Daniel 2025-06-16 10:31:04 +08:00
parent e64b486ea4
commit 8fff4b742e
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
3 changed files with 19 additions and 8 deletions


@ -26,6 +26,7 @@ import (
"github.com/88250/gulu"
"github.com/88250/lute"
"github.com/88250/lute/html"
"github.com/gin-gonic/gin"
"github.com/siyuan-note/logging"
"github.com/siyuan-note/siyuan/kernel/conf"
@ -165,10 +166,15 @@ func getEmojiConf(c *gin.Context) {
} else {
for _, customEmoji := range customEmojis {
name := customEmoji.Name()
if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<\"") {
if strings.HasPrefix(name, ".") {
continue
}
if !util.IsValidUploadFileName(html.UnescapeString(name)) {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
logging.LogWarnf("invalid custom emoji name [%s]", name)
}
if customEmoji.IsDir() {
// 子级
subCustomEmojis, err := os.ReadDir(filepath.Join(customConfDir, name))
@ -183,7 +189,13 @@ func getEmojiConf(c *gin.Context) {
}
name = subCustomEmoji.Name()
if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<\"") {
if strings.HasPrefix(name, ".") {
continue
}
if !util.IsValidUploadFileName(html.UnescapeString(name)) {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
logging.LogWarnf("invalid custom emoji name [%s]", name)
continue
}
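Review bot: The first added `util.IsValidUploadFileName` check, in the top-level `customEmojis` loop, logs the warning but has no `continue`, so an entry with an invalid name still falls through to the `customEmoji.IsDir()` branch. Only the second check, in the sub-directory loop, skips the entry. The same hunk also drops the old `strings.ContainsAny(name, "<\"")` test from the dot-prefix condition, so top-level names containing `<` or `"` are no longer rejected at all, which likely leaves the XSS from the linked issue reachable on that path. Add `continue` directly after `logging.LogWarnf("invalid custom emoji name [%s]", name)` in the first block so both loops behave the same. getEmojiConf starts and ends outside the visible hunks, so how `name` is used afterwards is inferred rather than shown here.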