| author | Michael Meeks <michael.meeks@collabora.com> | 2018-05-13 13:35:32 +0100 |
|---|---|---|
| committer | Michael Meeks <michael.meeks@collabora.com> | 2018-05-14 12:03:17 +0100 |
| commit | 41238c5d1a9fa3f26f66252736f7986e83c389a9 (patch) | |
| tree | f18f155c33af07ed2c26ca8dc709e6e666c7551c | |
| parent | 98bb6f420b06ef4cc379481e549eca15fd17fa92 (diff) | |
Restrict convert-to to known hosts - not all insert / downloads.
Change-Id: Ief26c80bf7e9e96f3c5dce0d8739a825f6fac629
| -rw-r--r-- | wsd/LOOLWSD.cpp | 80 |
1 files changed, 44 insertions, 36 deletions
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 9f4e56405..7004cf795 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -1728,6 +1728,33 @@ public:
 StaticFileContentCache["discovery.xml"] = getDiscoveryXML();
 }
+ /// Does this address feature in the allowed hosts list.
+ bool allowPostFrom(const std::string &address)
+ {
+ static bool init = false;
+ static Util::RegexListMatcher hosts;
+ if (!init)
+ {
+ const auto& app = Poco::Util::Application::instance();
+ // Parse the host allow settings.
+ for (size_t i = 0; ; ++i)
+ {
+ const std::string path = "post_allow.host[" + std::to_string(i) + "]";
+ const auto host = app.config().getString(path, "");
+ if (!host.empty())
+ {
+ LOG_INF("Adding trusted POST_ALLOW host: [" << host << "].");
+ hosts.allow(host);
+ }
+ else if (!app.config().has(path))
+ {
+ break;
+ }
+ }
+ }
+ return hosts.match(address);
+ }
+
 private:
 /// Set the socket associated with this ResponseClient.
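Review bot: `init` is never set to true in `allowPostFrom`, so the `if (!init)` block runs on every call and keeps re-adding the configured hosts to the static `hosts` matcher and re-logging them. Adding `init = true;` after the `for` loop would make the allow-list parse once. If this handler can run on more than one thread (not visible here), the unguarded static flag and matcher would also race; building the matcher in the initializer of a function-local static would avoid that. The doc comment should also say what an empty `post_allow.host` list means, because whether `hosts.match` then denies every address depends on `Util::RegexListMatcher`, which is outside this hunk.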
@@ -1805,42 +1832,8 @@ private:
 if (!(request.find("Upgrade") != request.end() && Poco::icompare(request["Upgrade"], "websocket") == 0) && reqPathTokens.count() > 0 && reqPathTokens[0] == "lool")
 {
- // allow/deny for POST
- const auto& app = Poco::Util::Application::instance();
- Util::RegexListMatcher hosts;
- // Parse the host allow settings.
- for (size_t i = 0; ; ++i)
- {
- const std::string path = "post_allow.host[" + std::to_string(i) + "]";
- const auto host = app.config().getString(path, "");
- if (!host.empty())
- {
- LOG_INF("Adding trusted POST_ALLOW host: [" << host << "].");
- hosts.allow(host);
- }
- else if (!app.config().has(path))
- {
- break;
- }
- }
- if (!hosts.match(socket->clientAddress()))
- {
- LOG_ERR("client address DENY: " << socket->clientAddress().c_str());
-
- std::ostringstream oss;
- oss << "HTTP/1.1 403\r\n"
- << "Date: " << Poco::DateTimeFormatter::format(Poco::Timestamp(), Poco::DateTimeFormat::HTTP_FORMAT) << "\r\n"
- << "User-Agent: " << HTTP_AGENT_STRING << "\r\n"
- << "Content-Length: 0\r\n"
- << "\r\n";
- socket->send(oss.str());
- socket->shutdown();
- }
- else
- {
- // All post requests have url prefix 'lool'.
- handlePostRequest(request, message, disposition);
- }
+ // All post requests have url prefix 'lool'.
+ handlePostRequest(request, message, disposition);
 }
 else if (reqPathTokens.count() > 2 && reqPathTokens[0] == "lool" && reqPathTokens[2] == "ws" && request.find("Upgrade") != request.end() && Poco::icompare(request["Upgrade"], "websocket") == 0)
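Review bot: The dispatch branch now hands every non-websocket `lool` request to `handlePostRequest` with no address check, and nothing at the call site says where the `post_allow.host` restriction went. A comment above the call would record that, for example `// post_allow.host is enforced inside handlePostRequest, for convert-to only; other POST paths do their own checks.` Whether the other branches of `handlePostRequest` do have their own authorization cannot be seen from this hunk and should be confirmed before relying on that wording.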
@@ -2036,6 +2029,21 @@ private:
 std::string format = (form.has("format") ? form.get("format") : "");
+ if (!allowPostFrom(socket->clientAddress()))
+ {
+ LOG_ERR("client address DENY: " << socket->clientAddress().c_str());
+
+ std::ostringstream oss;
+ oss << "HTTP/1.1 403\r\n"
+ << "Date: " << Poco::DateTimeFormatter::format(Poco::Timestamp(), Poco::DateTimeFormat::HTTP_FORMAT) << "\r\n"
+ << "User-Agent: " << HTTP_AGENT_STRING << "\r\n"
+ << "Content-Length: 0\r\n"
+ << "\r\n";
+ socket->send(oss.str());
+ socket->shutdown();
+ return;
+ }
+
 // prefer what is in the URI
 if (tokens.count() > 3) format = tokens[3]; |
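Review bot: The deny check sits after `form` has already been read (`form.has("format")` on the line above), so a request from a host outside the allow-list appears to have its body parsed before the 403 is sent. Moving the `if (!allowPostFrom(socket->clientAddress()))` block to the top of the convert-to branch, ahead of the form construction, would reject such requests before any of their content is processed. The enclosing function starts and ends outside this hunk, so the exact position of the form parsing is inferred. `socket->clientAddress()` is the TCP peer, so behind a reverse proxy the allow-list matches the proxy address; a comment saying so would help whoever configures `post_allow.host`.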
