> c.txt
 presFilename = FilenameUtils.getName(presOrigFilename)
+ presFilename = ParamsUtil.stripTags(presFilename)
 filenameExt = FilenameUtils.getExtension(presFilename)
 } else {
 log.warn "Upload failed. File Empty."
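Review bot: `stripTags(filename)` on the first added line is neither imported nor defined in this hunk, and the diffstat shows only these two lines of service.js changed, so unless `stripTags` is already in scope at the top of the file (outside the hunk) the call throws a ReferenceError at runtime; the Java `stripTags` added to ParamsUtil is server-side and does not cover this client path. Stripping is also weaker than escaping for a value that is still concatenated into markup on the `return` line, so HTML-escaping `sanitizedFilename` at this point would be the more robust choice. The markup of this hunk appears to have lost its HTML tags during extraction (`warningIcon = ''`, the `$(unknown)` placeholder on the removed line), so the exact template cannot be checked here.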
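Review bot: `ParamsUtil.stripTags(presFilename)` can leave `presFilename` empty when the uploaded name consists only of tags, in which case `FilenameUtils.getExtension` on the next line returns an empty string as well; the existing extension check downstream (outside this hunk) should reject an empty name rather than proceed with it. Only `presFilename` is sanitized here — if `presOrigFilename` is stored or echoed to clients elsewhere, it still carries the raw value. A one-line comment above the added line, `// strip HTML tags so the name is safe to echo back to clients`, would record why the second assignment exists. The enclosing upload handler starts and ends outside the hunk.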