From dc23c6494fd211f90540582f7560b2c60be50caf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Hernandez?=
Date: Tue, 24 Oct 2017 09:42:12 +0200
Subject: [PATCH] Improved Json sanitization

It was important to fix this bug. It can let someone to prevent the esp8266 from scanning for APs just by sending beacons containing specifics characters in AP name. Those characters will make the browser to misunderstand the json result of APScan. For exemple if you put an anti-slash at the end of an AP name, you're browser will think that the " character of json delimitation is escaped and will interpret it as a ascii character. -Created a sanitize method. APScan::sanitizeJson(String) to escape specific characters. -SanitizeJson is used each time the result of getAPName is sent using Json data format. - Removed _ssid.replace("\"", "\\\"") It's important to not sanitize Ap names before saving them into a limited 33 chararacters array. Sanitize an AP name increase his size and so it can potentially decrease his final size when casted to a 33 chars array.
---
 esp8266_deauther/APScan.cpp | 19 +++++++++++++++----
 esp8266_deauther/APScan.h | 2 ++
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/esp8266_deauther/APScan.cpp b/esp8266_deauther/APScan.cpp
index 0053478..654c78c 100644
--- a/esp8266_deauther/APScan.cpp
+++ b/esp8266_deauther/APScan.cpp
@@ -29,7 +29,6 @@ bool APScan::start() {
 encryption[i] = WiFi.encryptionType(i);
 hidden[i] = WiFi.isHidden(i);
 String _ssid = WiFi.SSID(i);
- _ssid.replace("\"", "\\\"");
 _ssid.toCharArray(names[i], 33);
 //data_getVendor(WiFi.BSSID(i)[0],WiFi.BSSID(i)[1],WiFi.BSSID(i)[2]).toCharArray(vendors[i],9);
 if (debug) {
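Review bot: The line `_ssid.toCharArray(names[i], 33);` now stores the SSID unescaped, and nothing at this spot records that escaping has deliberately moved to output time, so a later reader may reintroduce the removed `replace` to "fix" quotes in names. A one-line comment would pin the invariant: `// store the raw SSID; JSON escaping is applied on output (sanitizeJson) so it never inflates past the 32-char buffer`. The commit message gives this reasoning, but it belongs next to the code. start() begins and ends outside this hunk.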
@@ -136,6 +135,18 @@ int APScan::getFirstTarget() {
 return -1;
 }
+String APScan::sanitizeJson(String input){
+ input.replace("\\","\\\\");
+ input.replace("\"","\\\"");
+ input.replace("/","\\/");
+ input.replace("\b","\\b");
+ input.replace("\f","\\f");
+ input.replace("\n","\\n");
+ input.replace("\r","\\r");
+ input.replace("\t","\\t");
+ return input;
+}
+
 void APScan::sendResults() {
 if (debug) Serial.print("sending AP scan result JSON ");
@@ -158,7 +169,7 @@ void APScan::sendResults() {
 _size += 61;
 _size += String(i).length();
 _size += String(getAPChannel(i)).length();
- _size += getAPName(i).length();
+ _size += sanitizeJson(getAPName(i)).length();
 _size += String(getAPRSSI(i)).length();
 if ((i != results - 1) && (i != maxAPScanResults - 1)) _size++; // ,
@@ -178,7 +189,7 @@ void APScan::sendResults() {
 json += "\"i\":" + (String)i + ",";
 json += "\"c\":" + (String)getAPChannel(i) + ",";
 json += "\"m\":\"" + getAPMac(i) + "\",";
- json += "\"ss\":\"" + getAPName(i) + "\",";
+ json += "\"ss\":\"" + sanitizeJson(getAPName(i)) + "\",";
 json += "\"r\":" + (String)getAPRSSI(i) + ",";
 json += "\"e\":" + (String)encryption[i] + ",";
 //json += "\"v\":\""+getAPVendor(i)+"\",";
@@ -211,7 +222,7 @@ String APScan::getResultsJSON() {
 json += "\"i\":" + (String)i + ",";
 json += "\"c\":" + (String)getAPChannel(i) + ",";
 json += "\"m\":\"" + getAPMac(i) + "\",";
- json += "\"ss\":\"" + getAPName(i) + "\",";
+ json += "\"ss\":\"" + sanitizeJson(getAPName(i)) + "\",";
 json += "\"r\":" + (String)getAPRSSI(i) + ",";
 json += "\"e\":" + (String)encryption[i] + ",";
 //json += "\"v\":\""+getAPVendor(i)+"\",";
diff --git a/esp8266_deauther/APScan.h b/esp8266_deauther/APScan.h
index dccd113..7abbaf7 100644
--- a/esp8266_deauther/APScan.h
+++ b/esp8266_deauther/APScan.h
@@ -39,6 +39,8 @@ class APScan {
 int getFirstTarget();
 bool isSelected(int num);
+ String sanitizeJson(String input);
+
 int results = 0;
 int selectedSum;
 MacList aps;
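Review bot: sanitizeJson escapes only five of the control characters, so an SSID byte in the 0x00–0x1F range other than \b, \f, \n, \r or \t (an SSID may carry any octet) still reaches the client unescaped, and a strict JSON parser then rejects the whole scan result — the same failure this commit sets out to close. RFC 8259 requires every U+0000–U+001F to be escaped; the remaining ones can be emitted as `\u00XX`. The replace-chain order is right (backslash first) and the `/` escape is optional but harmless, but a single pass over the characters covers the general case and avoids eight intermediate String copies on the ESP8266 heap; the call sites at @@ -158, @@ -178 and @@ -211 inherit the fix unchanged. sendResults() starts in this hunk and continues outside it.
```cpp
String APScan::sanitizeJson(String input){
  String out;
  out.reserve(input.length() + 8);
  for (unsigned int i = 0; i < input.length(); i++) {
    const char c = input.charAt(i);
    switch (c) {
      case '\\': out += "\\\\"; break;
      case '"':  out += "\\\""; break;
      case '/':  out += "\\/";  break;
      case '\b': out += "\\b";  break;
      case '\f': out += "\\f";  break;
      case '\n': out += "\\n";  break;
      case '\r': out += "\\r";  break;
      case '\t': out += "\\t";  break;
      default:
        if ((unsigned char)c < 0x20) {
          // RFC 8259: every remaining control character must be escaped too
          char esc[7];
          snprintf(esc, sizeof(esc), "\\u%04x", (unsigned char)c);
          out += esc;
        } else {
          out += c;
        }
    }
  }
  return out;
}
```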
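Review bot: The new declaration `String sanitizeJson(String input);` reads no member state, so `static String sanitizeJson(String input);` would make that contract explicit and let the escaping be exercised without an APScan instance. It is also placed between the member functions and the data members (`int results = 0;` follows it); grouping it with the other methods above `bool isSelected(int num);` keeps the class layout consistent. Minor, not blocking.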