ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx | 16 ++++++++++++++-- ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx | 1 + ucb/source/ucp/webdav-curl/webdavcontent.cxx | 4 ++++ 3 files changed, 19 insertions(+), 2 deletions(-)
New commits: commit 0e9cea7ccdac443a51c81ce6ec3e1115a09b00be Author: Giuseppe Castagno <[email protected]> AuthorDate: Thu Aug 11 22:20:46 2016 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Mon Nov 1 18:42:36 2021 +0100 ucb: webdav-curl: Related: tdf#99499, add a limit to the number of http redirections Check for maximum number of redirections according to <https://tools.ietf.org/html/rfc7231#section-6.4>. A practical limit can be 5, due to old RFC: <https://tools.ietf.org/html/rfc2068#section-10.3>, this limit is reported also in more recent RFCs, see final paragraph of RFC7231, 6.4. [ port of commit 18009fe8fbe3982141ddca3f1fcd0900a63150a6 ] Change-Id: I3a6d1510627434cdff9e4f0af8194a8e6a33c28b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123476 Tested-by: Michael Stahl <[email protected]> Reviewed-by: Michael Stahl <[email protected]> diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx index c81d326207d1..cead9980b4a6 100644 --- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx +++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx @@ -129,6 +129,7 @@ DAVResourceAccess::DAVResourceAccess( : m_aURL( rURL ), m_xSessionFactory( rSessionFactory ), m_xContext( rContext ) +, m_nRedirectLimit( 5 ) { } @@ -140,7 +141,8 @@ DAVResourceAccess::DAVResourceAccess( const DAVResourceAccess & rOther ) m_xSession( rOther.m_xSession ), m_xSessionFactory( rOther.m_xSessionFactory ), m_xContext( rOther.m_xContext ), - m_aRedirectURIs( rOther.m_aRedirectURIs ) + m_aRedirectURIs( rOther.m_aRedirectURIs ), + m_nRedirectLimit( rOther.m_nRedirectLimit ) { } @@ -155,6 +157,7 @@ DAVResourceAccess & DAVResourceAccess::operator=( m_xSessionFactory = rOther.m_xSessionFactory; m_xContext = rOther.m_xContext; m_aRedirectURIs = rOther.m_aRedirectURIs; + m_nRedirectLimit = rOther.m_nRedirectLimit; return *this; } 
@@ -1094,7 +1097,7 @@ void DAVResourceAccess::getUserRequestHeaders( } } - +// This function member implements the control on cyclical redirections bool DAVResourceAccess::detectRedirectCycle( ::std::u16string_view const rRedirectURL) { @@ -1102,6 +1105,15 @@ bool DAVResourceAccess::detectRedirectCycle( CurlUri const aUri( rRedirectURL ); + // Check for maximum number of redirections + // according to <https://tools.ietf.org/html/rfc7231#section-6.4>. + // A practical limit may be 5, due to earlier specifications: + // <https://tools.ietf.org/html/rfc2068#section-10.3> + // it can be raised keeping in mind the added net activity. + if( static_cast< size_t >( m_nRedirectLimit ) <= m_aRedirectURIs.size() ) + return true; + + // try to detect a cyclical redirection return std::any_of(m_aRedirectURIs.begin(), m_aRedirectURIs.end(), [&aUri](const CurlUri& rUri) { return aUri == rUri; }); } diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx index 86a392e23cf1..051e53c4c8f5 100644 --- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx +++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx @@ -52,6 +52,7 @@ class DAVResourceAccess rtl::Reference< DAVSessionFactory > m_xSessionFactory; css::uno::Reference< css::uno::XComponentContext > m_xContext; std::vector<CurlUri> m_aRedirectURIs; + sal_uInt32 m_nRedirectLimit; public: DAVResourceAccess() = default; diff --git a/ucb/source/ucp/webdav-curl/webdavcontent.cxx b/ucb/source/ucp/webdav-curl/webdavcontent.cxx index 876a23b7a930..5b1fbd5635e7 100644 --- a/ucb/source/ucp/webdav-curl/webdavcontent.cxx +++ b/ucb/source/ucp/webdav-curl/webdavcontent.cxx 
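Review bot: detectRedirectCycle() now returns true for two different conditions, a repeated URI and the redirect count reaching m_nRedirectLimit, but the comment added above the function still describes only cycle detection, and the name suggests the same. The comment should state the full contract, e.g. `// Returns true if rRedirectURL must not be followed: the redirect limit is reached or the URL was already visited.`, so a caller does not report a long but acyclic chain as a loop. The limit is compared against m_aRedirectURIs.size(), so it only bounds a server-driven redirect chain per request if that vector is cleared between requests. That reset is not visible in this hunk and should be confirmed. The function body starts outside the hunk.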
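Review bot: m_nRedirectLimit is declared without a default member initializer, and the context line `DAVResourceAccess() = default;` in this hunk shows a constructor that never sets it. A default-initialized object would leave the limit indeterminate when detectRedirectCycle() reads it, and a value-initialized one would get 0, which rejects every redirect. Whether any caller default-constructs the class is not visible here. Declaring it as `sal_uInt32 m_nRedirectLimit = 5;` covers every constructor, and the `m_nRedirectLimit( 5 )` in the three-argument constructor's initializer list then becomes redundant. The class body continues outside the hunk.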
@@ -3959,6 +3959,10 @@ void Content::getResourceOptions( } } break; + // The 'DAVException::DAV_HTTP_REDIRECT' means we reached the maximum + // number of redirections, consider the resource type as UNKNOWN + // possibly a normal web site, not DAV + case DAVException::DAV_HTTP_REDIRECT: default: // leave the resource type as UNKNOWN, for now // it means this will be managed as a standard http site SAL_WARN( "ucb.ucp.webdav","OPTIONS - DAVException for URL <" << m_xIdentifier->getContentIdentifier() << ">, DAV error: "
