loolwsd: security: Sanitize user input before generating HTML

Change-Id: I835bc84ba197a31745cd593c22571ae9f9ad7b1a
This commit is contained in:
Pranav Kant 2016-07-19 20:50:43 +05:30
parent 6457d779da
commit 9b29565448

View file

@ -32,6 +32,7 @@
#include <Poco/StringTokenizer.h>
#include <Poco/URI.h>
#include <Poco/FileStream.h>
#include <Poco/RegularExpression.h>
#include <Poco/StreamCopier.h>
#include <Poco/Util/ServerApplication.h>
#include <Poco/Util/Timer.h>
@ -213,7 +214,7 @@ private:
return path;
}
void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& response)
void preprocessFile(HTTPServerRequest& request, HTTPServerResponse& response) throw(Poco::FileAccessDeniedException)
{
HTMLForm form(request, request.stream());
@ -227,8 +228,19 @@ private:
StreamCopier::copyToString(file, preprocess);
file.close();
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), form.get("access_token", ""));
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), form.get("access_token_ttl", ""));
const std::string& accessToken = form.get("access_token", "");
const std::string& accessTokenTtl = form.get("access_token_ttl", "");
// As of now only alphanumeric characters are allowed in access token
// Sanitize user input before replacing
Poco::RegularExpression re("[a-zA-Z0-9_]*", Poco::RegularExpression::RE_ANCHORED);
if (!re.match(accessToken, 0, 0) || !re.match(accessTokenTtl, 0, 0))
{
throw Poco::FileAccessDeniedException("Invalid access token provided. Only alphanumeric and _ are allowed ");
}
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN%"), accessToken);
Poco::replaceInPlace(preprocess, std::string("%ACCESS_TOKEN_TTL%"), accessTokenTtl);
Poco::replaceInPlace(preprocess, std::string("%HOST%"), host);
Poco::replaceInPlace(preprocess, std::string("%VERSION%"), std::string(LOOLWSD_VERSION_HASH));