[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

2016-07-19 Thread Pranav Kant
 loolwsd/FileServer.hpp |   18 +++---
 1 file changed, 15 insertions(+), 3 deletions(-)

New commits:
commit 9b29565448806657d3b44597bba6137e72664ad5
Author: Pranav Kant 
Date:   Tue Jul 19 20:50:43 2016 +0530

loolwsd: security: Sanitize user input before generating HTML

Change-Id: I835bc84ba197a31745cd593c22571ae9f9ad7b1a

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 874db99..574d0b0 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -32,6 +32,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -213,7 +214,7 @@ private:
 return path;
 }
 
-void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response)
+void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response) throw(Poco::FileAccessDeniedException)
 {
 HTMLForm form(request, request.stream());
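Review bot: The `throw(Poco::FileAccessDeniedException)` specification added to the preprocessFile signature makes any other exception type that leaves the function call std::unexpected(), which by default terminates the process. The body opens the requested file with `FileInputStream` (visible in the next hunk), and a failed open would presumably raise a different Poco exception, so one bad request could stop the whole server instead of producing an error response. Dynamic exception specifications are also deprecated since C++11; drop the clause and document the exception in a comment instead, e.g. `/// @throws Poco::FileAccessDeniedException if a token contains disallowed characters`. The function body continues outside this hunk.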
 
@@ -227,8 +228,19 @@ private:
 StreamCopier::copyToString(file, preprocess);
 file.close();
 
-Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), 
form.get("access_token", ""));
-Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), 
form.get("access_token_ttl", ""));
+const std::string& accessToken = form.get("access_token", "");
+const std::string& accessTokenTtl = form.get("access_token_ttl", "");
+
+// As of now only alphanumeric characters are allowed in access token
+// Sanitize user input before replacing
+Poco::RegularExpression re("[a-zA-Z0-9_]*", 
Poco::RegularExpression::RE_ANCHORED);
+if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
+{
+throw Poco::FileAccessDeniedException("Invalid access token 
provided. Only alphanumeric and _ are allowed ");
+}
+
+Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), 
accessToken);
+Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), 
accessTokenTtl);
 Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
 Poco::replaceInPlace(preprocess, std::string("%VERSION%"), 
std::string(LOOLWSD_VERSION_HASH));
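Review bot: `accessToken` and `accessTokenTtl` are bound as `const std::string&` to the result of `form.get(name, "")`; if `get` returns a reference to its default argument when the field is absent (as Poco's NameValueCollection does, to my knowledge), both references dangle once the temporary `""` string is destroyed at the end of the declaration, and the regex check and `replaceInPlace` then read freed memory. Hold the values by copy: `const std::string accessToken = form.get("access_token", "");` and likewise for `accessTokenTtl`. Separately, the comment says only alphanumeric characters while the pattern also admits `_`, the TTL is checked with the same pattern although a digits-only one (`[0-9]*`) would be tighter, and `%HOST%` is still substituted without any check. Whether handleRequest catches FileAccessDeniedException is not visible in this hunk.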
 


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp loolwsd/LOOLWSD.hpp loolwsd/loolwsd.xml.in loolwsd/Makefile.am loolwsd/Storage.cpp loolwsd/Util.hpp

2016-07-19 Thread Marco Cecchetti
 loolwsd/FileServer.hpp |2 
 loolwsd/LOOLWSD.cpp|  107 ++---
 loolwsd/LOOLWSD.hpp|   42 ---
 loolwsd/Makefile.am|4 -
 loolwsd/Storage.cpp|   45 ++--
 loolwsd/Util.hpp   |   39 +
 loolwsd/loolwsd.xml.in |1 
 7 files changed, 184 insertions(+), 56 deletions(-)

New commits:
commit 6e616b745f663898810de39141bdc65535c92601
Author: Marco Cecchetti 
Date:   Mon Jul 18 13:45:36 2016 +0200

loolwsd: SSL support can be enabled/disabled on server start

SSL support is enabled by default; it can be disabled by passing the
`--disable-ssl` switch on the command line or by setting the `ssl.enable`
property in the loolwsd.xml config file.

It is still possible to build loolwsd with no SSL support at all.

Change-Id: I00f952edc64f87f61505af44fdc2a715780dc44c
Reviewed-on: https://gerrit.libreoffice.org/27288
Reviewed-by: Jan Holesovsky 
Tested-by: Jan Holesovsky 

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 7c19e10..874db99 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -217,7 +217,7 @@ private:
 {
 HTMLForm form(request, request.stream());
 
-const auto host = (LOOLWSD::SSLEnabled ? "wss://" : "ws://") + 
(LOOLWSD::ServerName.empty() ? request.getHost() : LOOLWSD::ServerName);
+const auto host = (LOOLWSD::isSSLEnabled() ? "wss://" : "ws://") + 
(LOOLWSD::ServerName.empty() ? request.getHost() : LOOLWSD::ServerName);
 const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
getRequestPathname(request));
 
 Log::debug("Preprocessing file: " + path.toString());
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index 97851ab..ff36b76 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -10,6 +10,16 @@
 #include "LOOLWSD.hpp"
 #include "config.h"
 
+/* Default host used in the start test URI */
+#define LOOLWSD_TEST_HOST "localhost"
+
+/* Default loleaflet UI used in the start test URI */
+#define LOOLWSD_TEST_LOLEAFLET_UI "/loleaflet/" LOOLWSD_VERSION_HASH 
"/loleaflet.html"
+
+/* Default document used in the start test URI */
+#define LOOLWSD_TEST_DOCUMENT_RELATIVE_PATH "test/data/hello-world.odt"
+
+
 // This is the main source for the loolwsd program. LOOL uses several loolwsd 
processes: one main
 // parent process that listens on the TCP port and accepts connections from 
LOOL clients, and a
 // number of child processes, each which handles a viewing (editing) session 
for one document.
@@ -787,7 +797,7 @@ private:
 const std::string urlsrc = "urlsrc";
 const auto& config = Application::instance().config();
 const std::string loleafletHtml = config.getString("loleaflet_html", 
"loleaflet.html");
-const std::string uriValue = (LOOLWSD::SSLEnabled ? "https://; : 
"http://;) +
+const std::string uriValue = (LOOLWSD::isSSLEnabled() ? "https://; : 
"http://;) +
 (LOOLWSD::ServerName.empty() ? request.getHost() : 
LOOLWSD::ServerName) +
 "/loleaflet/" LOOLWSD_VERSION_HASH "/" + loleafletHtml + "?";
 
@@ -1207,6 +1217,35 @@ public:
 }
 };
 
+namespace {
+
+static inline
+ServerSocket* lcl_getServerSocket(int nClientPortNumber)
+{
+return (LOOLWSD::isSSLEnabled()) ? new 
SecureServerSocket(nClientPortNumber)
+   : new ServerSocket(nClientPortNumber);
+}
+
+static inline
+std::string lcl_getLaunchURI()
+{
+std::string aAbsTopSrcDir = 
Poco::Path(Application::instance().commandPath()).parent().toString();
+aAbsTopSrcDir = Poco::Path(aAbsTopSrcDir).absolute().toString();
+
+std::string aLaunchURI("");
+aLaunchURI += ((LOOLWSD::isSSLEnabled()) ? "https://; : "http://;);
+aLaunchURI += LOOLWSD_TEST_HOST ":";
+aLaunchURI += std::to_string(ClientPortNumber);
+aLaunchURI += LOOLWSD_TEST_LOLEAFLET_UI;
+aLaunchURI += "?file_path=file://";
+aLaunchURI += aAbsTopSrcDir;
+aLaunchURI += LOOLWSD_TEST_DOCUMENT_RELATIVE_PATH;
+
+return aLaunchURI;
+}
+
+} // anonymous namespace
+
 std::atomic LOOLWSD::NextSessionId;
 int LOOLWSD::ForKitWritePipe = -1;
 std::string LOOLWSD::Cache = LOOLWSD_CACHEDIR;
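Review bot: `lcl_getServerSocket` silently falls back to a plain `ServerSocket` when `LOOLWSD::isSSLEnabled()` is false, so on a server started with `--disable-ssl` any access tokens or admin credentials sent by clients travel in clear text with nothing in the log to show it. Emit a warning on that path, e.g. `Log::warn("SSL support is disabled; client connections are not encrypted.");`. The function also returns an owning raw pointer from `new` with no comment on who deletes it; a one-line comment naming the owner (or a `std::unique_ptr<ServerSocket>` return, if the caller allows) would make that explicit. `static inline` is redundant inside the anonymous namespace.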
@@ -1216,12 +1255,8 @@ std::string LOOLWSD::ChildRoot;
 std::string LOOLWSD::ServerName;
 std::string LOOLWSD::FileServerRoot;
 std::string LOOLWSD::LOKitVersion;
-bool LOOLWSD::SSLEnabled =
-#if ENABLE_SSL
-true;
-#else
-false;
-#endif
+Util::RuntimeCostant LOOLWSD::SSLEnabled;
+
 static std::string UnitTestLibrary;
 
 unsigned int LOOLWSD::NumPreSpawnedChildren = 0;
@@ -1279,6 +1314,7 @@ void LOOLWSD::initialize(Application& self)
 { "loleaflet_html", "loleaflet.html" },
 { "logging.color", "true" },
 { "logging.level", "trace" },
+{ "ssl.enable", "true" },
 { "ssl.cert_file_path", LOOLWSD_CONFIGDIR "/cert.pem" },
 { 

[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp loolwsd/LOOLWSD.hpp loolwsd/loolwsd.xml.in loolwsd/Makefile.am

2016-06-25 Thread Ashod Nakashian
 loolwsd/FileServer.hpp |4 ++--
 loolwsd/LOOLWSD.cpp|   41 +
 loolwsd/LOOLWSD.hpp|2 --
 loolwsd/Makefile.am|5 +++--
 loolwsd/loolwsd.xml.in |6 ++
 5 files changed, 16 insertions(+), 42 deletions(-)

New commits:
commit d281813c06eef8ac00a57ff7de70013619a4f1a1
Author: Ashod Nakashian 
Date:   Sat Jun 25 20:10:48 2016 -0400

bccu#1909 - loolwsd command line options vs. config file and package 
upgrades

Removed admin-console creds and allow-local-storage.

Change-Id: If281b6320caee5d28007063591325eb98ba8e01b
Reviewed-on: https://gerrit.libreoffice.org/26670
Reviewed-by: Ashod Nakashian 
Tested-by: Ashod Nakashian 

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 2d23a74..7c19e10 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -82,8 +82,8 @@ public:
 Log::info("Invalid JWT token, let the administrator re-login");
 }
 
-const auto user = config.getString("admin_console_username", "");
-const auto pass = config.getString("admin_console_password", "");
+const auto user = config.getString("admin_console.username", "");
+const auto pass = config.getString("admin_console.password", "");
 if (user.empty() || pass.empty())
 {
 Log::error("Admin Console credentials missing. Denying access 
until set.");
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index c48e514..8e87bde 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -854,6 +854,10 @@ public:
 }
 }
 }
+else
+{
+Log::error("Unknown resource: " + request.getURI());
+}
 }
 catch (const Exception& exc)
 {
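Review bot: `Log::error("Unknown resource: " + request.getURI())` writes the full request URI, query string included, to the log; elsewhere on this page `access_token` is carried as a query parameter, so tokens can end up in log files, and any unauthenticated client can produce error-level entries at will. Log only the path, e.g. `Log::error("Unknown resource: " + Poco::URI(request.getURI()).getPath());`, and consider a lower level. Whether the client receives an error response on this branch is not visible in the hunk. The same pattern appears in the `File [...] not found` message of the 2016-04-06 FileServer.hpp change on this page.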
@@ -1173,9 +1177,7 @@ std::string LOOLWSD::ChildRoot;
 std::string LOOLWSD::LoSubPath = "lo";
 std::string LOOLWSD::ServerName;
 std::string LOOLWSD::FileServerRoot;
-std::string LOOLWSD::AdminCreds;
 std::string LOOLWSD::LOKitVersion;
-bool LOOLWSD::AllowLocalStorage = false;
 bool LOOLWSD::SSLEnabled =
 #if ENABLE_SSL
 true;
@@ -1264,21 +1266,6 @@ void LOOLWSD::initialize(Application& self)
 AutoPtr pOverrideConfig(new AppConfigMap(_overrideSettings));
 conf.addWriteable(pOverrideConfig, PRIO_APPLICATION); // Highest priority
 
-// This overrides whatever is in the config file,
-// which forces admins to set this flag on the command-line.
-config().setBool("storage.filesystem[@allow]", AllowLocalStorage);
-
-if (!AdminCreds.empty())
-{
-// Set the Admin Console credentials, if provided.
-StringTokenizer tokens(AdminCreds, "/", 
StringTokenizer::TOK_IGNORE_EMPTY | StringTokenizer::TOK_TRIM);
-if (tokens.count() == 2)
-{
-config().setString("admin_console_username", tokens[0]);
-config().setString("admin_console_password", tokens[1]);
-}
-}
-
 // Allow UT to manipulate before using configuration values.
 UnitWSD::get().configure(config());
 
@@ -1366,15 +1353,6 @@ void LOOLWSD::defineOptions(OptionSet& optionSet)
 .repeatable(false)
 .argument("port number"));
 
-optionSet.addOption(Option("admincreds", "", "Admin 'username/password' 
used to access the admin console.")
-.required(false)
-.repeatable(false)
-.argument("credentials"));
-
-optionSet.addOption(Option("allowlocalstorage", "", "When true will allow 
highly insecure loading of files from local storage.")
-.required(false)
-.repeatable(false));
-
 optionSet.addOption(Option("override", "o", "Override any setting by 
providing fullxmlpath=value.")
 .required(false)
 .repeatable(true)
@@ -1411,10 +1389,6 @@ void LOOLWSD::handleOption(const std::string& optionName,
 DisplayVersion = true;
 else if (optionName == "port")
 ClientPortNumber = std::stoi(value);
-else if (optionName == "admincreds")
-AdminCreds = value;
-else if (optionName == "allowlocalstorage")
-AllowLocalStorage = true;
 #if ENABLE_DEBUG
 else if (optionName == "unitlib")
 UnitTestLibrary = value;
@@ -1522,18 +1496,13 @@ int LOOLWSD::main(const std::vector& 
/*args*/)
 ChildRoot += '/';
 
 if (FileServerRoot.empty())
-FileServerRoot = 
Path(Application::instance().commandPath()).parent().parent().toString();
+FileServerRoot = 
Poco::Path(Application::instance().commandPath()).parent().parent().toString();
 FileServerRoot = Poco::Path(FileServerRoot).absolute().toString();
 Log::debug("FileServerRoot: " + FileServerRoot);
 
 if (ClientPortNumber == MasterPortNumber)
 throw 

[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

2016-06-05 Thread Andras Timar
 loolwsd/FileServer.hpp |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 7e625d5f423f9e6dff825f4fe12d7ac464de6cd6
Author: Andras Timar 
Date:   Sun Jun 5 16:37:49 2016 +0200

loolwsd: respect server_name setting

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index da09978..f7462b2 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -217,7 +217,7 @@ private:
 {
 HTMLForm form(request, request.stream());
 
-const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + 
request.getHost();
+const auto host = (LOOLWSD::SSLEnabled ? "wss://" : "ws://") + 
(LOOLWSD::ServerName.empty() ? request.getHost() : LOOLWSD::ServerName);
 const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
getRequestPathname(request));
 
 Log::debug("Preprocessing file: " + path.toString());
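Review bot: The fallback `request.getHost()` on the new `host` line takes the client-supplied Host header whenever `LOOLWSD::ServerName` is empty, and `host` is later substituted for `%HOST%` in the HTML that preprocessFile serves (visible in other messages on this page) without validation. Restrict the value to the characters a host[:port] may contain before using it, or require `server_name` to be configured. At minimum record the trust boundary on that line: `// request.getHost() is the client-supplied Host header; validate before it reaches the HTML template.` preprocessFile begins and ends outside this hunk.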


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp loolwsd/loolwsd.xml.in

2016-05-11 Thread Andras Timar
 loolwsd/FileServer.hpp |4 +++-
 loolwsd/LOOLWSD.cpp|4 +++-
 loolwsd/loolwsd.xml.in |2 ++
 3 files changed, 8 insertions(+), 2 deletions(-)

New commits:
commit 2fbcbdfa87bbefc18b0bac87988a1edc73df0cbf
Author: Andras Timar 
Date:   Wed May 11 16:30:05 2016 +0200

loolwsd: enable UI customization by replacing loleaflet.html from config

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 6c64cd2..da09978 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -125,8 +125,10 @@ public:
 throw Poco::FileNotFoundException("Invalid URI request: [" + 
requestUri.toString() + "].");
 }
 
+const auto& config = Application::instance().config();
+const std::string loleafletHtml = 
config.getString("loleaflet_html", "loleaflet.html");
 const std::string endPoint = 
requestSegments[requestSegments.size() - 1];
-if (endPoint == "loleaflet.html")
+if (endPoint == loleafletHtml)
 {
 preprocessFile(request, response);
 return;
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index 3151430..6a726de 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -740,9 +740,11 @@ private:
 const std::string mediaType = "text/xml";
 const std::string action = "action";
 const std::string urlsrc = "urlsrc";
+const auto& config = Application::instance().config();
+const std::string loleafletHtml = config.getString("loleaflet_html", 
"loleaflet.html");
 const std::string uriValue = (LOOLWSD::SSLEnabled ? "https://; : 
"http://;) +
 (LOOLWSD::ServerName.empty() ? request.getHost() : 
LOOLWSD::ServerName) +
-"/loleaflet/" LOOLWSD_VERSION_HASH "/loleaflet.html?";
+"/loleaflet/" LOOLWSD_VERSION_HASH "/" + loleafletHtml + "?";
 
 InputSource inputSrc(discoveryPath);
 DOMParser parser;
diff --git a/loolwsd/loolwsd.xml.in b/loolwsd/loolwsd.xml.in
index 6bf4ce1..cb524a8 100644
--- a/loolwsd/loolwsd.xml.in
+++ b/loolwsd/loolwsd.xml.in
@@ -11,6 +11,8 @@
 
 1
 
+loleaflet.html
+
 
 


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

2016-05-04 Thread Henry Castro
 loolwsd/FileServer.hpp |2 ++
 1 file changed, 2 insertions(+)

New commits:
commit ae80052e805d304cbef6e076cfad9740c9c1f599
Author: Henry Castro 
Date:   Wed May 4 16:15:25 2016 -0400

loolwsd: add mime type svg

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index b7faf4a..c5f57f9 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -162,6 +162,8 @@ public:
 mimeType = "text/css";
 else if (fileType == "html")
 mimeType = "text/html";
+else if (fileType == "svg")
+mimeType = "image/svg+xml";
 else
 mimeType = "text/plain";
 


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

2016-04-16 Thread Ashod Nakashian
 loolwsd/FileServer.hpp |   61 +
 1 file changed, 32 insertions(+), 29 deletions(-)

New commits:
commit fe952794f0a7f04d6ae7a788e1352da00fe1159a
Author: Ashod Nakashian 
Date:   Sat Apr 16 12:26:26 2016 -0400

loolwsd: don't expose private members

Change-Id: I049c92d0ddb296058fad283fffc291348b4608b1
Reviewed-on: https://gerrit.libreoffice.org/24131
Reviewed-by: Ashod Nakashian 
Tested-by: Ashod Nakashian 

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 6338989..293e34e 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -54,6 +54,7 @@ using Poco::Util::Application;
 class FileServerRequestHandler: public HTTPRequestHandler
 {
 public:
+
 /// Evaluate if the cookie exists, and if not, ask for the credentials.
 static bool isAdminLoggedIn(HTTPServerRequest& request, 
HTTPServerResponse& response)
 {
@@ -108,35 +109,6 @@ public:
 return false;
 }
 
-void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response)
-{
-HTMLForm form(request, request.stream());
-
-std::string preprocess;
-const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + 
request.getHost();
-
-Poco::URI requestUri(request.getURI());
-requestUri.normalize(); // avoid .'s and ..'s
-const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
requestUri.getPath());
-
-Log::debug("Preprocessing file: " + path.toString());
-
-FileInputStream file(path.toString());
-StreamCopier::copyToString(file, preprocess);
-file.close();
-
-Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), 
form.get("access_token", ""));
-Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), 
form.get("access_token_ttl", ""));
-Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
-
-response.setContentType("text/html");
-response.setContentLength(preprocess.length());
-response.setChunkedTransferEncoding(false);
-
-std::ostream& ostr = response.send();
-ostr << preprocess;
-}
-
 void handleRequest(HTTPServerRequest& request, HTTPServerResponse& 
response) override
 {
 try
@@ -211,6 +183,37 @@ public:
 response.send();
 }
 }
+
+private:
+
+void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response)
+{
+HTMLForm form(request, request.stream());
+
+std::string preprocess;
+const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + 
request.getHost();
+
+Poco::URI requestUri(request.getURI());
+requestUri.normalize(); // avoid .'s and ..'s
+const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
requestUri.getPath());
+
+Log::debug("Preprocessing file: " + path.toString());
+
+FileInputStream file(path.toString());
+StreamCopier::copyToString(file, preprocess);
+file.close();
+
+Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), 
form.get("access_token", ""));
+Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), 
form.get("access_token_ttl", ""));
+Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
+
+response.setContentType("text/html");
+response.setContentLength(preprocess.length());
+response.setChunkedTransferEncoding(false);
+
+std::ostream& ostr = response.send();
+ostr << preprocess;
+}
 };
 
 class FileServer


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

2016-04-13 Thread Jan Holesovsky
 loolwsd/FileServer.hpp |   11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

New commits:
commit 7e67b388328a9a502e56c4395561564e6972ba8b
Author: Jan Holesovsky 
Date:   Wed Apr 13 13:39:33 2016 +0200

Add some paranoia...

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 06be9ec..250301b 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -111,15 +111,20 @@ public:
 
 void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response)
 {
-Poco::URI requestUri((LOOLWSD::SSLEnabled? "https": "http"), 
request.getHost(), request.getURI());
 HTMLForm form(request, request.stream());
 
 std::string preprocess;
-const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + 
requestUri.getHost() + ":" + std::to_string(requestUri.getPort());
+const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + 
request.getHost();
+
+Poco::URI requestUri(request.getURI());
+requestUri.normalize(); // avoid .'s and ..'s
 const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
requestUri.getPath());
+
 const auto wopi = form.has("WOPISrc") ?
   form.get("WOPISrc") + "?access_token=" + 
form.get("access_token","") : "";
 
+Log::debug("Preprocessing file: " + path.toString());
+
 FileInputStream file(path.toString());
 StreamCopier::copyToString(file, preprocess);
 file.close();
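Review bot: After this change `requestUri.normalize()` is the only thing keeping `path` inside `LOOLWSD::FileServerRoot` in preprocessFile; there is no check on the joined path before `FileInputStream file(path.toString())` opens it. Add the same containment test that handleRequest applies to `filepath` (2016-04-06 message on this page) so that a normalisation gap cannot expose files outside the root, and mark the normalize call as a security control, e.g. `// Security: strips . and .. segments; the result must still be checked against FileServerRoot.` The new `host` also comes straight from `request.getHost()`, a client-controlled header. The function body continues outside the hunk.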
@@ -145,6 +150,8 @@ public:
 try
 {
 Poco::URI requestUri(request.getURI());
+requestUri.normalize(); // avoid .'s and ..'s
+
 std::vector requestSegments;
 requestUri.getPathSegments(requestSegments);
 if (requestSegments.size() < 1)


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp loolwsd/LOOLWSD.hpp

2016-04-13 Thread Jan Holesovsky
 loolwsd/FileServer.hpp |4 ++--
 loolwsd/LOOLWSD.cpp|   13 +++--
 loolwsd/LOOLWSD.hpp|1 +
 3 files changed, 10 insertions(+), 8 deletions(-)

New commits:
commit 484335321ff3145b45ac4f2fc162be31eeffcf62
Author: Jan Holesovsky 
Date:   Wed Apr 13 13:08:47 2016 +0200

Introduce LOOLWSD::SSLEnabled for runtime, and allow non-SSL access via 
WOPI.

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 721768d..06be9ec 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -111,11 +111,11 @@ public:
 
 void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& 
response)
 {
-Poco::URI requestUri("https", request.getHost(), request.getURI());
+Poco::URI requestUri((LOOLWSD::SSLEnabled? "https": "http"), 
request.getHost(), request.getURI());
 HTMLForm form(request, request.stream());
 
 std::string preprocess;
-const auto host = "wss://" + requestUri.getHost() + ":" + 
std::to_string(requestUri.getPort());
+const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + 
requestUri.getHost() + ":" + std::to_string(requestUri.getPort());
 const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
requestUri.getPath());
 const auto wopi = form.has("WOPISrc") ?
   form.get("WOPISrc") + "?access_token=" + 
form.get("access_token","") : "";
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index a0fc215..6d68747 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -643,17 +643,12 @@ private:
 {
 DOMParser parser;
 DOMWriter writer;
-URI uri("http", request.getHost(), request.getURI());
 
 const std::string discoveryPath = 
Path(Application::instance().commandPath()).parent().toString() + 
"discovery.xml";
 const std::string mediaType = "text/xml";
 const std::string action = "action";
 const std::string urlsrc = "urlsrc";
-#ifdef ENABLE_SSL
-const std::string uriValue = "https://; + uri.getHost() + ":" + 
std::to_string(uri.getPort()) + "/loleaflet/dist/loleaflet.html?";
-#else
-const std::string uriValue = "http://; + uri.getHost() + ":" + 
std::to_string(uri.getPort()) + "/loleaflet/dist/loleaflet.html?";
-#endif
+const std::string uriValue = (LOOLWSD::SSLEnabled? "https://": 
"http://;) + request.getHost() + "/loleaflet/dist/loleaflet.html?";
 
 InputSource inputSrc(discoveryPath);
 AutoPtr docXML = parser.parse();
@@ -993,6 +988,12 @@ std::string LOOLWSD::LoSubPath = "lo";
 std::string LOOLWSD::FileServerRoot;
 std::string LOOLWSD::AdminCreds;
 bool LOOLWSD::AllowLocalStorage = false;
+bool LOOLWSD::SSLEnabled =
+#ifdef ENABLE_SSL
+true;
+#else
+false;
+#endif
 static std::string UnitTestLibrary;
 
 unsigned int LOOLWSD::NumPreSpawnedChildren = 0;
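Review bot: The initialiser of `LOOLWSD::SSLEnabled` tests `#ifdef ENABLE_SSL`, which is true whenever the macro is defined, including when config.h defines it as `0`; if the build system does that for non-SSL builds (not visible here), the flag would report SSL as enabled and the server would advertise `https://`/`wss://` URLs it cannot serve. Use `#if ENABLE_SSL`, which is the form the later revisions of this initialiser on this page use. The flag is also a public mutable static, so a short comment stating that it is set once at start-up would help readers.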
diff --git a/loolwsd/LOOLWSD.hpp b/loolwsd/LOOLWSD.hpp
index 105f115..4e1c127 100644
--- a/loolwsd/LOOLWSD.hpp
+++ b/loolwsd/LOOLWSD.hpp
@@ -46,6 +46,7 @@ public:
 static std::string FileServerRoot;
 static std::string AdminCreds;
 static bool AllowLocalStorage;
+static bool SSLEnabled;
 
 static
 std::string GenSessionId()


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp

2016-04-06 Thread Ashod Nakashian
 loolwsd/FileServer.hpp |   24 
 loolwsd/LOOLWSD.cpp|2 ++
 2 files changed, 18 insertions(+), 8 deletions(-)

New commits:
commit 29c9ecba2a589417b0d5757e6169ba9c7d4332ea
Author: Ashod Nakashian 
Date:   Wed Apr 6 23:38:08 2016 -0400

loolwsd: deny access to directories outside of FileServerRoot

Change-Id: Iea92982ebd5f111c946eb1b12f5dfd7602fffd70
Reviewed-on: https://gerrit.libreoffice.org/23879
Reviewed-by: Ashod Nakashian 
Tested-by: Ashod Nakashian 

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 2dbbc4c..5a79793 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -110,13 +110,14 @@ public:
 Poco::URI requestUri(request.getURI());
 std::vector requestSegments;
 requestUri.getPathSegments(requestSegments);
-
-// TODO: We might want to package all files from leaflet to some 
other dir and restrict
-// file serving to it (?)
-const std::string endPoint = 
requestSegments[requestSegments.size() - 1];
+if (requestSegments.size() < 1)
+{
+throw Poco::FileNotFoundException("Invalid file.");
+}
 
 if (request.getMethod() == HTTPRequest::HTTP_GET)
 {
+const std::string endPoint = 
requestSegments[requestSegments.size() - 1];
 if (endPoint == "admin.html" ||
 endPoint == "adminSettings.html" ||
 endPoint == "adminAnalytics.html")
@@ -125,7 +126,14 @@ public:
 throw Poco::Net::NotAuthenticatedException("Invalid 
admin login");
 }
 
-const std::string filePath = requestUri.getPath();
+const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
requestUri.getPath());
+const auto filepath = path.absolute().toString();
+if (filepath.find(LOOLWSD::FileServerRoot) != 0)
+{
+// Accessing unauthorized path.
+throw Poco::FileNotFoundException("Invalid file path.");
+}
+
 const std::size_t extPoint = endPoint.find_last_of(".");
 if (extPoint == std::string::npos)
 throw Poco::FileNotFoundException("Invalid file.");
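Review bot: The new containment test `filepath.find(LOOLWSD::FileServerRoot) != 0` is a string-prefix comparison on a path that has not been canonicalised: `Poco::Path(root, requestUri.getPath())` followed by `absolute()` does not, as far as I can tell, collapse `..` segments coming from the request path, and a prefix match also accepts a sibling directory whose name merely starts with the root's name. Normalise the URI before building the path (`requestUri.normalize();`, which the 2016-04-13 message on this page adds) and compare against the root with a trailing separator. Symbolic links under the root are not covered by either check. The enclosing handler starts and ends outside this hunk.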
@@ -142,12 +150,12 @@ public:
 mimeType = "text/plain";
 
 response.setContentType(mimeType);
-response.sendFile(LOOLWSD::FileServerRoot + 
requestUri.getPath(), mimeType);
+response.sendFile(filepath, mimeType);
 }
 }
 catch (Poco::Net::NotAuthenticatedException& exc)
 {
-Log::info ("FileServerRequestHandler::NotAuthenticated");
+Log::error("FileServerRequestHandler::NotAuthenticated");
 response.set("WWW-Authenticate", "Basic realm=\"online\"");
 response.setStatus(HTTPResponse::HTTP_UNAUTHORIZED);
 response.setContentLength(0);
@@ -155,7 +163,7 @@ public:
 }
 catch (Poco::FileNotFoundException& exc)
 {
-Log::info("FileServerRequestHandler:: File " + request.getURI() + 
" not found.");
+Log::error("FileServerRequestHandler:: File [" + request.getURI() 
+ "] not found.");
 response.setStatus(HTTPResponse::HTTP_NOT_FOUND);
 response.setContentLength(0);
 response.send();
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index 78b3915..91bbf4d 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -1219,6 +1219,8 @@ int LOOLWSD::main(const std::vector& 
/*args*/)
 
 if (FileServerRoot.empty())
 FileServerRoot = 
Path(Application::instance().commandPath()).parent().parent().toString();
+FileServerRoot = Poco::Path(FileServerRoot).absolute().toString();
+Log::debug("FileServerRoot: " + FileServerRoot);
 
 if (ClientPortNumber == MASTER_PORT_NUMBER)
 throw IncompatibleOptionsException("port");


[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp loolwsd/LOOLWSD.hpp

2016-04-06 Thread Ashod Nakashian
 loolwsd/FileServer.hpp |   14 ++
 loolwsd/LOOLWSD.cpp|   29 +++--
 loolwsd/LOOLWSD.hpp|2 +-
 3 files changed, 38 insertions(+), 7 deletions(-)

New commits:
commit 1f88aede00b2b5a48e91d3cc652cb0a9ea0770ab
Author: Ashod Nakashian 
Date:   Wed Apr 6 23:36:54 2016 -0400

loolwsd: Admin Console credentials passed on the command line

A new command-line argument, admincreds, must be provided
to set the Admin Console credentials.

The new command-line argument specifies the username
and password in the following format: username/password

If not provided, Admin Console is disabled for security
reasons. A warning is emitted at startup, and an error is
logged on every invocation of Admin Console when no
credentials are defined.

Change-Id: I348623949fd0b292f5066e4955759c708204540f
Reviewed-on: https://gerrit.libreoffice.org/23878
Reviewed-by: Ashod Nakashian 
Tested-by: Ashod Nakashian 

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 52d4429..2dbbc4c 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -72,11 +72,17 @@ public:
 Log::info("Invalid JWT token, let the administrator re-login");
 }
 
-HTTPBasicCredentials credentials(request);
+const auto user = 
Application::instance().config().getString("admin_console_username", "");
+const auto pass = 
Application::instance().config().getString("admin_console_password", "");
+if (user.empty() || pass.empty())
+{
+Log::error("Admin Console credentials missing. Denying access 
until set.");
+return false;
+}
 
-// TODO: Read username and password from config file
-if (credentials.getUsername() == "admin"
-&& credentials.getPassword() == "admin")
+HTTPBasicCredentials credentials(request);
+if (credentials.getUsername() == user &&
+credentials.getPassword() == pass)
 {
 const std::string htmlMimeType = "text/html";
 // generate and set the cookie
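Review bot: `credentials.getUsername() == user && credentials.getPassword() == pass` checks the secret with an early-exit string comparison, against a password that is kept in configuration in clear text. Prefer a comparison whose running time does not depend on where the strings differ, and consider storing a salted hash rather than the password itself. A failed attempt is also worth logging with the client address so that guessing can be detected; the failure branch is outside this hunk, so that may already happen. A marker on the `if` would record this: `// TODO: constant-time compare; store a hash instead of the cleartext password`.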
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index ef4775c..78b3915 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -963,6 +963,7 @@ std::string LOOLWSD::LoTemplate;
 std::string LOOLWSD::ChildRoot;
 std::string LOOLWSD::LoSubPath = "lo";
 std::string LOOLWSD::FileServerRoot;
+std::string LOOLWSD::AdminCreds;
 
 int LOOLWSD::NumPreSpawnedChildren = 10;
 bool LOOLWSD::DoTest = false;
@@ -977,13 +978,25 @@ LOOLWSD::~LOOLWSD()
 
 void LOOLWSD::initialize(Application& self)
 {
-// load default configuration files, if present
+// Load default configuration files, if present.
 if (loadConfiguration() == 0)
 {
-std::string configPath = LOOLWSD_CONFIGDIR "/loolwsd.xml";
+// Fallback to the default path.
+const std::string configPath = LOOLWSD_CONFIGDIR "/loolwsd.xml";
 loadConfiguration(configPath);
 }
 
+if (!AdminCreds.empty())
+{
+// Set the Admin Console credentials, if provided.
+StringTokenizer tokens(AdminCreds, "/", 
StringTokenizer::TOK_IGNORE_EMPTY | StringTokenizer::TOK_TRIM);
+if (tokens.count() == 2)
+{
+config().setString("admin_console_username", tokens[0]);
+config().setString("admin_console_password", tokens[1]);
+}
+}
+
 ServerApplication::initialize(self);
 }
 
@@ -1084,6 +1097,11 @@ void LOOLWSD::defineOptions(OptionSet& optionSet)
 .repeatable(false)
 .argument("number"));
 
+optionSet.addOption(Option("admincreds", "", "Admin 'username/password' 
used to access the admin console.")
+.required(false)
+.repeatable(false)
+.argument("directory"));
+
 optionSet.addOption(Option("test", "", "Interactive testing.")
 .required(false)
 .repeatable(false));
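Review bot: The `admincreds` option is declared with `.argument("directory")`, apparently copied from another option; the help output should read `.argument("credentials")`. Passing the password on the command line also exposes it to other local users through the process list and to shell history, so the help text should say so, or the credentials should be read from the configuration file only.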
@@ -1119,6 +1137,8 @@ void LOOLWSD::handleOption(const std::string& optionName, 
const std::string& val
 FileServerRoot = value;
 else if (optionName == "numprespawns")
 NumPreSpawnedChildren = std::stoi(value);
+else if (optionName == "admincreds")
+AdminCreds = value;
 else if (optionName == "test")
 LOOLWSD::DoTest = true;
 }
@@ -1206,6 +1226,11 @@ int LOOLWSD::main(const std::vector& 
/*args*/)
 if (LOOLWSD::DoTest)
 NumPreSpawnedChildren = 1;
 
+if (AdminCreds.empty())
+{
+Log::warn("No admin credentials set via 'admincreds' command-line 
argument. Admin Console will be disabled.");
+}
+
 const Path pipePath = Path::forDirectory(ChildRoot + Path::separator() + 
FIFO_PATH);
 if (!File(pipePath).exists() && !File(pipePath).createDirectory())
 {
diff 

[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp loolwsd/LOOLWSD.hpp

2016-03-21 Thread Pranav Kant
 loolwsd/FileServer.hpp |   19 +--
 loolwsd/LOOLWSD.cpp|   11 +++
 loolwsd/LOOLWSD.hpp|1 +
 3 files changed, 21 insertions(+), 10 deletions(-)

New commits:
commit a5f8ba44a2b9bb26ec9196a306f9f1b4d60afc79
Author: Pranav Kant 
Date:   Sun Mar 20 19:37:24 2016 +0530

loolwsd: Allow specifying custom file server root

By default, use git directory root.

Change-Id: I4ee1173c43f313de3abb1732e6a7401169896189

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 9c62e41..102ace1 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -32,6 +32,7 @@
 #include 
 
 #include "Common.hpp"
+#include "LOOLWSD.hpp"
 
 using Poco::Net::HTTPRequest;
 using Poco::Net::HTTPRequestHandler;
@@ -55,8 +56,8 @@ public:
 std::vector requestSegments;
 requestUri.getPathSegments(requestSegments);
 
-// FIXME: We might want to package all dist files from leaflet to 
some other dir (?)
-const std::string loleafletPath = 
Poco::Path(Application::instance().commandPath()).parent().parent().toString() 
+ "loleaflet";
+// TODO: We might want to package all files from leaflet to some 
other dir and restrict
+// file serving to it (?)
 const std::string endPoint = 
requestSegments[requestSegments.size() - 1];
 
 if (request.getMethod() == HTTPRequest::HTTP_GET)
@@ -79,7 +80,7 @@ public:
 Poco::Net::HTTPCookie cookie("jwt", jwtToken);
 response.addCookie(cookie);
 response.setContentType(htmlMimeType);
-response.sendFile(loleafletPath + "/debug/document/" + 
endPoint, htmlMimeType);
+response.sendFile(LOOLWSD::FileServerRoot + 
requestUri.getPath(), htmlMimeType);
 }
 else
 {
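Review bot: `LOOLWSD::FileServerRoot + requestUri.getPath()` appends the request path to the root by plain string concatenation, and no normalisation or containment check is visible before `sendFile`. The same expression is used in the `@@ -100,15 +101,13 @@` hunk, and the hunk in between removes the `requestSegments[0] == "dist"` restriction, so the set of files that can be served widens to whatever that string resolves to. Normalise the URI (`requestUri.normalize();`) and verify that the resulting absolute path lies under `FileServerRoot` before sending. With the default root described in the commit message (the git directory root), the served tree may include sources and configuration, so a narrower default directory is advisable. The handler begins and ends outside these hunks.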
@@ -87,12 +88,12 @@ public:
 throw Poco::Net::NotAuthenticatedException("Wrong 
credentials.");
 }
 }
-else if (requestSegments.size() > 1 && requestSegments[0] == 
"dist")
+else
 {
 const std::string filePath = requestUri.getPath();
 const std::size_t extPoint = endPoint.find_last_of(".");
 if (extPoint == std::string::npos)
-return;
+throw Poco::FileNotFoundException("Invalid file.");
 
 const std::string fileType = endPoint.substr(extPoint + 1);
 std::string mimeType;
@@ -100,15 +101,13 @@ public:
 mimeType = "application/javascript";
 else if (fileType == "css")
 mimeType = "text/css";
+else if (fileType == "html")
+mimeType = "text/html";
 else
 mimeType = "text/plain";
 
 response.setContentType(mimeType);
-response.sendFile(loleafletPath + request.getURI(), 
mimeType);
-}
-else
-{
-throw Poco::FileNotFoundException("");
+response.sendFile(LOOLWSD::FileServerRoot + 
requestUri.getPath(), mimeType);
 }
 }
 }
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index ba30f41..eb499cc 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -935,6 +935,7 @@ std::string LOOLWSD::SysTemplate;
 std::string LOOLWSD::LoTemplate;
 std::string LOOLWSD::ChildRoot;
 std::string LOOLWSD::LoSubPath = "lo";
+std::string LOOLWSD::FileServerRoot;
 
 int LOOLWSD::NumPreSpawnedChildren = 10;
 bool LOOLWSD::DoTest = false;
@@ -1009,6 +1010,11 @@ void LOOLWSD::defineOptions(OptionSet& optionSet)
 .repeatable(false)
 .argument("relative path"));
 
+optionSet.addOption(Option("fileserverroot", "", "Path to the directory 
that should be considered root for the file server (default: '../loleaflet/').")
+.required(false)
+.repeatable(false)
+.argument("directory"));
+
 optionSet.addOption(Option("numprespawns", "", "Number of child processes 
to keep started in advance and waiting for new clients.")
 .required(false)
 .repeatable(false)
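Review bot: The help text for `fileserverroot` states `(default: '../loleaflet/')`, while the commit message says the default is the git directory root. One of the two is wrong, and for an option that decides which files are reachable over HTTP the documented default should match the code. The assignment of the default is outside the visible hunks, so confirm which it is and correct the string accordingly.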
@@ -1045,6 +1051,8 @@ void LOOLWSD::handleOption(const std::string& optionName, 
const std::string& val
 ChildRoot = value;
 else if (optionName == "losubpath")
 LoSubPath = value;
+else if (optionName == "fileserverroot")
+FileServerRoot = value;
 else if (optionName == "numprespawns")
 NumPreSpawnedChildren = std::stoi(value);
 else if (optionName == "test")
@@ -1140,6 +1148,9 @@ int