[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - wsd/LOOLWSD.cpp wsd/reference.txt wsd/Storage.cpp

Jan Holesovsky kendy at collabora.com
Wed Aug 2 17:02:57 UTC 2017 

 wsd/LOOLWSD.cpp   |   31 ++++++++++++++++++++++++-------
 wsd/Storage.cpp   |   12 ++++++++++++
 wsd/reference.txt |    7 ++++---
 3 files changed, 40 insertions(+), 10 deletions(-)

New commits:
commit d3a079520e531ee55ce6243e80b5a4fd400092c2
Author: Jan Holesovsky <kendy at collabora.com>
Date:   Wed Aug 2 18:55:43 2017 +0200

    [API CHANGE] Changed how the params are passed to convert-to.
    
    No need for the 'fromat=' parameter any more; use like:
    
    curl -F "data=@test.txt" https://localhost:9980/lool/convert-to/pdf
    
    Change-Id: Ic3080f821c752982f4d22b5e8043b36e6a39fff2
    Reviewed-on: https://gerrit.libreoffice.org/40693
    Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
    Tested-by: Michael Meeks <michael.meeks at collabora.com>

diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 074dc643..00eb3248 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -442,9 +442,14 @@ std::shared_ptr<ChildProcess> getNewChild_Blocks()
 class ConvertToPartHandler : public PartHandler
 {
     std::string& _filename;
+
+    /// Is it really a convert-to, ie. use an especially formed path?
+    bool _convertTo;
+
 public:
-    ConvertToPartHandler(std::string& filename)
+    ConvertToPartHandler(std::string& filename, bool convertTo = false)
         : _filename(filename)
+        , _convertTo(convertTo)
     {
     }
 
@@ -462,7 +467,8 @@ public:
         if (!params.has("filename"))
             return;
 
-        Path tempPath = Path::forDirectory(Poco::TemporaryFile::tempName() + "/");
+        Path tempPath = _convertTo? Path::forDirectory(Poco::TemporaryFile::tempName("/tmp/convert-to") + "/") :
+                                    Path::forDirectory(Poco::TemporaryFile::tempName() + "/");
         File(tempPath).createDirectories();
         // Prevent user inputting anything funny here.
         // A "filename" should always be a filename, not a path
@@ -1723,9 +1729,18 @@ private:
         }
         catch (const std::exception& exc)
         {
-            // TODO: Send back failure.
+            // Bad request.
+            std::ostringstream oss;
+            oss << "HTTP/1.1 400\r\n"
+                << "Date: " << Poco::DateTimeFormatter::format(Poco::Timestamp(), Poco::DateTimeFormat::HTTP_FORMAT) << "\r\n"
+                << "User-Agent: LOOLWSD WOPI Agent\r\n"
+                << "Content-Length: 0\r\n"
+                << "\r\n";
+            socket->send(oss.str());
+            socket->shutdown();
+
             // NOTE: Check _wsState to choose between HTTP response or WebSocket (app-level) error.
-            LOG_ERR("#" << socket->getFD() << " Exception while processing incoming request: [" <<
+            LOG_INF("#" << socket->getFD() << " Exception while processing incoming request: [" <<
                     LOOLProtocol::getAbbreviatedMessage(in) << "]: " << exc.what());
         }
 
@@ -1851,12 +1866,14 @@ private:
         auto socket = _socket.lock();
 
         StringTokenizer tokens(request.getURI(), "/?");
-        if (tokens.count() >= 3 && tokens[2] == "convert-to")
+        if (tokens.count() >= 4 && tokens[2] == "convert-to")
         {
             std::string fromPath;
-            ConvertToPartHandler handler(fromPath);
+            ConvertToPartHandler handler(fromPath, /*convertTo =*/ true);
             HTMLForm form(request, message, handler);
-            const std::string format = (form.has("format") ? form.get("format") : "");
+
+            // extract the target format from the URI
+            const std::string format = tokens[3];
 
             bool sent = false;
             if (!fromPath.empty())
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index 6df6744a..aac3b1d1 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -195,6 +195,18 @@ std::unique_ptr<StorageBase> StorageBase::create(const Poco::URI& uri, const std
         {
             return std::unique_ptr<StorageBase>(new LocalStorage(uri, jailRoot, jailPath));
         }
+        else
+        {
+            std::vector<std::string> pathSegments;
+            Poco::URI(uri).getPathSegments(pathSegments);
+
+            // guard against attempts to escape
+            if (pathSegments.size() == 4 && pathSegments[0] == "tmp" && pathSegments[1] == "convert-to" && pathSegments[2] != ".." && pathSegments[3] != "..")
+            {
+                LOG_INF("Public URI [" << uri.toString() << "] is actually a convert-to tempfile.");
+                return std::unique_ptr<StorageBase>(new LocalStorage(uri, jailRoot, jailPath));
+            }
+        }
 
         LOG_ERR("Local Storage is disabled by default. Enable in the config file or on the command-line to enable.");
     }
diff --git a/wsd/reference.txt b/wsd/reference.txt
index 5c706621..6f35c5cb 100644
--- a/wsd/reference.txt
+++ b/wsd/reference.txt
@@ -2,9 +2,10 @@ LibreOffice Online API
 =======================
 
 Document conversion:
-    - API: HTTP POST to /lool/convert-to
-        - parameters: format=<format> (see e.g. "png", "pdf" or "txt"), and the file itself in the payload
-    - example: curl -F "data=@test.txt" -F "format=pdf" https://localhost:9980/lool/convert-to
+    - API: HTTP POST to /lool/convert-to/<format>
+        - the format is e.g. "png", "pdf" or "txt"
+        - the file itself in the payload
+    - example: curl -F "data=@test.txt" https://localhost:9980/lool/convert-to/pdf
 
 WOPI Extensions
 ===============

More information about the Libreoffice-commits mailing list