
Comparing changes

base repository: webtorrent/webtorrent
base: v0.107.5
head repository: webtorrent/webtorrent
compare: v0.107.6
  • 6 commits
  • 3 files changed
  • 1 contributor

Commits on Aug 21, 2019

  1. build

    feross committed Aug 21, 2019

Commits on Aug 27, 2019

  1. Fix http server XSS

    Low-risk XSS. If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context.
    
    The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain.
    
    This commit mitigates the issue in two ways (either of which could have prevented this XSS on its own):
    
    1. HTML-escape untrusted torrent metadata (name, path, file names, etc.)
    
    2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied.
    feross committed Aug 27, 2019
  2. Address @diracdeltas feedback on #1714

    feross committed Aug 27, 2019
  3. Merge pull request #1714 from webtorrent/fix-server-xss

    Fix http server XSS
    feross committed Aug 27, 2019
  4. 0.107.6

    feross committed Aug 27, 2019