common/Util.cpp | 28 ++++++++++++++++++++++++++++ common/Util.hpp | 8 ++++++++ configure.ac | 2 +- wsd/FileServer.cpp | 7 +++++-- 4 files changed, 42 insertions(+), 3 deletions(-)
New commits: commit 28a89d571433505be28086c4f325ccd1031c41e1 Author: Andras Timar <andras.ti...@collabora.com> Date: Wed Apr 4 13:01:52 2018 +0200 Bump version to 6.0.2.3 Change-Id: Ica38cff171bb157909eb98e639d7c8b213aa519c diff --git a/configure.ac b/configure.ac index 58d3d65fa..cec19ee41 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ AC_PREREQ([2.63]) -AC_INIT([libreoffice-online], [6.0.2.1], [libreoffice@lists.freedesktop.org]) +AC_INIT([libreoffice-online], [6.0.3.2], [libreoffice@lists.freedesktop.org]) LT_INIT([shared, disable-static, dlopen]) AM_INIT_AUTOMAKE([1.10 subdir-objects tar-pax -Wno-portability]) commit 330c3485fe65bec1dde83cb0c0410095755995e8 Author: Jan Holesovsky <ke...@collabora.com> Date: Wed Apr 4 12:36:11 2018 +0200 Sanity-check the scheme and host for frame ancestor, POCO does not do that. Change-Id: Ieea9532ccd2a11e74f370a340e68f46122469848 diff --git a/common/Util.cpp b/common/Util.cpp index 51c15b744..326c62b95 100644 --- a/common/Util.cpp +++ b/common/Util.cpp @@ -399,6 +399,34 @@ namespace Util return map; } + + bool isValidURIScheme(const std::string& scheme) + { + if (scheme.empty()) + return false; + + for (char c : scheme) + { + if (!isalpha(c)) + return false; + } + + return true; + } + + bool isValidURIHost(const std::string& host) + { + if (host.empty()) + return false; + + for (char c : host) + { + if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c !=':' && c != '[' && c != ']') + return false; + } + + return true; + } } /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/common/Util.hpp b/common/Util.hpp index e97d18084..96b3dd6f0 100644 --- a/common/Util.hpp +++ b/common/Util.hpp 
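Review bot: The added `isalpha(c)` in isValidURIScheme and `isalnum(c)` in isValidURIHost are called on a plain `char`; for bytes >= 0x80 that is a negative value, which is undefined behaviour for the `<cctype>` classifiers, and both functions are locale-dependent, so in a non-"C" locale non-ASCII letters can pass a filter whose output is later emitted into a response header. Since these are security filters, they should be ASCII-only and explicit, as in the excerpt below (the character set itself is unchanged). Worth a comment on isValidURIHost too: the value of the check is that it excludes the characters that could break out of a header value (space, `;`, `'`, `"`, `*`, `/`), while it deliberately does no structural check, so `]a[` passes; if the header construction needs well-formed IPv6 brackets, that has to be checked by the caller.
```cpp
    // ASCII-only on purpose: <cctype> isalpha()/isalnum() are locale-dependent
    // and undefined for negative char values (bytes >= 0x80).
    static bool isAsciiAlpha(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    static bool isAsciiAlnum(char c)
    {
        return isAsciiAlpha(c) || (c >= '0' && c <= '9');
    }

    bool isValidURIScheme(const std::string& scheme)
    {
        // … unchanged: empty check …
        for (char c : scheme)
        {
            if (!isAsciiAlpha(c))
                return false;
        }
        // … unchanged: return true …
    }

    bool isValidURIHost(const std::string& host)
    {
        // … unchanged: empty check …
        // Only characters that cannot terminate or extend a header value are let through.
        for (char c : host)
        {
            if (!isAsciiAlnum(c) && c != '_' && c != '-' && c != '.' && c != ':' && c != '[' && c != ']')
                return false;
        }
        // … unchanged: return true …
    }
```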
@@ -215,6 +215,14 @@ namespace Util return trimmed(std::string(s)); } + /// Check for the URI scheme validity. + /// For now just a basic sanity check, can be extended if necessary. + bool isValidURIScheme(const std::string& scheme); + + /// Check for the URI host validity. + /// For now just a basic sanity check, can be extended if necessary. + bool isValidURIHost(const std::string& host); + /// Given one or more patterns to allow, and one or more to deny, /// the match member will return true if, and only if, the subject /// matches the allowed list, but not the deny. diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index a0e74a2c3..78ae12711 100644 --- a/wsd/FileServer.cpp +++ b/wsd/FileServer.cpp @@ -532,9 +532,12 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco:: // Keep only the origin, reject everything else Poco::URI uriFrameAncestor(frameAncestor); - if (!frameAncestor.empty() && !uriFrameAncestor.getScheme().empty() && !uriFrameAncestor.getHost().empty()) + std::string frameAncestorScheme = uriFrameAncestor.getScheme(); + std::string frameAncestorHost = uriFrameAncestor.getHost(); + + if (!frameAncestor.empty() && Util::isValidURIScheme(frameAncestorScheme) && Util::isValidURIHost(frameAncestorHost)) { - frameAncestor = uriFrameAncestor.getScheme() + "://" + uriFrameAncestor.getHost() + ":" + std::to_string(uriFrameAncestor.getPort()); + frameAncestor = frameAncestorScheme + "://" + frameAncestorHost + ":" + std::to_string(uriFrameAncestor.getPort()); LOG_TRC("Final frame ancestor: " << frameAncestor); _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
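Review bot: The two new declarations document only "basic sanity check", but callers use them as the filter between an externally supplied value and a response header, so the header should state exactly what is accepted. For isValidURIScheme I would write `/// Accepts only a non-empty string of letters; the '+', '-', '.' and digits that RFC 3986 also allows in a scheme are rejected.` and for isValidURIHost `/// Accepts a non-empty string of alphanumerics plus '_', '-', '.', ':', '[' and ']'; no structural check (bracket pairing, label lengths) is performed.` Stating "can be extended if necessary" without the current character set leaves the next caller guessing what the filter guarantees.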
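Review bot: The new condition accepts any purely alphabetic scheme, so a value such as `javascript://host:1` or `ftp://host:21` passes the check and is rebuilt into the frame ancestor; unless a non-HTTP ancestor is expected here, restricting to `(frameAncestorScheme == "http" || frameAncestorScheme == "https")` in place of `Util::isValidURIScheme(frameAncestorScheme)` is the tighter check. For an IPv6 literal, if Poco's getHost() returns the address without brackets (I believe it does), the rebuilt string becomes `http://::1:9980`, which is not a valid origin; that case should either be re-bracketed or rejected. The else branch of this `if` is outside the hunk, so please confirm that a rejected value ends up as an empty frameAncestor rather than the raw input being emitted. Minor: both new locals can be `const std::string`, and they are only needed inside the `if`.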