[freenet-cvs] r11290 - trunk/freenet/src/freenet/clients/http/filter

toad at freenetproject.org toad at freenetproject.org
Thu Dec 7 21:24:31 UTC 2006


Author: toad
Date: 2006-12-07 21:24:30 +0000 (Thu, 07 Dec 2006)
New Revision: 11290

Modified:
   trunk/freenet/src/freenet/clients/http/filter/FilterCallback.java
   trunk/freenet/src/freenet/clients/http/filter/GenericReadFilterCallback.java
   trunk/freenet/src/freenet/clients/http/filter/HTMLFilter.java
Log:
Allow freesites to post to plugins.
External sites can do this, after all, so it's not a great security risk.
Any dangerous operations should 1) be POSTs and 2) be confirmed via the formPassword (which isn't known to either external sites or freesite authors).

Modified: trunk/freenet/src/freenet/clients/http/filter/FilterCallback.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/filter/FilterCallback.java	2006-12-07 21:08:20 UTC (rev 11289)
+++ trunk/freenet/src/freenet/clients/http/filter/FilterCallback.java	2006-12-07 21:24:30 UTC (rev 11290)
@@ -32,7 +32,8 @@
 	 * @param method The form sending method. Normally GET or POST.
 	 * @param action The URI to send the form to.
 	 * @return The new action URI, or null if the form is not allowed.
+	 * @throws CommentException 
 	 */
-	public String processForm(String method, String action);
+	public String processForm(String method, String action) throws CommentException;
 	
 }
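Review bot: The `@throws CommentException` tag added at line 28 carries no description, so the interface never states when an implementation is expected to throw it, even though callers will catch the exception against this interface rather than a concrete callback. The implementation in this same commit documents it as being thrown when the form element could not be parsed and the user should be told; that sentence belongs on the interface too. Something like ` * @throws CommentException If the form element could not be parsed and the user should be told.` would do.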

Modified: trunk/freenet/src/freenet/clients/http/filter/GenericReadFilterCallback.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/filter/GenericReadFilterCallback.java	2006-12-07 21:08:20 UTC (rev 11289)
+++ trunk/freenet/src/freenet/clients/http/filter/GenericReadFilterCallback.java	2006-12-07 21:24:30 UTC (rev 11290)
@@ -216,13 +216,16 @@
 			cb.onText(s, type, baseURI);
 	}
 
+	static final String PLUGINS_PREFIX = "/plugins/";
+	
 	/**
 	 * Process a form.
 	 * Current strategy:
 	 * - Both POST and GET forms are allowed to /
 	 * Anything that is hazardous should be protected through formPassword.
+	 * @throws CommentException If the form element could not be parsed and the user should be told.
 	 */
-	public String processForm(String method, String action) {
+	public String processForm(String method, String action) throws CommentException {
 		if(action == null) return null;
 		method = method.toUpperCase();
 		if(!(method.equals("POST") || method.equals("GET"))) 
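Review bot: The strategy list in the Javadoc at lines 47-49 still says only forms to `/` are allowed, but after this commit the method also accepts actions under `/plugins/`, so the comment no longer describes the rule a reader needs. Add a bullet such as ` * - Both POST and GET forms are allowed to /plugins/<name>, where <name> may only contain letters, digits and dots` beneath the existing one, and the new `PLUGINS_PREFIX` constant at line 43 would benefit from a one-line comment tying it to that rule. processForm's body continues into the next hunk.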
@@ -233,6 +236,21 @@
 		// FIXME what about /queue/ /darknet/ etc?
 		if(action.equals("/")) 
 			return action;
+		try {
+			URI uri = URIPreEncoder.encodeURI(action);
+			if(uri.getScheme() != null || uri.getHost() != null || uri.getPort() != -1 || uri.getUserInfo() != null)
+				throw new CommentException("Invalid form URI had scheme, user-info, host or port");
+			String path = uri.getPath();
+			if(path.startsWith(PLUGINS_PREFIX)) {
+				String after = path.substring(PLUGINS_PREFIX.length());
+				if(after.indexOf("/../") > -1)
+					throw new CommentException("Attempt to escape directory structure");
+				if(after.matches("[A-Za-z0-9\\.]+"))
+					return uri.toASCIIString();
+			}
+		} catch (URISyntaxException e) {
+			throw new CommentException("Could not encode form URI");
+		}
 		// Otherwise disallow.
 		return null;
 	}
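Review bot: The directory-escape check at line 68 can never fire, because the pattern at line 70 already rejects any `/` in `after`, while that same pattern still accepts a segment made only of dots, so an action like `/plugins/..` appears to pass the filter and is returned unchanged at line 71 (a browser would presumably resolve it to `/`, which this method already allows, but the check does not express the intent of naming a plugin). Requiring at least one alphanumeric character, e.g. `if(!after.matches("\\.+") && after.matches("[A-Za-z0-9\\.]+"))`, closes that gap and makes lines 68-69 redundant. Note also that only `path` is inspected while `uri.toASCIIString()` still carries any query and fragment; if passing those through to the plugin is intended, a short comment saying so would help the next reader. The catch at line 74 drops `e` as the cause, presumably because CommentException has no cause constructor; if it does, pass it. processForm begins in the previous hunk.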

Modified: trunk/freenet/src/freenet/clients/http/filter/HTMLFilter.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/filter/HTMLFilter.java	2006-12-07 21:08:20 UTC (rev 11289)
+++ trunk/freenet/src/freenet/clients/http/filter/HTMLFilter.java	2006-12-07 21:24:30 UTC (rev 11290)
@@ -1570,7 +1570,13 @@
 			Hashtable hn = super.sanitizeHash(h, p, pc);
 			String method = (String) h.get("method");
 			String action = (String) h.get("action");
-			String finalAction = pc.cb.processForm(method, action);
+			String finalAction;
+			try {
+				finalAction = pc.cb.processForm(method, action);
+			} catch (CommentException e) {
+	            pc.writeAfterTag.append("<!-- ").append(HTMLEncoder.encode(e.toString())).append(" -->");
+				return null;
+			}
 			if(finalAction == null) return null;
 			hn.put("method", method);
 			hn.put("action", finalAction);
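Review bot: Line 93 is indented with spaces while every neighbouring line uses tabs, and it sits at a different visual level than the `return null;` that follows it; reindenting it with tabs keeps the block consistent. Separately, `e.toString()` writes the exception's class name into the emitted HTML comment, whereas `e.getMessage()` would give only the text written for the user, which is what the comment is meant to show. Passing the text through HTMLEncoder.encode is right, since, assuming it encodes `>`, a message cannot close the comment early. The enclosing sanitizeHash method starts before and ends after this hunk.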



