diff --git a/zefie_wtvp_minisrv/app.js b/zefie_wtvp_minisrv/app.js
index 3cc509e6..cd0bcbc5 100644
--- a/zefie_wtvp_minisrv/app.js
+++ b/zefie_wtvp_minisrv/app.js
@@ -2657,9 +2657,9 @@ Content-type: text/html`;
 if (getServiceEnabled(service_name)) {
 if (req.body) {
- if (typeof (req.body) == "string") {
+ if (typeof (req.body) === "string") {
 request_headers.post_data = req.body;
- } else if (req.body.length) {
+ } else if (Buffer.isBuffer(req.body)) {
 if (req.body.length > (minisrv_config.config.max_post_length * 1024 * 1024)) {
 errpage = wtvshared.doErrorPage("400", "POST size too large", null, true);
 } else {
@@ -2669,8 +2669,11 @@ Content-type: text/html`;
 }
 }
 } else {
- request_headers.post_data = "";
+ request_headers.post_data = req.body.toString();
 }
+ } else {
+ request_headers.post_data = ""; // Invalid type (array/object), possible type confusion attack
+ errpage = wtvshared.doErrorPage("400", "Invalid POST data type", null, true);
 }
 if (minisrv_config.config.debug_flags.show_headers) console.debug(" * Incoming " + ((ssl) ? "HTTPS" : "HTTP") + " PC POST Headers on", service_name, "socket ID", req.socket.id, wtvshared.filterRequestLog(request_headers));
diff --git a/zefie_wtvp_minisrv/client_sim.js b/zefie_wtvp_minisrv/client_sim.js
index 114ff9ed..b899da79 100644
--- a/zefie_wtvp_minisrv/client_sim.js
+++ b/zefie_wtvp_minisrv/client_sim.js
@@ -63,7 +63,7 @@ class WebTVClientSimulator {
 this.previousUrl = null; // Store previous URL for Referer header
 this.debug = debug;
 this.defaultBox = "plus";
- this.connectSessionId = Math.random().toString(16).slice(2, 10).padEnd(8, '0');
+ this.connectSessionId = crypto.randomBytes(4).toString('hex');;
 this.username = username;
 // Load minisrv config to get the initial shared key
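Review bot: The `typeof (req.body) === "string"` branch still copies the body into `request_headers.post_data` with no size check, while `minisrv_config.config.max_post_length` is enforced only in the `Buffer.isBuffer(req.body)` branch. Unless the body parser already caps string bodies (not visible here), the string branch should apply the same limit, for example `if (Buffer.byteLength(req.body) > minisrv_config.config.max_post_length * 1024 * 1024) errpage = wtvshared.doErrorPage("400", "POST size too large", null, true);`. The enclosing block starts and ends outside this hunk.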
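Review bot: The added 400 "Invalid POST data type" branch does not appear to sit where its comment says it does. The preceding `else` (now `req.body.toString()`) already terminates one if-chain, so the added `} else {` pairs with the next enclosing `if`, which from the visible braces is `if (req.body)` or `if (getServiceEnabled(service_name))` rather than the string/Buffer type chain; lines 2666-2668 and the indentation are not visible, so this is inferred from brace order. If that reading is right, an array or object body is never rejected (at best it is stringified, a plain object becoming `[object Object]`), and the 400 fires on an unrelated condition such as a request with no body. Consider making the final `else` of the type chain the rejection, `request_headers.post_data = ""; errpage = wtvshared.doErrorPage("400", "Invalid POST data type", null, true);`, and keeping the no-body case as `request_headers.post_data = "";`.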
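Review bot: `crypto.randomBytes` needs Node's `crypto` module in scope, and no import is visible in this hunk. On Node versions where the global `crypto` is the Web Crypto object there is no `randomBytes` on it, so confirm the file has `const crypto = require('crypto');`. The new line also ends in a stray `;;` and should read `this.connectSessionId = crypto.randomBytes(4).toString('hex');`. The constructor starts and ends outside this hunk.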