only allow a number of white listed headers according to http upload v0.5

Daniel Gultsch 2018-02-16 11:14:16 +01:00
parent 3fa205d463
commit a3f3cfa0bb
1 changed files with 15 additions and 8 deletions


@ -11,7 +11,9 @@ import java.io.OutputStream;
import java.net.HttpURLConnection; import java.net.HttpURLConnection;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
import java.util.List;
import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.HttpsURLConnection;
@ -32,12 +34,17 @@ import eu.siacs.conversations.xmpp.stanzas.IqPacket;
public class HttpUploadConnection implements Transferable { public class HttpUploadConnection implements Transferable {
private static final List<String> WHITE_LISTED_HEADERS = Arrays.asList(
"Authorization",
"Cookie",
"Expires"
);
private HttpConnectionManager mHttpConnectionManager; private HttpConnectionManager mHttpConnectionManager;
private XmppConnectionService mXmppConnectionService; private XmppConnectionService mXmppConnectionService;
private boolean canceled = false; private boolean canceled = false;
private boolean delayed = false; private boolean delayed = false;
private Account account;
private DownloadableFile file; private DownloadableFile file;
private Message message; private Message message;
private String mime; private String mime;
@ -95,7 +102,7 @@ public class HttpUploadConnection implements Transferable {
public void init(Message message, boolean delay) { public void init(Message message, boolean delay) {
this.message = message; this.message = message;
this.account = message.getConversation().getAccount(); final Account account = message.getConversation().getAccount();
this.file = mXmppConnectionService.getFileBackend().getFile(message, false); this.file = mXmppConnectionService.getFileBackend().getFile(message, false);
if (message.getEncryption() == Message.ENCRYPTION_PGP || message.getEncryption() == Message.ENCRYPTION_DECRYPTED) { if (message.getEncryption() == Message.ENCRYPTION_PGP || message.getEncryption() == Message.ENCRYPTION_DECRYPTED) {
this.mime = "application/pgp-encrypted"; this.mime = "application/pgp-encrypted";
@ -123,7 +130,7 @@ public class HttpUploadConnection implements Transferable {
this.mFileInputStream = pair.first; this.mFileInputStream = pair.first;
Jid host = account.getXmppConnection().findDiscoItemByFeature(Namespace.HTTP_UPLOAD); Jid host = account.getXmppConnection().findDiscoItemByFeature(Namespace.HTTP_UPLOAD);
IqPacket request = mXmppConnectionService.getIqGenerator().requestHttpUploadSlot(host,file,mime); IqPacket request = mXmppConnectionService.getIqGenerator().requestHttpUploadSlot(host,file,mime);
mXmppConnectionService.sendIqPacket(account, request, (account, packet) -> { mXmppConnectionService.sendIqPacket(account, request, (a, packet) -> {
if (packet.getType() == IqPacket.TYPE.RESULT) { if (packet.getType() == IqPacket.TYPE.RESULT) {
Element slot = packet.findChild("slot", Namespace.HTTP_UPLOAD); Element slot = packet.findChild("slot", Namespace.HTTP_UPLOAD);
if (slot != null) { if (slot != null) {
@ -138,10 +145,10 @@ public class HttpUploadConnection implements Transferable {
this.mPutHeaders = new HashMap<>(); this.mPutHeaders = new HashMap<>();
for(Element child : put.getChildren()) { for(Element child : put.getChildren()) {
if ("header".equals(child.getName())) { if ("header".equals(child.getName())) {
String name = child.getAttribute("name"); final String name = child.getAttribute("name");
String value = child.getContent(); final String value = child.getContent();
if (name != null && value != null && !name.trim().contains("\n") && !value.trim().contains("\n")) { if (WHITE_LISTED_HEADERS.contains(name) && value != null && !value.trim().contains("\n")) {
this.mPutHeaders.put(name.trim(),value.trim()); this.mPutHeaders.put(name,value.trim());
} }
} }
} }
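Review bot: The value check in the last hunk rejects only `\n`, so a header value from the slot response with a bare `\r` in its middle still reaches `mPutHeaders`; whether the HTTP stack rejects it later is not visible here, so the filter should cover both, e.g. `&& !value.trim().contains("\n") && !value.trim().contains("\r")`. Separately, `WHITE_LISTED_HEADERS.contains(name)` is an exact, case-sensitive match and the name is no longer trimmed, so `authorization` or a padded name is silently dropped. That fails closed, but HTTP field names are case-insensitive, so a case-insensitive comparison plus a debug log for dropped headers would make upload failures easier to diagnose. The enclosing callback starts and ends outside this hunk.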