From 96619a4b58a9ba3664b2588aa0960c80282f32c0 Mon Sep 17 00:00:00 2001
From: Kyle K <doctor.whom@gmail.com>
Date: Thu, 26 Sep 2019 22:06:47 +0000
Subject: [PATCH] Don't accept fancy lookin letters.

Backstory, Unified configs mean we can embed arbitrary text into the firmware, what is one source of text? Project Gutenberg!
I tried attaching a snippet of the text into the config (as comments, I am a careful deviant) and ended up learning a little about how text is encoded and handled these days.

Given a character with a value higher than 1 byte, the value gets cropped off, so 0x2018 would get flashed as 0x18, and would fail validation, because we'd be checking 0x2018 against 0x18

Asking Notepad++ to convert the document to ANSI was no good either, it decided to use Code page 1252, which still has fancy quotes, and when loaded into the configurator, instead of 0x92, it'd be converted to a replacement character FFFD if you want to look something up.
---
 locales/en/messages.json        |  3 +++
 src/js/tabs/firmware_flasher.js | 18 ++++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/locales/en/messages.json b/locales/en/messages.json
index 2bff6ee2..82bbf005 100644
--- a/locales/en/messages.json
+++ b/locales/en/messages.json
@@ -2812,6 +2812,9 @@
     "firmwareFlasherHexCorrupted": {
         "message": "HEX file appears to be corrupted"
     },
+    "firmwareFlasherConfigCorrupted": {
+        "message": "Config file appears to be corrupted, ASCII accepted (chars 0-127)"
+    },
     "firmwareFlasherRemoteFirmwareLoaded": {
         "message": "<span class=\"message-positive\">Remote Firmware loaded, ready for flashing</span>"
     },
diff --git a/src/js/tabs/firmware_flasher.js b/src/js/tabs/firmware_flasher.js
index f4ceefdb..2fc28445 100644
--- a/src/js/tabs/firmware_flasher.js
+++ b/src/js/tabs/firmware_flasher.js
@@ -587,6 +587,12 @@ TABS.firmware_flasher.initialize = function (callback) {
                 self.flashingMessage(i18n.getMessage('firmwareFlasherFirmwareLocalLoaded', self.parsed_hex.bytes_total), self.FLASH_MESSAGE_TYPES.NEUTRAL);
             }
         }
+        function checkAsciiLimits(input) {
+            for (let i=0; i < input.length; i++) {
+                if (input.charCodeAt(i) > 127) { return false; }
+            }
+            return true;
+        }
         // UI Hooks
         $('a.load_file').click(function () {
             self.enableFlashing(false);
@@ -641,10 +647,14 @@ TABS.firmware_flasher.initialize = function (callback) {
                                     });
                                 } else {
                                     clearBufferedFirmware();
-                                    self.unifiedTargetConfig = e.target.result;
-                                    self.unifiedTargetConfigName = file.name;
-                                    self.isConfigLocal = true;
-                                    flashingMessageLocal();
+                                    if (checkAsciiLimits(e.target.result)) {
+                                        self.unifiedTargetConfig = e.target.result;
+                                        self.unifiedTargetConfigName = file.name;
+                                        self.isConfigLocal = true;
+                                        flashingMessageLocal();
+                                    } else {
+                                        self.flashingMessage('firmwareFlasherConfigCorrupted', self.FLASH_MESSAGE_TYPES.INVALID);
+                                    }
                                 }
                             }
                         };