loolwsd: security: Sanitize user input before generating HTML
Change-Id: I835bc84ba197a31745cd593c22571ae9f9ad7b1a
This commit is contained in:
parent
6457d779da
commit
9b29565448
1 changed files with 15 additions and 3 deletions
|
@ -32,6 +32,7 @@
|
|||
#include <Poco/StringTokenizer.h>
|
||||
#include <Poco/URI.h>
|
||||
#include <Poco/FileStream.h>
|
||||
#include <Poco/RegularExpression.h>
|
||||
#include <Poco/StreamCopier.h>
|
||||
#include <Poco/Util/ServerApplication.h>
|
||||
#include <Poco/Util/Timer.h>
|
||||
|
@ -213,7 +214,7 @@ private:
|
|||
return path;
|
||||
}
|
||||
|
||||
void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& response)
|
||||
void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& response) throw(Poco::FileAccessDeniedException)
|
||||
{
|
||||
HTMLForm form(request, request.stream());
|
||||
|
||||
|
@ -227,8 +228,19 @@ private:
|
|||
StreamCopier::copyToString(file, preprocess);
|
||||
file.close();
|
||||
|
||||
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), form.get("access_token", ""));
|
||||
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), form.get("access_token_ttl", ""));
|
||||
const std::string& accessToken = form.get("access_token", "");
|
||||
const std::string& accessTokenTtl = form.get("access_token_ttl", "");
|
||||
|
||||
// As of now only alphanumeric characters are allowed in access token
|
||||
// Sanitize user input before replacing
|
||||
Poco::RegularExpression re("[a-zA-Z0-9_]*", Poco::RegularExpression::RE_ANCHORED);
|
||||
if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
|
||||
{
|
||||
throw Poco::FileAccessDeniedException("Invalid access token provided. Only alphanumeric and _ are allowed ");
|
||||
}
|
||||
|
||||
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), accessToken);
|
||||
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), accessTokenTtl);
|
||||
Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
|
||||
Poco::replaceInPlace(preprocess, std::string("%VERSION%"), std::string(LOOLWSD_VERSION_HASH));
|
||||
|
||||
|
|
Loading…
Reference in a new issue