common/Util.cpp | 28 ++++++++++++++++++++++++++++ common/Util.hpp | 8 ++++++++ configure.ac | 2 +- wsd/FileServer.cpp | 7 +++++-- 4 files changed, 42 insertions(+), 3 deletions(-)
New commits: commit eb6f500a856c000e1bc30eb6302bbdf054b02a23 Author: Andras Timar <[email protected]> Date: Fri Apr 13 12:19:32 2018 +0200 Bump version to 5.4.7.2 Change-Id: Ie32b61cab9099ff4f0df123a5a6c850fe26bf9e8 diff --git a/configure.ac b/configure.ac index 8aab94d7e..14a5a5b1a 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ AC_PREREQ([2.63]) -AC_INIT([libreoffice-online], [5.4.2.2], [[email protected]]) +AC_INIT([libreoffice-online], [5.4.7.2], [[email protected]]) LT_INIT([shared, disable-static, dlopen]) AM_INIT_AUTOMAKE([1.10 subdir-objects tar-pax -Wno-portability]) commit 18fbb1e10858013f5e3fe40254b49c9db02939c1 Author: Jan Holesovsky <[email protected]> Date: Wed Apr 4 12:36:11 2018 +0200 Sanity-check the scheme and host for frame ancestor, POCO does not do that. Change-Id: Ieea9532ccd2a11e74f370a340e68f46122469848 (cherry picked from commit c8ef63253a94a4f74cc4238d7d070f75e26bec3e) Signed-off-by: Andras Timar <[email protected]> diff --git a/common/Util.cpp b/common/Util.cpp index 803ebfb06..6d9c45f06 100644 --- a/common/Util.cpp +++ b/common/Util.cpp @@ -321,6 +321,34 @@ namespace Util static std::atomic_int counter(0); return std::to_string(Poco::Process::id()) + "/" + std::to_string(counter++); } + + bool isValidURIScheme(const std::string& scheme) + { + if (scheme.empty()) + return false; + + for (char c : scheme) + { + if (!isalpha(c)) + return false; + } + + return true; + } + + bool isValidURIHost(const std::string& host) + { + if (host.empty()) + return false; + + for (char c : host) + { + if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c !=':' && c != '[' && c != ']') + return false; + } + + return true; + } } /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/common/Util.hpp b/common/Util.hpp index d2803a425..c86b3d940 100644 --- a/common/Util.hpp +++ b/common/Util.hpp @@ -203,6 +203,14 @@ namespace Util return trimmed(std::string(s)); } + /// Check for the URI scheme validity. + /// For now just a basic sanity check, can be extended if necessary. + bool isValidURIScheme(const std::string& scheme); + + /// Check for the URI host validity. + /// For now just a basic sanity check, can be extended if necessary. + bool isValidURIHost(const std::string& host); + /// Given one or more patterns to allow, and one or more to deny, /// the match member will return true if, and only if, the subject /// matches the allowed list, but not the deny. diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index 49e36b568..8477794ea 100644 --- a/wsd/FileServer.cpp +++ b/wsd/FileServer.cpp @@ -507,9 +507,12 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco:: // Keep only the origin, reject everything else Poco::URI uriFrameAncestor(frameAncestor); - if (!frameAncestor.empty() && !uriFrameAncestor.getScheme().empty() && !uriFrameAncestor.getHost().empty()) + std::string frameAncestorScheme = uriFrameAncestor.getScheme(); + std::string frameAncestorHost = uriFrameAncestor.getHost(); + + if (!frameAncestor.empty() && Util::isValidURIScheme(frameAncestorScheme) && Util::isValidURIHost(frameAncestorHost)) { - frameAncestor = uriFrameAncestor.getScheme() + "://" + uriFrameAncestor.getHost() + ":" + std::to_string(uriFrameAncestor.getPort()); + frameAncestor = frameAncestorScheme + "://" + frameAncestorHost + ":" + std::to_string(uriFrameAncestor.getPort()); LOG_TRC("Final frame ancestor: " << frameAncestor); _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
