[Libreoffice-commits] online.git: loolwsd/FileServer.cpp

[Pranav Kant]

 loolwsd/FileServer.cpp |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

New commits:
commit 09b33d357d1335f7657e94228a6b6a4d00762094
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Tue Nov 15 20:21:02 2016 +0530

    loolwsd: Escape access token safely, don't be too defensive
    
    Change-Id: I43cb71f418904c0b925722f4d2fe3ac1b0a351f6

diff --git a/loolwsd/FileServer.cpp b/loolwsd/FileServer.cpp
index d56824f..5c71764 100644
--- a/loolwsd/FileServer.cpp
+++ b/loolwsd/FileServer.cpp
@@ -230,15 +230,13 @@ void FileServerRequestHandler::preprocessFile(HTTPServerRequest& request, HTTPSe
     const std::string& accessToken = form.get("access_token", "");
     const std::string& accessTokenTtl = form.get("access_token_ttl", "");
 
-    // As of now only alphanumeric characters are allowed in access token
-    // Sanitize user input before replacing
-    Poco::RegularExpression re("[a-zA-Z0-9_]*", Poco::RegularExpression::RE_ANCHORED);
-    if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
-    {
-        throw Poco::FileAccessDeniedException("Invalid access token provided. Only alphanumeric and _ are allowed ");
-    }
+    // Escape bad characters in access token.
+    // This is placed directly in javascript in loleaflet.html, we need to make sure
+    // that no one can do anything nasty with their clever inputs.
+    std::string escapedAccessToken;
+    Poco::URI::encode(accessToken, "'", escapedAccessToken);
 
-    Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), accessToken);
+    Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), escapedAccessToken);
     Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), accessTokenTtl);
     Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
     Poco::replaceInPlace(preprocess, std::string("%VERSION%"), std::string(LOOLWSD_VERSION_HASH));