[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-cd-3-1' - 2 commits - common/Util.cpp common/Util.hpp debian/changelog loolwsd.spec.in wsd/FileServer.cpp

Andras Timar andras.timar at collabora.com
Wed Apr 4 11:19:42 UTC 2018


 common/Util.cpp    |   28 ++++++++++++++++++++++++++++
 common/Util.hpp    |    8 ++++++++
 debian/changelog   |    6 ++++++
 loolwsd.spec.in    |    2 +-
 wsd/FileServer.cpp |    7 +++++--
 5 files changed, 48 insertions(+), 3 deletions(-)

New commits:
commit 173a97446a78027606f9754295799829dea466f6
Author: Andras Timar <andras.timar at collabora.com>
Date:   Wed Apr 4 13:19:18 2018 +0200

    Bump package version to 3.1.0-8
    
    Change-Id: I8f682a5ddbb42807856614a1dd8846b27c86ddb0

diff --git a/debian/changelog b/debian/changelog
index b0cfbad83..f38b68711 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+loolwsd (3.1.0-8) unstable; urgency=medium
+
+  * see the git log: http://col.la/cool31
+
+ -- Andras Timar <andras.timar at collabora.com>  Thu, 04 Apr 2018 13:00:00 +0200
+
 loolwsd (3.1.0-7) unstable; urgency=medium
 
   * see the git log: http://col.la/cool31
diff --git a/loolwsd.spec.in b/loolwsd.spec.in
index 7f789cc16..3ed6be36a 100644
--- a/loolwsd.spec.in
+++ b/loolwsd.spec.in
@@ -12,7 +12,7 @@ Name:           loolwsd%{name_suffix}
 Name:           loolwsd
 %endif
 Version:        @PACKAGE_VERSION@
-Release:        7%{?dist}
+Release:        8%{?dist}
 %if 0%{?suse_version} == 1110
 Group:          Productivity/Office/Suite
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
commit 87cef44661ad8ef57cd35dc6bc490011035581fd
Author: Jan Holesovsky <kendy at collabora.com>
Date:   Wed Apr 4 12:36:11 2018 +0200

    Sanity-check the scheme and host for frame ancestor, POCO does not do that.
    
    Change-Id: Ieea9532ccd2a11e74f370a340e68f46122469848
    (cherry picked from commit c8ef63253a94a4f74cc4238d7d070f75e26bec3e)
    Signed-off-by: Andras Timar <andras.timar at collabora.com>
    (cherry picked from commit 4527163351325befbe8032edf0829edbedbb982d)
    Signed-off-by: Andras Timar <andras.timar at collabora.com>

diff --git a/common/Util.cpp b/common/Util.cpp
index b9ca5951c..10f0f7e66 100644
--- a/common/Util.cpp
+++ b/common/Util.cpp
@@ -489,6 +489,34 @@ namespace Util
 
         return map;
     }
+
+    bool isValidURIScheme(const std::string& scheme)
+    {
+        if (scheme.empty())
+            return false;
+
+        for (char c : scheme)
+        {
+            if (!isalpha(c))
+                return false;
+        }
+
+        return true;
+    }
+
+    bool isValidURIHost(const std::string& host)
+    {
+        if (host.empty())
+            return false;
+
+        for (char c : host)
+        {
+            if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c !=':' && c != '[' && c != ']')
+                return false;
+        }
+
+        return true;
+    }
 }
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
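Review bot: `isalpha(c)` in isValidURIScheme and `isalnum(c)` in isValidURIHost receive a plain `char`, which is undefined behaviour for negative values (any byte above 0x7F where `char` is signed) and makes the result depend on the active C locale. These helpers act as an allow-list for a value that presumably comes from the request, so cast before classifying, e.g. `if (!isalpha(static_cast<unsigned char>(c)))`. Alternatively, compare against explicit ASCII ranges so that non-ASCII bytes are always rejected. The host check is also per-character only: a string made solely of `:` or `[` passes, so callers should not treat a `true` result as proof of a well-formed host.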
diff --git a/common/Util.hpp b/common/Util.hpp
index b4c59f981..d45a5e028 100644
--- a/common/Util.hpp
+++ b/common/Util.hpp
@@ -220,6 +220,14 @@ namespace Util
         return trimmed(std::string(s));
     }
 
+    /// Check for the URI scheme validity.
+    /// For now just a basic sanity check, can be extended if necessary.
+    bool isValidURIScheme(const std::string& scheme);
+
+    /// Check for the URI host validity.
+    /// For now just a basic sanity check, can be extended if necessary.
+    bool isValidURIHost(const std::string& host);
+
     /// Given one or more patterns to allow, and one or more to deny,
     /// the match member will return true if, and only if, the subject
     /// matches the allowed list, but not the deny.
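Review bot: The two doc comments do not say which characters are accepted or that the check is a character allow-list rather than a structural validation. A caller who uses these to guard a security-relevant value needs that contract to be explicit. I would extend them, e.g. `/// Returns true only for a non-empty string consisting solely of letters.` for the scheme. For the host, e.g. `/// Returns true only for a non-empty string of alphanumerics and '_', '-', '.', ':', '[', ']'; bracket pairing and label structure are not checked.`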
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index c5f258f43..c0899ce88 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -601,9 +601,12 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 
     // Keep only the origin, reject everything else
     Poco::URI uriFrameAncestor(frameAncestor);
-    if (!frameAncestor.empty() && !uriFrameAncestor.getScheme().empty() && !uriFrameAncestor.getHost().empty())
+    std::string frameAncestorScheme = uriFrameAncestor.getScheme();
+    std::string frameAncestorHost = uriFrameAncestor.getHost();
+
+    if (!frameAncestor.empty() && Util::isValidURIScheme(frameAncestorScheme) && Util::isValidURIHost(frameAncestorHost))
     {
-        frameAncestor = uriFrameAncestor.getScheme() + "://" + uriFrameAncestor.getHost() + ":" + std::to_string(uriFrameAncestor.getPort());
+        frameAncestor = frameAncestorScheme + "://" + frameAncestorHost + ":" + std::to_string(uriFrameAncestor.getPort());
 
         LOG_TRC("Final frame ancestor: " << frameAncestor);
 
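Review bot: The new condition accepts any purely alphabetic scheme, not just the ones that make sense for an embedding origin. For schemes it does not know, `uriFrameAncestor.getPort()` most likely returns 0, so the rebuilt value can become `scheme://host:0`. If only web origins are expected here, add an explicit comparison such as `(frameAncestorScheme == "http" || frameAncestorScheme == "https")` next to the `Util::isValidURIScheme` call. Separately, `Poco::URI uriFrameAncestor(frameAncestor)` is constructed before any validation, and the hunk does not show whether a parse failure is caught. preprocessFile starts and ends outside the hunk, so the branch taken when validation fails cannot be checked from here.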

