[Libreoffice-commits] online.git: loolwsd/FileServer.hpp

Pranav Kant pranavk at collabora.co.uk
Tue Jul 19 15:25:11 UTC 2016


 loolwsd/FileServer.hpp |   18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

New commits:
commit 9b29565448806657d3b44597bba6137e72664ad5
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Tue Jul 19 20:50:43 2016 +0530

    loolwsd: security: Sanitize user input before generating HTML
    
    Change-Id: I835bc84ba197a31745cd593c22571ae9f9ad7b1a

diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 874db99..574d0b0 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -32,6 +32,7 @@
 #include <Poco/StringTokenizer.h>
 #include <Poco/URI.h>
 #include <Poco/FileStream.h>
+#include <Poco/RegularExpression.h>
 #include <Poco/StreamCopier.h>
 #include <Poco/Util/ServerApplication.h>
 #include <Poco/Util/Timer.h>
@@ -213,7 +214,7 @@ private:
         return path;
     }
 
-    void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& response)
+    void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& response) throw(Poco::FileAccessDeniedException)
     {
         HTMLForm form(request, request.stream());
 
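Review bot: The `throw(Poco::FileAccessDeniedException)` specification added to preprocessFile turns any other exception type that leaves the function into a call to std::unexpected(), which terminates the process by default. The body constructs an HTMLForm from the request and reads a file further down, and either can presumably throw other Poco exceptions, so a malformed request could bring the server down rather than yield an error response. Dynamic exception specifications are also deprecated since C++11 and removed in C++17. I would drop the specification and keep the contract as a comment above the signature, `// Throws Poco::FileAccessDeniedException when access_token or access_token_ttl contains characters outside [a-zA-Z0-9_].` The function body continues outside this hunk.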
@@ -227,8 +228,19 @@ private:
         StreamCopier::copyToString(file, preprocess);
         file.close();
 
-        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), form.get("access_token", ""));
-        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), form.get("access_token_ttl", ""));
+        const std::string& accessToken = form.get("access_token", "");
+        const std::string& accessTokenTtl = form.get("access_token_ttl", "");
+
+        // As of now only alphanumeric characters are allowed in access token
+        // Sanitize user input before replacing
+        Poco::RegularExpression re("[a-zA-Z0-9_]*", Poco::RegularExpression::RE_ANCHORED);
+        if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
+        {
+            throw Poco::FileAccessDeniedException("Invalid access token provided. Only alphanumeric and _ are allowed ");
+        }
+
+        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), accessToken);
+        Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), accessTokenTtl);
         Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
         Poco::replaceInPlace(preprocess, std::string("%VERSION%"), std::string(LOOLWSD_VERSION_HASH));
 
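Review bot: `host` is substituted for `%HOST%` directly after the validated values without an equivalent check, so if it is derived from the request (its definition is outside this hunk, to be confirmed) the same injection risk remains for that placeholder. It should be validated against a hostname pattern before the replace, or encoded for the context the template puts it in. `access_token_ttl` is presumably a numeric lifetime, so a digits-only pattern such as `[0-9]*` would be tighter than reusing the token pattern. The comment says alphanumeric only while the pattern also admits `_`; `// Only [a-zA-Z0-9_] is accepted; reject anything else before substituting into the HTML` would match the code. preprocessFile begins and ends outside this hunk.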

