common/Util.cpp | 28 ++++++++++++++++++++++++++++
common/Util.hpp | 8 ++++++++
wsd/FileServer.cpp | 7 +++++--
3 files changed, 41 insertions(+), 2 deletions(-)
New commits:
commit c8ef63253a94a4f74cc4238d7d070f75e26bec3e
Author: Jan Holesovsky <ke...@collabora.com>
Date: Wed Apr 4 12:36:11 2018 +0200
Sanity-check the scheme and host for frame ancestor, POCO does not do that.
Change-Id: Ieea9532ccd2a11e74f370a340e68f46122469848
diff --git a/common/Util.cpp b/common/Util.cpp
index 37edd665f..962b5b4c1 100644
--- a/common/Util.cpp
+++ b/common/Util.cpp
@@ -538,6 +538,34 @@ namespace Util
return map;
}
+
+ bool isValidURIScheme(const std::string& scheme)
+ {
+ if (scheme.empty())
+ return false;
+
+ for (char c : scheme)
+ {
+ if (!isalpha(c))
+ return false;
+ }
+
+ return true;
+ }
+
+ bool isValidURIHost(const std::string& host)
+ {
+ if (host.empty())
+ return false;
+
+ for (char c : host)
+ {
+ if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c !=':' &&
c != '[' && c != ']')
+ return false;
+ }
+
+ return true;
+ }
}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/common/Util.hpp b/common/Util.hpp
index 6bbcd3d03..db5217fbe 100644
--- a/common/Util.hpp
+++ b/common/Util.hpp
@@ -302,6 +302,14 @@ namespace Util
return s.length() >= t.length() && memcmp(s.c_str(), t.c_str(),
t.length()) == 0;
}
+ /// Check for the URI scheme validity.
+ /// For now just a basic sanity check, can be extended if necessary.
+ bool isValidURIScheme(const std::string& scheme);
+
+ /// Check for the URI host validity.
+ /// For now just a basic sanity check, can be extended if necessary.
+ bool isValidURIHost(const std::string& host);
+
/// Given one or more patterns to allow, and one or more to deny,
/// the match member will return true if, and only if, the subject
/// matches the allowed list, but not the deny.
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 9ceb86ba5..f45a4d852 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -601,9 +601,12 @@ void FileServerRequestHandler::preprocessFile(const
HTTPRequest& request, Poco::
// Keep only the origin, reject everything else
Poco::URI uriFrameAncestor(frameAncestor);
- if (!frameAncestor.empty() && !uriFrameAncestor.getScheme().empty() &&
!uriFrameAncestor.getHost().empty())
+ std::string frameAncestorScheme = uriFrameAncestor.getScheme();
+ std::string frameAncestorHost = uriFrameAncestor.getHost();
+
+ if (!frameAncestor.empty() && Util::isValidURIScheme(frameAncestorScheme)
&& Util::isValidURIHost(frameAncestorHost))
{
- frameAncestor = uriFrameAncestor.getScheme() + "://" +
uriFrameAncestor.getHost() + ":" + std::to_string(uriFrameAncestor.getPort());
+ frameAncestor = frameAncestorScheme + "://" + frameAncestorHost + ":"
+ std::to_string(uriFrameAncestor.getPort());
LOG_TRC("Final frame ancestor: " << frameAncestor);
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
