Any field that takes in a data:base64 image is susceptible to crashing the whole server
https://nerimity.com/api/users/
POST body (authorization header required)
What the server expects: {"avatar":"data:image/png;base64,insert+the+b64+encoded+image+here"}
What breaks the server: {"avatar":"qwerty"}
If the avatar has a field that is not equal to a base64 encoded image, it crashes the image processing service and restarts
Not limited to avatar - also affects banner, and pretty much any endpoint that accepts images, and then crashes the whole thing
Simplest solution is to only accept b64 format images with a format check in the server, but alternative damage control could be to force the server to ignore errors and only log them through any service, with a custom error handler
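
The format check suggested above, as an added example that is not part of the original issue or the project's own code: a Node.js validator that returns a rejection instead of throwing when a field such as `avatar` or `banner` is not a well-formed base64 image data URI. The function name, size cap and accepted type list are assumptions.

```javascript
// Added example: hypothetical validator, not code from the project.
const MAX_DECODED_BYTES = 2 * 1024 * 1024; // assumed upload cap

// Leading "magic" bytes for each accepted MIME type (assumed allow-list).
const SIGNATURES = new Map([
  ["image/png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["image/jpeg", [0xff, 0xd8, 0xff]],
  ["image/gif", [0x47, 0x49, 0x46, 0x38]],
]);

// data:<image mime>;base64,<strict base64 with optional padding>
const DATA_URI = /^data:(image\/[a-z]+);base64,([A-Za-z0-9+/]+={0,2})$/;

// Returns { ok: true, mime, bytes } or { ok: false, reason }. Never throws,
// so a malformed field becomes a 400 response rather than a crashed worker.
function parseImageDataUri(value) {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  // Bound the input before matching or decoding anything.
  const maxChars = Math.ceil(MAX_DECODED_BYTES / 3) * 4 + 64;
  if (value.length > maxChars) return { ok: false, reason: "too large" };

  const match = DATA_URI.exec(value);
  if (!match) return { ok: false, reason: "not a base64 image data URI" };
  const [, mime, b64] = match;

  const signature = SIGNATURES.get(mime);
  if (!signature) return { ok: false, reason: "unsupported image type" };
  if (b64.length % 4 !== 0) return { ok: false, reason: "invalid base64 length" };

  const bytes = Buffer.from(b64, "base64");
  if (bytes.length > MAX_DECODED_BYTES) return { ok: false, reason: "too large" };
  // The declared type must agree with the decoded content.
  if (!signature.every((b, i) => bytes[i] === b)) {
    return { ok: false, reason: "content does not match declared type" };
  }
  return { ok: true, mime, bytes };
}

// Constructed sample bodies: the payload from the report and a PNG header.
const pngHeader = Buffer.from(SIGNATURES.get("image/png")).toString("base64");
for (const body of [{ avatar: "qwerty" }, { avatar: `data:image/png;base64,${pngHeader}` }]) {
  const result = parseImageDataUri(body.avatar);
  console.log(result.ok ? `accepted ${result.mime}` : `rejected: ${result.reason}`);
}
```

The signature check only confirms the leading bytes, so the image processing call itself still needs its own error handling for files that are truncated or corrupt past the header.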