[Libreoffice-commits] online.git: Branch 'libreoffice-5-4' - 2 commits - common/Util.cpp common/Util.hpp configure.ac wsd/FileServer.cpp
Andras Timar
andras.timar at collabora.com
Fri Apr 13 10:30:52 UTC 2018
common/Util.cpp | 28 ++++++++++++++++++++++++++++
common/Util.hpp | 8 ++++++++
configure.ac | 2 +-
wsd/FileServer.cpp | 7 +++++--
4 files changed, 42 insertions(+), 3 deletions(-)
New commits:
commit eb6f500a856c000e1bc30eb6302bbdf054b02a23
Author: Andras Timar <andras.timar at collabora.com>
Date: Fri Apr 13 12:19:32 2018 +0200
Bump version to 5.4.7.2
Change-Id: Ie32b61cab9099ff4f0df123a5a6c850fe26bf9e8
diff --git a/configure.ac b/configure.ac
index 8aab94d7e..14a5a5b1a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@
AC_PREREQ([2.63])
-AC_INIT([libreoffice-online], [5.4.2.2], [libreoffice at lists.freedesktop.org])
+AC_INIT([libreoffice-online], [5.4.7.2], [libreoffice at lists.freedesktop.org])
LT_INIT([shared, disable-static, dlopen])
AM_INIT_AUTOMAKE([1.10 subdir-objects tar-pax -Wno-portability])
commit 18fbb1e10858013f5e3fe40254b49c9db02939c1
Author: Jan Holesovsky <kendy at collabora.com>
Date: Wed Apr 4 12:36:11 2018 +0200
Sanity-check the scheme and host for frame ancestor, POCO does not do that.
Change-Id: Ieea9532ccd2a11e74f370a340e68f46122469848
(cherry picked from commit c8ef63253a94a4f74cc4238d7d070f75e26bec3e)
Signed-off-by: Andras Timar <andras.timar at collabora.com>
diff --git a/common/Util.cpp b/common/Util.cpp
index 803ebfb06..6d9c45f06 100644
--- a/common/Util.cpp
+++ b/common/Util.cpp
@@ -321,6 +321,34 @@ namespace Util
static std::atomic_int counter(0);
return std::to_string(Poco::Process::id()) + "/" + std::to_string(counter++);
}
+
+ bool isValidURIScheme(const std::string& scheme)
+ {
+ if (scheme.empty())
+ return false;
+
+ for (char c : scheme)
+ {
+ if (!isalpha(c))
+ return false;
+ }
+
+ return true;
+ }
+
+ bool isValidURIHost(const std::string& host)
+ {
+ if (host.empty())
+ return false;
+
+ for (char c : host)
+ {
+ if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c !=':' && c != '[' && c != ']')
+ return false;
+ }
+
+ return true;
+ }
}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
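Review bot: `isalpha(c)` in isValidURIScheme and `isalnum(c)` in isValidURIHost receive a plain `char`, which is undefined behaviour for negative values (any byte >= 0x80 where `char` is signed), and both functions are locale-dependent. These helpers gate the scheme and host that wsd/FileServer.cpp uses to build the frame ancestor origin, so the result should not depend on libc or locale: cast first, `if (!isalpha(static_cast<unsigned char>(c)))`, and do the same for `isalnum`, or compare against explicit ASCII ranges. The host check is also purely per-character: `:`, `[` and `]` are accepted in any position and any number, so it does not confirm a well-formed IPv6 literal or that the host carries no embedded port. A short comment saying so would keep callers from reading more into a `true` result.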
diff --git a/common/Util.hpp b/common/Util.hpp
index d2803a425..c86b3d940 100644
--- a/common/Util.hpp
+++ b/common/Util.hpp
@@ -203,6 +203,14 @@ namespace Util
return trimmed(std::string(s));
}
+ /// Check for the URI scheme validity.
+ /// For now just a basic sanity check, can be extended if necessary.
+ bool isValidURIScheme(const std::string& scheme);
+
+ /// Check for the URI host validity.
+ /// For now just a basic sanity check, can be extended if necessary.
+ bool isValidURIHost(const std::string& host);
+
/// Given one or more patterns to allow, and one or more to deny,
/// the match member will return true if, and only if, the subject
/// matches the allowed list, but not the deny.
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 49e36b568..8477794ea 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -507,9 +507,12 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
// Keep only the origin, reject everything else
Poco::URI uriFrameAncestor(frameAncestor);
- if (!frameAncestor.empty() && !uriFrameAncestor.getScheme().empty() && !uriFrameAncestor.getHost().empty())
+ std::string frameAncestorScheme = uriFrameAncestor.getScheme();
+ std::string frameAncestorHost = uriFrameAncestor.getHost();
+
+ if (!frameAncestor.empty() && Util::isValidURIScheme(frameAncestorScheme) && Util::isValidURIHost(frameAncestorHost))
{
- frameAncestor = uriFrameAncestor.getScheme() + "://" + uriFrameAncestor.getHost() + ":" + std::to_string(uriFrameAncestor.getPort());
+ frameAncestor = frameAncestorScheme + "://" + frameAncestorHost + ":" + std::to_string(uriFrameAncestor.getPort());
LOG_TRC("Final frame ancestor: " << frameAncestor);