[fix] For bug 49783;set password limit for DoS protection with long password

Sergey Konovalov
2021-09-22 17:05:50 +03:00
parent 2146725ea4
commit 88e0153ca4
3 changed files with 13 additions and 1 deletions


@ -36,6 +36,7 @@ exports.DOC_ID_PATTERN = '0-9-.a-zA-Z_=';
exports.DOC_ID_REGEX = new RegExp("^[" + exports.DOC_ID_PATTERN + "]*$", 'i');
exports.DOC_ID_REPLACE_REGEX = new RegExp("[^" + exports.DOC_ID_PATTERN + "]", 'g');
exports.DOC_ID_MAX_LENGTH = 240;
exports.PASSWORD_MAX_LENGTH = 255;//set password limit for DoS protection with long password
exports.EXTENTION_REGEX = /^[a-zA-Z0-9]*$/;
exports.CHAR_DELIMITER = String.fromCharCode(5);
exports.OUTPUT_NAME = 'output';
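Review bot: The comment on `PASSWORD_MAX_LENGTH` does not say what unit the limit is in or where it is meant to be applied. Both call sites in this commit compare it with `.length` of the plaintext password before `utils.encryptPassword`, so for a string it counts UTF-16 code units rather than bytes, and the encoded input can exceed 255 bytes. I would spell that out, e.g. `// max plaintext password length in UTF-16 code units (String.length); checked before utils.encryptPassword to bound its input`.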


@ -2045,7 +2045,13 @@ exports.install = function(server, callbackFunction) {
dataWithPassword = data.openCmd;
}
if (dataWithPassword && dataWithPassword.password) {
dataWithPassword.password = yield utils.encryptPassword(dataWithPassword.password);
if (dataWithPassword.password.length > constants.PASSWORD_MAX_LENGTH) {
//todo send back error
logger.warn('encryptPasswordParams password too long actual = %s; max = %s', dataWithPassword.password.length, constants.PASSWORD_MAX_LENGTH);
dataWithPassword.password = null;
} else {
dataWithPassword.password = yield utils.encryptPassword(dataWithPassword.password);
}
}
}
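Review bot: The length guard added here only holds when `password` is a string: for a number or a plain object `.length` is `undefined`, the comparison `undefined > constants.PASSWORD_MAX_LENGTH` is false, and the value reaches `utils.encryptPassword` unchecked. If this field is taken from a client message, which the surrounding code suggests but the hunk does not show, the condition should reject non-strings as well, e.g. `if (typeof dataWithPassword.password !== 'string' || dataWithPassword.password.length > constants.PASSWORD_MAX_LENGTH) {`. The same applies to the `params.password.length` check in the convertRequest hunk. The enclosing function starts outside the hunk.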


@ -256,6 +256,11 @@ function convertRequest(req, res, isJson) {
cmd.setJsonParams(JSON.stringify({'spreadsheetLayout': params.spreadsheetLayout}));
}
if (params.password) {
if (params.password.length > constants.PASSWORD_MAX_LENGTH) {
logger.warn('convertRequest password too long actual = %s; max = %s;docId = %s', params.password.length, constants.PASSWORD_MAX_LENGTH, docId);
utils.fillResponse(req, res, new commonDefines.ConvertStatus(constants.CONVERT_PARAMS), isJson);
return;
}
let encryptedPassword = yield utils.encryptPassword(params.password);
cmd.setPassword(encryptedPassword);
}