diff options
| author | David Benson <david@draw.io> | 2022-10-17 20:14:55 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-17 20:14:55 +0300 |
| commit | 60171270c79bf4be5dac03ec35c97586c97ea5e6 (patch) | |
| tree | 4e7a6f42bf858a9f6a3469837c113d2e51754c57 | |
| parent | b725015c457a2e2f2b52cf521c06cd11751413a9 (diff) | |
Blocks recursive proxy calls
https://huntr.dev/bounties/d383a6b8-b12a-4893-9b8f-8df18ec679c3/
| -rw-r--r-- | src/main/java/com/mxgraph/online/ProxyServlet.java | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/main/java/com/mxgraph/online/ProxyServlet.java b/src/main/java/com/mxgraph/online/ProxyServlet.java index 90de9d6f..1223f1e8 100644 --- a/src/main/java/com/mxgraph/online/ProxyServlet.java +++ b/src/main/java/com/mxgraph/online/ProxyServlet.java @@ -78,6 +78,12 @@ public class ProxyServlet extends HttpServlet try(OutputStream out = response.getOutputStream()) { + if ("draw.io".equals(ua)) + { + log.log(Level.SEVERE, "Infinite loop detected, proxy should not call itself"); + throw new UnsupportedContentException(); + } + request.setCharacterEncoding("UTF-8"); response.setCharacterEncoding("UTF-8"); |