sec: Fix prototype pollution in webaccess module

This commit is contained in:
SamTV12345 2024-08-18 19:57:05 +02:00
parent 4ff00e278a
commit 852f282b03


@ -177,6 +177,10 @@ const checkAccess = async (req:any, res:any, next: Function) => {
res.status(401).send('Authentication Required');
return;
}
if (ctx.username === '__proto__' || ctx.username === 'constructor' || ctx.username === 'prototype') {
res.end(403);
return;
}
settings.users[ctx.username].username = ctx.username;
// Make a shallow copy so that the password property can be deleted (to prevent it from
// appearing in logs or in the database) without breaking future authentication attempts.
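Review bot: The denylist on the added `if` catches only three names, but `settings.users` is a plain object, so any other inherited key (`toString`, `hasOwnProperty`, `__defineGetter__`, …) still resolves on the next line and gets a `username` property written onto a shared prototype function; an own-property test closes the whole class: `if (!Object.prototype.hasOwnProperty.call(settings.users, ctx.username)) {`. The reject branch also looks wrong: `res.end(403)` hands the number to Node's `end()` as a body chunk rather than setting the status (a 200 with an odd body, or a TypeError depending on the Node version), and it is inconsistent with the `res.status(401).send(...)` branch just above it — `res.status(403).send('Forbidden');` matches that style. If unknown usernames are already rejected before this point, the own-property check changes nothing for legitimate users. checkAccess begins before this hunk and continues past it.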