[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

Tue, 19 Jul 2016 08:25:43 -0700 

 loolwsd/FileServer.hpp |   18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

New commits:
commit 9b29565448806657d3b44597bba6137e72664ad5
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Tue Jul 19 20:50:43 2016 +0530

    loolwsd: security: Sanitize user input before generating HTML
    
    Change-Id: I835bc84ba197a31745cd593c22571ae9f9ad7b1a

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 874db99..574d0b0 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -32,6 +32,7 @@
 #include <Poco/StringTokenizer.h>
 #include <Poco/URI.h>
 #include <Poco/FileStream.h>
+#include <Poco/RegularExpression.h>
 #include <Poco/StreamCopier.h>
 #include <Poco/Util/ServerApplication.h>
 #include <Poco/Util/Timer.h>
@@ -213,7 +214,7 @@ private:
         return path;
     }
 
-    void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response)
+    void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response) throw(Poco::FileAccessDeniedException)
     {
         HTMLForm form(request, request.stream());
 
@@ -227,8 +228,19 @@ private:
         StreamCopier::copyToString(file, preprocess);
         file.close();
 
-        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), 
form.get("access_token", ""));
-        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), 
form.get("access_token_ttl", ""));
+        const std::string& accessToken = form.get("access_token", "");
+        const std::string& accessTokenTtl = form.get("access_token_ttl", "");
+
+        // As of now only alphanumeric characters are allowed in access token
+        // Sanitize user input before replacing
+        Poco::RegularExpression re("[a-zA-Z0-9_]*", 
Poco::RegularExpression::RE_ANCHORED);
+        if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
+        {
+            throw Poco::FileAccessDeniedException("Invalid access token 
provided. Only alphanumeric and _ are allowed ");
+        }
+
+        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), 
accessToken);
+        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), 
accessTokenTtl);
         Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
         Poco::replaceInPlace(preprocess, std::string("%VERSION%"), 
std::string(LOOLWSD_VERSION_HASH));
 
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

Reply via email to