A critical security bug in Total.js Eshop + CMS

Sat Oct 29 2016 20:03:06 GMT+0200 (Central European Summer Time), Peter Širka

We are really sorry, but this is life. Sometimes we are teachers and sometimes we are students. Yesterday we found a critical security bug in Total.js Eshop and CMS: the image handler in the default controller took the s query parameter (the resize percentage) and used it without any validation, both when rewriting the requested pathname and when building the argument passed to image.resize(). Please follow the instructions below:

  • first update Total.js to v2.2.0 or newer (npm install total.js)
  • then check your application's source code:

Open yourapp/controllers/default.js, find the file_read function and modify it as shown below. This is the vulnerable version:

function file_read() {

    // ...
    // ...
    // ...

    // VULNERABLE: the raw query string is written into the pathname
    if (req.query.s)
        req.uri.pathname = req.uri.pathname.replace('.', req.query.s + '.');

    // ...
    // ...
    // ...

    // Image processing
    res.image(filename, function(image) {
        image.output(req.extension);
        req.extension === 'jpg' && image.quality(85);
        // VULNERABLE: the raw query string is passed to the image processor
        image.resize(req.query.s + '%');
        image.minify();
    });

    // ...
    // ...
}

FIX:

function file_read() {

    // ...
    // ...
    // ...

    // THIS IS NEW:
    var size;

    if (req.query.s) {
        // THIS IS NEW: coerce the parameter to an integer
        // (String.prototype.parseInt() is a Total.js string extension)
        size = req.query.s.parseInt();
        req.uri.pathname = req.uri.pathname.replace('.', size + '.');
    }

    // ...
    // ...
    // ...

    // Image processing
    res.image(filename, function(image) {
        image.output(req.extension);
        req.extension === 'jpg' && image.quality(85);
        // THIS IS NEW (this was a critical bug): only a number reaches resize(),
        // and the call is skipped entirely when no valid size was given
        size && image.resize(size + '%');
        image.minify();
    });

    // ...
    // ...
}

Do you have any questions? Contact us via our HelpDesk system.
We apologize for the inconvenience.
