zefie/minisrv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

small security updates

Browse Source
This commit is contained in:
zefie
2025-08-13 01:09:18 -04:00
parent 005bd377a2
commit bd03b3a6db
2 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
zefie_wtvp_minisrv/app.js
View File

@@ -2657,9 +2657,9 @@ Content-type: text/html`;
if (getServiceEnabled(service_name)) { if (getServiceEnabled(service_name)) {
if (req.body) { if (req.body) {
if (typeof (req.body) == "string") { if (typeof (req.body) === "string") {
request_headers.post_data = req.body; request_headers.post_data = req.body;
} else if (req.body.length) { } else if (Buffer.isBuffer(req.body)) {
if (req.body.length > (minisrv_config.config.max_post_length * 1024 * 1024)) { if (req.body.length > (minisrv_config.config.max_post_length * 1024 * 1024)) {
errpage = wtvshared.doErrorPage("400", "POST size too large", null, true); errpage = wtvshared.doErrorPage("400", "POST size too large", null, true);
} else { } else {
@@ -2669,8 +2669,11 @@ Content-type: text/html`;
} }
} }
} else { } else {
request_headers.post_data = ""; request_headers.post_data = req.body.toString();
} }
} else {
request_headers.post_data = ""; // Invalid type (array/object), possible type confusion attack
errpage = wtvshared.doErrorPage("400", "Invalid POST data type", null, true);
} }
if (minisrv_config.config.debug_flags.show_headers) console.debug(" * Incoming " + ((ssl) ? "HTTPS" : "HTTP") + " PC POST Headers on", service_name, "socket ID", req.socket.id, wtvshared.filterRequestLog(request_headers)); if (minisrv_config.config.debug_flags.show_headers) console.debug(" * Incoming " + ((ssl) ? "HTTPS" : "HTTP") + " PC POST Headers on", service_name, "socket ID", req.socket.id, wtvshared.filterRequestLog(request_headers));

2
zefie_wtvp_minisrv/client_sim.js
View File

@@ -63,7 +63,7 @@ class WebTVClientSimulator {
this.previousUrl = null; // Store previous URL for Referer header this.previousUrl = null; // Store previous URL for Referer header
this.debug = debug; this.debug = debug;
this.defaultBox = "plus"; this.defaultBox = "plus";
this.connectSessionId = Math.random().toString(16).slice(2, 10).padEnd(8, '0'); this.connectSessionId = crypto.randomBytes(4).toString('hex');;
this.username = username; this.username = username;
// Load minisrv config to get the initial shared key // Load minisrv config to get the initial shared key