diff options
| author | Roland Reichwein <mail@reichwein.it> | 2023-02-12 13:35:27 +0100 |
|---|---|---|
| committer | Roland Reichwein <mail@reichwein.it> | 2023-02-12 13:35:27 +0100 |
| commit | 139f0cee972ecd2928b78fdbbc0635b183b1728f (patch) | |
| tree | 16d767d2742cc37dc2c46a27ee200a3d1698d058 /whiteboard.cpp | |
| parent | b0f8b28977e59b7fbfc1ce57ee5c102b8e4e0690 (diff) | |
Validate ids, server-side
Diffstat (limited to 'whiteboard.cpp')
| -rw-r--r-- | whiteboard.cpp | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/whiteboard.cpp b/whiteboard.cpp index 5424a79..8fb5415 100644 --- a/whiteboard.cpp +++ b/whiteboard.cpp @@ -76,6 +76,8 @@ Whiteboard::Whiteboard() { } +namespace { + pt::ptree make_ptree(const std::initializer_list<std::pair<std::string, std::string>>& key_values) { pt::ptree ptree; @@ -92,6 +94,21 @@ std::string make_xml(const std::initializer_list<std::pair<std::string, std::str return Reichwein::XML::plain_xml(ptree); } +// throws on invalid id +void validate_id(const std::string& id) { + if (!id.size()) + throw std::runtime_error("Invalid id (empty)"); + + if (id.size() > 16) + throw std::runtime_error("Invalid id (size > 16)"); + + for (const auto c: id) { + if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z'))) + throw std::runtime_error("Invalid id char: "s + c); + } +} + +} // namespace class session: public std::enable_shared_from_this<session> { @@ -316,6 +333,7 @@ public: if (command == "modify") { std::string id {xml.get<std::string>("request.id")}; + validate_id(id); int baserev {xml.get<int>("request.baserev")}; if (baserev != m_storage.getRevision(id)) @@ -341,6 +359,7 @@ public: return make_xml({{"type", "modify"}, {"revision", std::to_string(m_storage.getRevision(id)) }}); } else if (command == "cursorpos") { std::string id {xml.get<std::string>("request.id")}; + validate_id(id); int pos {xml.get<int>("request.pos")}; if (m_storage.getCursorPos(id) != pos) { m_storage.setCursorPos(id, pos); @@ -349,6 +368,7 @@ public: return {}; } else if (command == "getfile") { std::string id {xml.get<std::string>("request.id")}; + validate_id(id); std::string filedata; try { @@ -369,6 +389,7 @@ public: }); } else if (command == "getpos") { std::string id {xml.get<std::string>("request.id")}; + validate_id(id); return make_xml({ {"type", "getpos"}, @@ -395,6 +416,7 @@ public: return stats_xml(); } else if (command == "pdf") { std::string id {xml.get<std::string>("request.id")}; + validate_id(id); Reichwein::Tempfile mdFilePath{".md"}; Reichwein::File::setFile(mdFilePath.getPath(), m_storage.getDocument(id)); Reichwein::Tempfile pdfFilePath{".pdf"}; |