diff --git a/loleaflet/src/map/handler/Map.FileInserter.js b/loleaflet/src/map/handler/Map.FileInserter.js
index a8a98f0ec..f6388dbb7 100644
--- a/loleaflet/src/map/handler/Map.FileInserter.js
+++ b/loleaflet/src/map/handler/Map.FileInserter.js
@@ -14,7 +14,8 @@ L.Map.FileInserter = L.Handler.extend({
 this._toInsert = {};
 var parser = document.createElement('a');
 parser.href = map.options.server;
- this._url = map.options.webserver + '/' + map.options.urlPrefix + '/insertfile';
+ this._url = map.options.webserver + '/' + map.options.urlPrefix +
+ '/' + encodeURIComponent(map.options.doc) + '/insertfile';
 },
 addHooks: function () {
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index 57ad7f90a..dd05168d5 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -472,7 +472,7 @@ private:
 return true;
 }
- else if (tokens.count() >= 3 && tokens[2] == "insertfile")
+ else if (tokens.count() >= 4 && tokens[3] == "insertfile")
 {
 Log::info("Insert file request.");
 response.set("Access-Control-Allow-Origin", "*");
@@ -488,6 +488,20 @@ private:
 const std::string formChildid(form.get("childid"));
 const std::string formName(form.get("name"));
+ // Validate the docKey
+ std::unique_lock docBrokersLock(docBrokersMutex);
+ std::string decodedUri;
+ URI::decode(tokens[2], decodedUri);
+ const auto docKey = DocumentBroker::getDocKey(DocumentBroker::sanitizeURI(decodedUri));
+ auto docBrokerIt = docBrokers.find(docKey);
+
+ // Maybe just free the client from sending childid in form ?
+ if (docBrokerIt == docBrokers.end() || docBrokerIt->second->getJailId() != formChildid)
+ {
+ throw BadRequestException("DocKey [" + docKey + "] or childid [" + formChildid + "] is invalid.");
+ }
+ docBrokersLock.unlock();
+
 // protect against attempts to inject something funny here
 if (formChildid.find('/') == std::string::npos && formName.find('/') == std::string::npos)
 {
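Review bot: The new route test `tokens.count() >= 4 && tokens[3] == "insertfile"` still matches paths that carry extra trailing segments, even though `tokens[2]` now selects the document. Unless other callers rely on longer paths, an exact match such as `tokens.count() == 4 && tokens[3] == "insertfile"` keeps the accepted URL shape as narrow as the one the client builds. The context lines also show `Access-Control-Allow-Origin: *` being set before the docKey/childid validation added further down runs, so it is worth confirming that the wildcard is still intended for an endpoint now bound to a specific document. The branch body continues outside this hunk.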
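Review bot: The `BadRequestException` message concatenates `docKey` (derived from the URL-decoded `tokens[2]`) and `formChildid` straight from the request, so wherever that text is logged or returned the caller controls part of it, including any decoded control characters. A fixed message such as `throw BadRequestException("Invalid docKey or childid in insertfile request.");` avoids that; if the values are needed for diagnosis, log them separately with non-printable characters stripped. Separately, the lock is released with a manual `unlock()` and nothing from `docBrokerIt` is retained, so the later use of `formChildid` (outside this hunk) relies on a broker that may have gone away in the meantime; scoping the lookup in its own `{ }` block with a comment stating that this is acceptable would make the intent explicit. `URI::decode` can also reject malformed percent-encoding, and whether that failure is mapped to a 400 response is not visible here.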