From b6799afa66d62e67e8208a7cd957ab0cb08c63d1 Mon Sep 17 00:00:00 2001 From: Marc Ole Bulling Date: Thu, 28 Aug 2025 16:03:23 +0200 Subject: [PATCH] Fixed incorrect handling of e2e filename decryption #300 --- build/go-generate/minifyStaticContent.go | 2 +- build/go-generate/updateVersionNumbers.go | 2 +- internal/webserver/web/static/js/end2end_download.js | 7 ++++++- .../min/{end2end_admin.min.7.js => end2end_admin.min.8.js} | 0 .../webserver/web/static/js/min/end2end_download.min.7.js | 1 - .../webserver/web/static/js/min/end2end_download.min.8.js | 1 + internal/webserver/web/templates/string_constants.tmpl | 2 +- 7 files changed, 10 insertions(+), 5 deletions(-) rename internal/webserver/web/static/js/min/{end2end_admin.min.7.js => end2end_admin.min.8.js} (100%) delete mode 100644 internal/webserver/web/static/js/min/end2end_download.min.7.js create mode 100644 internal/webserver/web/static/js/min/end2end_download.min.8.js diff --git a/build/go-generate/minifyStaticContent.go b/build/go-generate/minifyStaticContent.go index 106490e..770e747 100644 --- a/build/go-generate/minifyStaticContent.go +++ b/build/go-generate/minifyStaticContent.go @@ -138,5 +138,5 @@ func fileExists(filename string) bool { // Version codes can be changed in updateVersionNumbers.go const jsAdminVersion = 12 -const jsE2EVersion = 7 +const jsE2EVersion = 8 const cssMainVersion = 5 diff --git a/build/go-generate/updateVersionNumbers.go b/build/go-generate/updateVersionNumbers.go index dea355a..f63e028 100644 --- a/build/go-generate/updateVersionNumbers.go +++ b/build/go-generate/updateVersionNumbers.go @@ -13,7 +13,7 @@ import ( const versionJsAdmin = 12 const versionJsDropzone = 5 -const versionJsE2EAdmin = 7 +const versionJsE2EAdmin = 8 const versionCssMain = 5 const fileMain = "../../cmd/gokapi/Main.go" diff --git a/internal/webserver/web/static/js/end2end_download.js b/internal/webserver/web/static/js/end2end_download.js index 3f6d270..d2eb05a 100644 
--- a/internal/webserver/web/static/js/end2end_download.js +++ b/internal/webserver/web/static/js/end2end_download.js @@ -10,7 +10,7 @@ function parseHashValue(id) { } let info; try { - let infoJson = atob(hash); + let infoJson = b64ToUtf8(hash); info = JSON.parse(infoJson) } catch (err) { redirectToE2EError(); @@ -25,6 +25,11 @@ function parseHashValue(id) { } } +function b64ToUtf8(str) { + let bytes = Uint8Array.from(atob(str), c => c.charCodeAt(0)); + return new TextDecoder().decode(bytes); +} + function isCorrectJson(input) { return (input.f !== undefined && input.c !== undefined && diff --git a/internal/webserver/web/static/js/min/end2end_admin.min.7.js b/internal/webserver/web/static/js/min/end2end_admin.min.8.js similarity index 100% rename from internal/webserver/web/static/js/min/end2end_admin.min.7.js rename to internal/webserver/web/static/js/min/end2end_admin.min.8.js diff --git a/internal/webserver/web/static/js/min/end2end_download.min.7.js b/internal/webserver/web/static/js/min/end2end_download.min.7.js deleted file mode 100644 index 549dc1f..0000000 --- a/internal/webserver/web/static/js/min/end2end_download.min.7.js +++ /dev/null @@ -1 +0,0 @@ -function parseHashValue(e){let t=sessionStorage.getItem("key-"+e),n=sessionStorage.getItem("fn-"+e);if(t===null||n===null){if(hash=window.location.hash.substr(1),hash.length<50){redirectToE2EError();return}let t;try{let e=atob(hash);t=JSON.parse(e)}catch{redirectToE2EError();return}if(!isCorrectJson(t)){redirectToE2EError();return}sessionStorage.setItem("key-"+e,t.c),sessionStorage.setItem("fn-"+e,t.f)}}function isCorrectJson(e){return e.f!==0[0]&&e.c!==0[0]&&typeof e.f=="string"&&typeof e.c=="string"&&e.f!=""&&e.c!=""}function redirectToE2EError(){window.location="./error?e2e"} \ No newline at end of file diff --git a/internal/webserver/web/static/js/min/end2end_download.min.8.js b/internal/webserver/web/static/js/min/end2end_download.min.8.js new file mode 100644 index 0000000..95a6275 --- /dev/null 
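Review bot: In the second hunk of end2end_download.js, `b64ToUtf8` builds its decoder with `new TextDecoder()`, which is non-fatal by default, so fragment bytes that are not valid UTF-8 are decoded with U+FFFD substituted instead of being rejected. The call in `parseHashValue` already sits inside the `try`/`catch` that ends in `redirectToE2EError()`, so `return new TextDecoder("utf-8", {fatal: true}).decode(bytes);` would send a malformed fragment to the error page rather than letting an altered filename reach `sessionStorage`. The fragment comes from the link rather than the server, so failing closed fits the existing `isCorrectJson` validation; whether links from older versions would still decode depends on the encoder, which this patch does not show. A short comment above the helper would also help, for example `// atob() yields one char per byte; decode the bytes as UTF-8 so non-ASCII filenames survive`. `parseHashValue` begins and ends outside both hunks.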
+++ b/internal/webserver/web/static/js/min/end2end_download.min.8.js @@ -0,0 +1 @@ +function parseHashValue(e){let t=sessionStorage.getItem("key-"+e),n=sessionStorage.getItem("fn-"+e);if(t===null||n===null){if(hash=window.location.hash.substr(1),hash.length<50){redirectToE2EError();return}let t;try{let e=b64ToUtf8(hash);t=JSON.parse(e)}catch{redirectToE2EError();return}if(!isCorrectJson(t)){redirectToE2EError();return}sessionStorage.setItem("key-"+e,t.c),sessionStorage.setItem("fn-"+e,t.f)}}function b64ToUtf8(e){let t=Uint8Array.from(atob(e),e=>e.charCodeAt(0));return(new TextDecoder).decode(t)}function isCorrectJson(e){return e.f!==0[0]&&e.c!==0[0]&&typeof e.f=="string"&&typeof e.c=="string"&&e.f!=""&&e.c!=""}function redirectToE2EError(){window.location="./error?e2e"} \ No newline at end of file diff --git a/internal/webserver/web/templates/string_constants.tmpl b/internal/webserver/web/templates/string_constants.tmpl index cb3972e..2b4eaa6 100644 --- a/internal/webserver/web/templates/string_constants.tmpl +++ b/internal/webserver/web/templates/string_constants.tmpl @@ -5,5 +5,5 @@ // use a cached version, if the file has been updated {{define "js_admin_version"}}12{{end}} {{define "js_dropzone_version"}}5{{end}} -{{define "js_e2eversion"}}7{{end}} +{{define "js_e2eversion"}}8{{end}} {{define "css_main"}}5{{end}} \ No newline at end of file