Protect current pad keys in the unsafe iframe

2020-04-07 17:12:06 +02:00 · 2020-04-07 17:12:06 +02:00 · 0ccc57f6f7
commit 0ccc57f6f7
parent 43904df0fb
2 changed files with 8 additions and 2 deletions
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@ -488,7 +488,7 @@ define([


            // Put in the following function the RPC queries that should also work in filepicker
-            var addCommonRpc = function (sframeChan) {
+            var addCommonRpc = function (sframeChan, safe) {
                sframeChan.on('Q_ANON_RPC_MESSAGE', function (data, cb) {
                    Cryptpad.anonRpcMsg(data.msg, data.content, function (err, response) {
                        cb({error: err, response: response});
@ -595,6 +595,12 @@ define([
                    }
                    if (data.href) { href = data.href; }
                    Cryptpad.getPadAttribute(data.key, function (e, data) {
+                        if (!safe && data) {
+                            // Remove unsafe data for the unsafe iframe
+                            delete data.href;
+                            delete data.roHref;
+                            delete data.password;
+                        }
                        cb({
                            error: e,
                            data: data
--- a/www/secureiframe/main.js
+++ b/www/secureiframe/main.js
@ -106,7 +106,7 @@ define([
                Cryptpad.onMetadataChanged(updateMeta);
                sframeChan.onReg('EV_METADATA_UPDATE', updateMeta);

-                config.addCommonRpc(sframeChan);
+                config.addCommonRpc(sframeChan, true);

                Cryptpad.padRpc.onMetadataEvent.reg(function (data) {
                    sframeChan.event('EV_RT_METADATA', data);