commit 20acb807fb691e2c3f0948c88ef2f95fb00c9f23 Author: cypherpunks cypherpunks@torproject.org Date: Thu Mar 2 14:50:41 2017 +0000
Do not rehash invalid fingerprints
The regular expression only matches the beginning of the fingerprint. This allows invalid hexadecimal strings to be passed to the JavaScript SHA library, which then aborts further page loading.
Also rename the function to reflect that it only supports one fingerprint argument, not an array of fingerprints.
Closes #21612.
---
 js/router.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/js/router.js b/js/router.js
index 2c02dad..65cf8af 100644
--- a/js/router.js
+++ b/js/router.js
@@ -20,8 +20,8 @@ define([
 '*actions': 'defaultAction'
 },
- hashFingerprints: function(fp){
- if (fp.match(/^[a-f0-9]{40}/i) != null)
+ hashFingerprint: function(fp){
+ if (fp.match(/^[a-f0-9]{40}$/i) != null)
 return new jsSHA(fp, "HEX").getHash("SHA-1", "HEX").toUpperCase();
 else
 return fp
@@ -36,7 +36,7 @@ define([
 $("#loading").show();
 $("#content").hide();
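Review bot: Input that fails the anchored test in `hashFingerprint` is still returned unchanged by the `else return fp` branch, and the third hunk concatenates that return value directly into `doSearchView.collection.url`. The added `$` keeps malformed hex away from jsSHA, but it does not constrain what ends up in the request URL; unless the query is already encoded somewhere outside this diff, the call site should read `doSearchView.collection.baseurl + encodeURIComponent(this.hashFingerprint(query));`. A one-line comment above the function, such as `// Hash only a complete 40-hex-digit fingerprint; any other input is returned as-is`, would make the pass-through explicit to the next reader. The function's closing lines fall outside the hunk.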
- mainDetailsView.model.fingerprint = this.hashFingerprints(fingerprint);
+ mainDetailsView.model.fingerprint = this.hashFingerprint(fingerprint);
 mainDetailsView.model.lookup({
 success: function(relay) {
 $("#content").show();
@@ -68,7 +68,7 @@ define([
 $("#loading").hide();
 } else {
 doSearchView.collection.url =
- doSearchView.collection.baseurl + this.hashFingerprints(query);
+ doSearchView.collection.baseurl + this.hashFingerprint(query);
 doSearchView.collection.lookup({
 success: function(err){
 doSearchView.relays = doSearchView.collection.models;