fix(media): scan full buffer for null bytes in CSV/Markdown host-read check

The previous check only scanned the first 8 KiB, leaving a window where a
file with a null-free prefix followed by binary content could pass the guard.
Scan the entire buffer to close that gap.
Chen Chia Yang
2026-04-15 16:00:18 +08:00
committed by Frank Yang
parent f653bcc54e
commit f66e08a23f

@@ -143,13 +143,13 @@ function assertHostReadMediaAllowed(params: {
// plain-text buffers that have no binary magic bytes. Allow these formats when:
// - sniffedMime is undefined (no binary signature detected by file-type)
// - The extension-derived MIME is text/csv or text/markdown (operator intent)
// - The buffer contains no null bytes (rules out binary data with no known signature)
// - The full buffer contains no null bytes (rules out binary data with no known signature)
if (
!sniffedMime &&
normalizedMime &&
HOST_READ_TEXT_PLAIN_ALIASES.has(normalizedMime) &&
params.buffer &&
!params.buffer.subarray(0, 8192).includes(0x00)
!params.buffer.includes(0x00)
) {
return;
}
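Review bot: The new condition `!params.buffer.includes(0x00)` has no regression test visible in this change for the case the commit message describes. Add one with a buffer whose first 8192 bytes are null-free and whose later bytes contain 0x00, and assert that the guard does not take the early `return`. Separately, the absence of null bytes is still only a heuristic: a null-free buffer that is not valid text passes this branch whenever the extension-derived MIME is in `HOST_READ_TEXT_PLAIN_ALIASES`, so if the intent is "text only", consider also requiring that the buffer decodes as strict UTF-8. The scan is now linear in the buffer length; if the buffer size is bounded by the caller, say so in the comment above the condition.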