fix(imageview): Don't try to load unresolved images#5655
Merged
max-nextcloud merged 1 commit intomainfrom Apr 11, 2024
Merged
Conversation
5 tasks
Antreesy
reviewed
Apr 11, 2024
759b8d4 to
99e7a7a
Compare
Signed-off-by: Joas Schilling <coding@schilljs.com>
99e7a7a to
ec99e9f
Compare
Antreesy
approved these changes
Apr 11, 2024
Antreesy
left a comment
There was a problem hiding this comment.
Should be enough for a fix. Waiting for maintainers input
max-nextcloud
approved these changes
Apr 11, 2024
Collaborator
max-nextcloud
left a comment
There was a problem hiding this comment.
Thanks for looking into this. Code change looks good and matches the description. Let's get this in.
Member
Author
|
/backport to stable29 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📝 Summary
Currently a lot of people on our instance get bruteforce protected in Talk regularly. After some log reading it seems to always happen when interactive widgets are involved.
After some trying the smallest possible test is:
.attachmentlinks with wrong file ids)/f/...link and post it into a chatindex.php/call/undefinedAfter some debugging I found this trace. The problem is the "default" resolver responds:
text/src/components/Editor.provider.js
Lines 91 to 94 in 648cf20
This means that
text/src/nodes/ImageView.vue
Line 245 in 99e7a7a
makes
this.attachment = [this.src]in the Promise it sets
img.src = this.attachment.previewUrlbutpreviewUrlis undefined as only0exists.This will make the browser load
undefinedrelative to the current page which results inhttps://localhost/index.php/call/undefinedThis however looks like you are trying to open a conversation with the token
undefined, but you have no access to it => bruteforce registered.by simply checking if
previewUrlexists and otherwise jumping into the fail mode, it prevents the request to loadindex.php/call/undefinedand so also no bruteforce attempt it registered.🏁 Checklist
npm run lint/npm run stylelint/composer run cs:check)