
fix: xss vulnerability in /api/raw (#2570) #2572

Merged
merged 1 commit into from
Jul 27, 2023

Conversation

IceWreck
Contributor

@IceWreck IceWreck commented Jul 26, 2023

Description

Fixed the XSS vulnerability reported by @febinrev in #2570


Further comments

I experimented with quite a few policies and felt this is the least restrictive one that still does the job (it allows browser previews etc. to render while blocking all JavaScript and wasm inside any content returned by /api/raw; it blocks execution of <script>, onclick handlers, etc.).

@IceWreck IceWreck requested a review from o1egl as a code owner July 26, 2023 06:06
@o1egl o1egl merged commit b508ac3 into filebrowser:master Jul 27, 2023
langren1353 pushed a commit to langren1353/filebrowser-player that referenced this pull request Jul 31, 2023