KASM-6773 Escape JSON filenames in WebSocket file list responses

2025-06-27 05:01:41 +02:00 · 2025-03-17 17:20:26 +05:00 · 2025-03-17 17:20:26 +05:00 · 0df5d5bd72
commit 0df5d5bd72
parent 4973781a8f
1 changed files with 34 additions and 22 deletions
--- a/common/network/websocket.c
+++ b/common/network/websocket.c
@ -1711,7 +1711,21 @@ static uint8_t ownerapi(ws_ctx_t *ws_ctx, const char *in, const char * const use
                strcpy(grp, grpt.gr_name);
            }

-            sprintf(buf, "%s{ \"filename\": \"%s\", "
+            sprintf(buf, "%s{ \"filename\": \"", sent ? ",\n" : "");
+            ws_send(ws_ctx, buf, strlen(buf));
+            len += strlen(buf);
+
+            size_t max_out_length = 2 * strlen(ent->d_name) + 1; // worst case scenario
+            char *filename = malloc(max_out_length);
+
+            JSON_escape(ent->d_name, filename);
+            size_t size = strlen(filename);
+            ws_send(ws_ctx, filename, size);
+            len += size;
+
+            free(filename);
+
+            sprintf(buf, "\", "
                    "\"date_modified\": %lu, "
                    "\"date_created\": %lu, "
                    "\"is_dir\": %s, "
@ -1719,8 +1733,6 @@ static uint8_t ownerapi(ws_ctx_t *ws_ctx, const char *in, const char * const use
                    "\"owner\": \"%s\", "
                    "\"group\": \"%s\", "
                    "\"perms\": \"%s\" }",
-                         sent ? ",\n" : "",
-                         ent->d_name,
                    st.st_mtime,
                    st.st_ctime,
                    S_ISDIR(st.st_mode) ? "true" : "false",