mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-23 00:46:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

export: Don't leak writeable pad ID when exporting

Browse source 
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
This commit is contained in:
webzwo0i 2021-06-29 19:13:10 +02:00 committed by Richard Hansen
parent 58bd96ce8f
commit dbd76f0c5d
4 changed files with 30 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

28
src/node/utils/ExportEtherpad.js
View file

@ -19,23 +19,18 @@
const db = require('../db/DB');
const hooks = require('../../static/js/pluginfw/hooks');
exports.getPadRaw = async (padId) => {
const padKey = `pad:${padId}`;
const padcontent = await db.get(padKey);
exports.getPadRaw = async (padId, readOnlyId) => {
const keyPrefixRead = `pad:${padId}`;
const keyPrefixWrite = readOnlyId ? `pad:${readOnlyId}` : keyPrefixRead;
const padcontent = await db.get(keyPrefixRead);
const records = [padKey];
for (let i = 0; i <= padcontent.head; i++) {
records.push(`${padKey}:revs:${i}`);
}
for (let i = 0; i <= padcontent.chatHead; i++) {
records.push(`${padKey}:chat:${i}`);
}
const keySuffixes = [''];
for (let i = 0; i <= padcontent.head; i++) keySuffixes.push(`:revs:${i}`);
for (let i = 0; i <= padcontent.chatHead; i++) keySuffixes.push(`:chat:${i}`);
const data = {};
for (const key of records) {
// For each piece of info about a pad.
const entry = data[key] = await db.get(key);
for (const keySuffix of keySuffixes) {
const entry = data[keyPrefixWrite + keySuffix] = await db.get(keyPrefixRead + keySuffix);
// Get the Pad Authors
if (entry.pool && entry.pool.numToAttrib) {
@ -50,7 +45,7 @@ exports.getPadRaw = async (padId) => {
if (authorEntry) {
data[`globalAuthor:${authorId}`] = authorEntry;
if (authorEntry.padIDs) {
authorEntry.padIDs = padId;
authorEntry.padIDs = readOnlyId || padId;
}
}
}
@ -63,7 +58,8 @@ exports.getPadRaw = async (padId) => {
const prefixes = await hooks.aCallAll('exportEtherpadAdditionalContent');
await Promise.all(prefixes.map(async (prefix) => {
const key = `${prefix}:${padId}`;
data[key] = await db.get(key);
const writeKey = readOnlyId ? `${prefix}:${readOnlyId}` : key;
data[writeKey] = await db.get(key);
}));
return data;

4
src/node/utils/ExportHtml.js
View file

@ -457,7 +457,7 @@ const getHTMLFromAtext = async (pad, atext, authorColors) => {
return pieces.join('');
};
exports.getPadHTMLDocument = async (padId, revNum) => {
exports.getPadHTMLDocument = async (padId, revNum, readOnlyId) => {
const pad = await padManager.getPad(padId);
// Include some Styles into the Head for Export
@ -475,7 +475,7 @@ exports.getPadHTMLDocument = async (padId, revNum) => {
return eejs.require('ep_etherpad-lite/templates/export_html.html', {
body: html,
padId: Security.escapeHTML(padId),
padId: Security.escapeHTML(readOnlyId || padId),
extraCSS: stylesForExportCSS,
});
};