common/Util.cpp | 28 ++++++++++++++++++++++++++++ common/Util.hpp | 8 ++++++++ debian/changelog | 6 ++++++ loolwsd.spec.in | 2 +- wsd/FileServer.cpp | 7 +++++-- 5 files changed, 48 insertions(+), 3 deletions(-)
New commits:
commit 173a97446a78027606f9754295799829dea466f6
Author: Andras Timar <[email protected]>
Date: Wed Apr 4 13:19:18 2018 +0200
Bump package version to 3.1.0-8
Change-Id: I8f682a5ddbb42807856614a1dd8846b27c86ddb0
diff --git a/debian/changelog b/debian/changelog
index b0cfbad83..f38b68711 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+loolwsd (3.1.0-8) unstable; urgency=medium
+
+ * see the git log: http://col.la/cool31
+
+ -- Andras Timar <[email protected]> Thu, 04 Apr 2018 13:00:00 +0200
+
 loolwsd (3.1.0-7) unstable; urgency=medium
 * see the git log: http://col.la/cool31
diff --git a/loolwsd.spec.in b/loolwsd.spec.in
index 7f789cc16..3ed6be36a 100644
--- a/loolwsd.spec.in
+++ b/loolwsd.spec.in
@@ -12,7 +12,7 @@ Name: loolwsd%{name_suffix}
 Name: loolwsd
 %endif
 Version: @PACKAGE_VERSION@
-Release: 7%{?dist}
+Release: 8%{?dist}
 %if 0%{?suse_version} == 1110
 Group: Productivity/Office/Suite
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
commit 87cef44661ad8ef57cd35dc6bc490011035581fd
Author: Jan Holesovsky <[email protected]>
Date: Wed Apr 4 12:36:11 2018 +0200
Sanity-check the scheme and host for frame ancestor, POCO does not do that.
Change-Id: Ieea9532ccd2a11e74f370a340e68f46122469848
(cherry picked from commit c8ef63253a94a4f74cc4238d7d070f75e26bec3e)
Signed-off-by: Andras Timar <[email protected]>
(cherry picked from commit 4527163351325befbe8032edf0829edbedbb982d)
Signed-off-by: Andras Timar <[email protected]>
diff --git a/common/Util.cpp b/common/Util.cpp
index b9ca5951c..10f0f7e66 100644
--- a/common/Util.cpp
+++ b/common/Util.cpp
@@ -489,6 +489,34 @@ namespace Util
 return map;
 }
+
+ bool isValidURIScheme(const std::string& scheme)
+ {
+ if (scheme.empty())
+ return false;
+
+ for (char c : scheme)
+ {
+ if (!isalpha(c))
+ return false;
+ }
+
+ return true;
+ }
+
+ bool isValidURIHost(const std::string& host)
+ {
+ if (host.empty())
+ return false;
+
+ for (char c : host)
+ {
+ if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c !=':' && c != '[' && c != ']')
+ return false;
+ }
+
+ return true;
+ }
 }
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/common/Util.hpp b/common/Util.hpp
index b4c59f981..d45a5e028 100644
--- a/common/Util.hpp
+++ b/common/Util.hpp
@@ -220,6 +220,14 @@ namespace Util
 return trimmed(std::string(s));
 }
+ /// Check for the URI scheme validity.
+ /// For now just a basic sanity check, can be extended if necessary.
+ bool isValidURIScheme(const std::string& scheme);
+
+ /// Check for the URI host validity.
+ /// For now just a basic sanity check, can be extended if necessary.
+ bool isValidURIHost(const std::string& host);
+
 /// Given one or more patterns to allow, and one or more to deny,
 /// the match member will return true if, and only if, the subject
 /// matches the allowed list, but not the deny.
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index c5f258f43..c0899ce88 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
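Review bot: In the common/Util.cpp hunk, `isalpha(c)` in `isValidURIScheme` and `isalnum(c)` in `isValidURIHost` are called with a plain `char`. Where `char` is signed, a byte with the high bit set is passed as a negative value, which is undefined behaviour for the `<cctype>` functions, and the result also depends on the process locale. If the frame ancestor is request-derived, as the sanity check suggests, non-ASCII bytes therefore may or may not be rejected. Cast first, `if (!isalpha(static_cast<unsigned char>(c)))`, and likewise in the host loop, or compare against explicit ASCII ranges so the allowlist cannot vary with locale. The scheme check is also narrower than the URI grammar (digits, `+`, `-` and `.` are refused), which looks fine for this use but deserves a one-line comment.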
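Review bot: The two new doc comments in the common/Util.hpp hunk do not say what is accepted, so a caller cannot tell that these are character allowlists rather than full URI validation. I would state the contract: `/// Returns true only for a non-empty string made solely of alphabetic characters.` for the scheme, and `/// Returns true only for a non-empty string of alphanumerics and '_', '-', '.', ':', '[', ']'; the host's structure is not validated.` for the host.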
@@ -601,9 +601,12 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 // Keep only the origin, reject everything else
 Poco::URI uriFrameAncestor(frameAncestor);
- if (!frameAncestor.empty() && !uriFrameAncestor.getScheme().empty() && !uriFrameAncestor.getHost().empty())
+ std::string frameAncestorScheme = uriFrameAncestor.getScheme();
+ std::string frameAncestorHost = uriFrameAncestor.getHost();
+
+ if (!frameAncestor.empty() && Util::isValidURIScheme(frameAncestorScheme) && Util::isValidURIHost(frameAncestorHost))
 {
- frameAncestor = uriFrameAncestor.getScheme() + "://" + uriFrameAncestor.getHost() + ":" + std::to_string(uriFrameAncestor.getPort());
+ frameAncestor = frameAncestorScheme + "://" + frameAncestorHost + ":" + std::to_string(uriFrameAncestor.getPort());
 LOG_TRC("Final frame ancestor: " << frameAncestor);
_______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
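Review bot: The new condition in preprocessFile accepts any alphabetic scheme, so a non-web value such as `ftp://host` still passes and is rebuilt into `frameAncestor` with whatever `getPort()` yields for that scheme. If only web origins are meaningful as a frame ancestor, replace `Util::isValidURIScheme(frameAncestorScheme)` with `(frameAncestorScheme == "http" || frameAncestorScheme == "https")`. Separately, `Poco::URI uriFrameAncestor(frameAncestor)` is constructed before any check and may throw on malformed input. The handling for that, and the branch taken when validation fails, lie outside the hunk, so confirm both leave `frameAncestor` empty rather than unvalidated. The two new locals can also be `const std::string`.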
