[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - wsd/FileServer.cpp

Pranav Kant pranavk at collabora.co.uk
Wed May 10 12:29:30 UTC 2017


 wsd/FileServer.cpp |   46 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 14 deletions(-)

New commits:
commit 8516e96e38774443cef320f20afe69a404f20ef4
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Mon May 8 15:26:16 2017 +0530

    wsd: Use HTTP Referer and then WOPISrc for frame ancestor
    
    This is required in those setups where the document is not served from
    the same host the user is currently connected to. Use the Referer[sic]
    header to set the frame ancestors and, if it is absent, fall back to
    the WOPISrc value provided by the WOPI host.
    
    (cherry picked from commit 624fc5c5de03c730ce31fa07126097d688725d81)
    
    Change-Id: Ia63a213d10aca2df56a2884e07322c1cd8056ff8
    Reviewed-on: https://gerrit.libreoffice.org/37382
    Reviewed-by: Jan Holesovsky <kendy at collabora.com>
    Tested-by: Jan Holesovsky <kendy at collabora.com>

diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index e69d8df6..e18864c1 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -264,19 +264,9 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 {
     const auto host = ((LOOLWSD::isSSLEnabled() || LOOLWSD::isSSLTermination()) ? "wss://" : "ws://") + (LOOLWSD::ServerName.empty() ? request.getHost() : LOOLWSD::ServerName);
     const auto params = Poco::URI(request.getURI()).getQueryParameters();
-    std::string wopiDomain;
-    for (const auto& param : params)
-    {
-        if (param.first == "WOPISrc")
-        {
-            std::string wopiHost;
-            Poco::URI::decode(param.second, wopiHost);
-            wopiDomain = Poco::URI(wopiHost).getScheme() + "://" + Poco::URI(wopiHost).getHost();
-        }
-    }
+
     const auto path = Poco::Path(LOOLWSD::FileServerRoot, getRequestPathname(request));
     LOG_DBG("Preprocessing file: " << path.toString());
-
     if (!Poco::File(path).exists())
     {
         LOG_ERR("File [" << path.toString() << "] does not exist.");
@@ -360,14 +350,42 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
            << "style-src 'self' 'unsafe-inline'; "
            << "font-src 'self' data:; "
            << "img-src 'self' data:; ";
-    if (!wopiDomain.empty())
+
+    std::string frameAncestor;
+    const auto it = request.find("Referer"); // Referer[sic]
+    if (it != request.end())
+    {
+        frameAncestor = it->second;
+        LOG_TRC("Picking frame ancestor from HTTP Referer header: " << frameAncestor);
+    }
+    else // Use WOPISrc value if Referer is absent
     {
+        for (const auto& param : params)
+        {
+            if (param.first == "WOPISrc")
+            {
+                Poco::URI::decode(param.second, frameAncestor);
+                LOG_TRC("Picking frame ancestor from WOPISrc: " << frameAncestor);
+                break;
+            }
+        }
+    }
+
+    // Keep only the origin, reject everything else
+    Poco::URI uriFrameAncestor(frameAncestor);
+    if (!frameAncestor.empty() && !uriFrameAncestor.getScheme().empty() && !uriFrameAncestor.getHost().empty())
+    {
+        frameAncestor = uriFrameAncestor.getScheme() + "://" + uriFrameAncestor.getHost();
+        LOG_TRC("Final frame ancestor: " << frameAncestor);
+
         // Replaced by frame-ancestors in CSP but some oldies don't know about that
-        oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
-        cspOss << "frame-ancestors " << wopiDomain;
+        oss << "X-Frame-Options: allow-from " << frameAncestor << "\r\n";
+        cspOss << "frame-ancestors " << frameAncestor;
     }
     else
     {
+        LOG_TRC("Denied frame ancestor: " << frameAncestor);
+
         oss << "X-Frame-Options: deny\r\n";
     }
 
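Review bot: The `Referer` branch lets the requester choose the frame ancestor: a browser loading this page inside a frame normally sends the embedding page's URL as `Referer`, so whichever site frames the page gets its own origin echoed back in `frame-ancestors` and `X-Frame-Options: allow-from`, and the `deny` branch is reached only when the chosen value lacks a scheme or host. The origin derived from `Referer` (and from `WOPISrc`, which is equally request-supplied) should be compared against an operator-configured list of allowed embedding hosts before it is emitted, with `X-Frame-Options: deny` for anything not on that list; at minimum the branch deserves a comment such as `// Referer is client-controlled; only honour it for origins on the configured allow-list`. Separately, `Poco::URI uriFrameAncestor(frameAncestor);` parses a client-supplied string and Poco::URI's constructor throws on malformed input, so unless a handler outside this hunk catches it the parse should sit in a `try`/`catch` that falls through to the deny branch. The rebuilt origin also drops any port, which would presumably make an embedding host on a non-default port fail the CSP match. preprocessFile starts and ends outside this hunk.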

