loolwsd/FileServer.cpp | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
New commits:
commit 09b33d357d1335f7657e94228a6b6a4d00762094
Author: Pranav Kant <pran...@collabora.co.uk>
Date: Tue Nov 15 20:21:02 2016 +0530
loolwsd: Escape access token safely, don't be too defensive
Change-Id: I43cb71f418904c0b925722f4d2fe3ac1b0a351f6
diff --git a/loolwsd/FileServer.cpp b/loolwsd/FileServer.cpp
index d56824f..5c71764 100644
--- a/loolwsd/FileServer.cpp
+++ b/loolwsd/FileServer.cpp
@@ -230,15 +230,13 @@ void
FileServerRequestHandler::preprocessFile(HTTPServerRequest& request, HTTPSe
const std::string& accessToken = form.get("access_token", "");
const std::string& accessTokenTtl = form.get("access_token_ttl", "");
- // As of now only alphanumeric characters are allowed in access token
- // Sanitize user input before replacing
- Poco::RegularExpression re("[a-zA-Z0-9_]*",
Poco::RegularExpression::RE_ANCHORED);
- if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
- {
- throw Poco::FileAccessDeniedException("Invalid access token provided.
Only alphanumeric and _ are allowed ");
- }
+ // Escape bad characters in access token.
+ // This is placed directly in javascript in loleaflet.html, we need to
make sure
+ // that no one can do anything nasty with their clever inputs.
+ std::string escapedAccessToken;
+ Poco::URI::encode(accessToken, "'", escapedAccessToken);
- Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"),
accessToken);
+ Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"),
escapedAccessToken);
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"),
accessTokenTtl);
Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
Poco::replaceInPlace(preprocess, std::string("%VERSION%"),
std::string(LOOLWSD_VERSION_HASH));
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
