Rudis1261 / blink-server

This is the server you would need to be able to run the Blink Android Application.
MIT License

Possible security impact in handling input #11

Closed Cxarli closed 5 years ago

Cxarli commented 5 years ago

https://github.com/drpain/blink-server/blob/80ece1256cb53719f5e056771c2148eafde16415/core.py#L91-L108

I am kinda uneasy about this piece of code. What's there to keep a malicious actor from sending an x-coordinate of `; rm /very/important/file`? Especially since the server is running as superuser, that is a risk to be careful of.

I would suggest using `str(float(JSON['x']))` to make sure only numeric input can be entered.
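The suggested fix, worked into a small request handler as an added example (not blink-server's own code). It assumes the server reads `x` and `y` from a JSON body and hands them to a command-line tool (the tool name `tap` is a placeholder), and it adds two things `str(float(...))` alone does not give: rejecting `nan`/`inf`/booleans, which `float()` happily accepts, and passing the values as an argv list rather than a shell string.

```python
import json
import math
import subprocess

# Added example for issue #11; not the project's code. "tap" is a placeholder
# for whatever tool the server invokes with the coordinates.


def sanitize_coordinate(value):
    """Return a canonical numeric string for a coordinate or raise ValueError.

    This is the str(float(...)) check from the issue plus two caveats:
    float() also accepts "nan", "inf" and "1e999", which are rejected here,
    and bools (float(True) == 1.0) are rejected instead of silently mapped.
    """
    if isinstance(value, bool):
        raise ValueError("boolean is not a coordinate: %r" % (value,))
    try:
        number = float(value)  # "; rm /very/important/file" fails here
    except (TypeError, ValueError):
        raise ValueError("coordinate is not numeric: %r" % (value,))
    if not math.isfinite(number):
        raise ValueError("coordinate must be finite: %r" % (value,))
    return str(number)


def build_argv(raw_body):
    """Parse the request body and return argv for the tool, never a shell string."""
    payload = json.loads(raw_body)
    return ["tap", sanitize_coordinate(payload["x"]), sanitize_coordinate(payload["y"])]


def handle_request(raw_body):
    """Return (True, argv) for valid input or (False, reason) for rejected input."""
    try:
        argv = build_argv(raw_body)
    except (ValueError, KeyError, TypeError) as exc:  # JSONDecodeError is a ValueError
        return False, str(exc)
    return True, argv


def run(argv):
    # A list with shell=False means no shell ever parses the arguments, so each
    # element stays one argument even if the validation above were relaxed.
    return subprocess.run(argv, shell=False, check=False)


if __name__ == "__main__":
    # Constructed request bodies: one benign, one carrying the injection string.
    for body in ('{"x": 12.5, "y": "7"}', '{"x": "; rm /very/important/file", "y": 1}'):
        print(body, "->", handle_request(body))
```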

Rudis1261 commented 5 years ago

Sure, true enough. Merged