[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

Jan Holesovsky kendy at collabora.com
Wed Apr 13 11:45:20 UTC 2016


 loolwsd/FileServer.hpp |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

New commits:
commit 7e67b388328a9a502e56c4395561564e6972ba8b
Author: Jan Holesovsky <kendy at collabora.com>
Date:   Wed Apr 13 13:39:33 2016 +0200

    Add some paranoia...

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 06be9ec..250301b 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -111,15 +111,20 @@ public:
 
     void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& response)
     {
-        Poco::URI requestUri((LOOLWSD::SSLEnabled? "https": "http"), request.getHost(), request.getURI());
         HTMLForm form(request, request.stream());
 
         std::string preprocess;
-        const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + requestUri.getHost() + ":" + std::to_string(requestUri.getPort());
+        const auto host = (LOOLWSD::SSLEnabled? "wss://": "ws://") + request.getHost();
+
+        Poco::URI requestUri(request.getURI());
+        requestUri.normalize(); // avoid .'s and ..'s
         const auto path = Poco::Path(LOOLWSD::FileServerRoot, requestUri.getPath());
+
         const auto wopi = form.has("WOPISrc") ?
                           form.get("WOPISrc") + "?access_token=" + form.get("access_token","") : "";
 
+        Log::debug("Preprocessing file: " + path.toString());
+
         FileInputStream file(path.toString());
         StreamCopier::copyToString(file, preprocess);
         file.close();
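Review bot: `requestUri.normalize()` only rewrites dot segments syntactically, and nothing in this hunk checks that `path` still lies under `LOOLWSD::FileServerRoot` before `FileInputStream` opens it. Because `requestUri` is now built from `request.getURI()` alone it has no scheme, and as far as I can tell Poco keeps leading `..` segments when normalizing a relative URI, so the call may not remove everything the comment promises. I would reject the request explicitly after normalizing, e.g. `std::vector<std::string> segs; requestUri.getPathSegments(segs);` followed by `if (std::find(segs.begin(), segs.end(), "..") != segs.end()) throw Poco::FileNotFoundException("Invalid path");`, with the error type adjusted to whatever the caller handles. The same applies to the `normalize()` added in the second hunk (`@@ -145,6 +150,8`), whose function continues outside the hunk. Separately, `host` now comes straight from the client-supplied Host header via `request.getHost()`; where it ends up is not visible here, so it should be validated or escaped at the point of use.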
@@ -145,6 +150,8 @@ public:
         try
         {
             Poco::URI requestUri(request.getURI());
+            requestUri.normalize(); // avoid .'s and ..'s
+
             std::vector<std::string> requestSegments;
             requestUri.getPathSegments(requestSegments);
             if (requestSegments.size() < 1)

