loolwsd: Escape access token safely, don't be too defensive

Change-Id: I43cb71f418904c0b925722f4d2fe3ac1b0a351f6
This commit is contained in:
Pranav Kant 2016-11-15 20:21:02 +05:30
parent 26adebfcb0
commit 09b33d357d

View file

@ -230,15 +230,13 @@ void FileServerRequestHandler::preprocessFile(HTTPServerRequest& request, HTTPSe
const std::string& accessToken = form.get("access_token", "");
const std::string& accessTokenTtl = form.get("access_token_ttl", "");
// As of now only alphanumeric characters are allowed in access token
// Sanitize user input before replacing
Poco::RegularExpression re("[a-zA-Z0-9_]*", Poco::RegularExpression::RE_ANCHORED);
if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
{
throw Poco::FileAccessDeniedException("Invalid access token provided. Only alphanumeric and _ are allowed ");
}
// Escape bad characters in access token.
// This is placed directly in javascript in loleaflet.html, we need to make sure
// that no one can do anything nasty with their clever inputs.
std::string escapedAccessToken;
Poco::URI::encode(accessToken, "'", escapedAccessToken);
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), accessToken);
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), escapedAccessToken);
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), accessTokenTtl);
Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
Poco::replaceInPlace(preprocess, std::string("%VERSION%"), std::string(LOOLWSD_VERSION_HASH));