authorClaudio Cambra <claudio.cambra@nextcloud.com>2022-10-25 16:56:53 +0300
committerClaudio Cambra <claudio.cambra@nextcloud.com>2022-10-28 13:37:26 +0300
commit8683ee08e7755e5a750f265b0387bfdfe144ea42 (patch)
tree37f023cc7f4f1e8ab4e213e3544aa92bfb920a79
parent8c37bf271174caaf44604d1645df8fdf6b0d84fe (diff)
Validate edit locally token before sending to server
Signed-off-by: Claudio Cambra <claudio.cambra@nextcloud.com>
-rw-r--r--src/gui/folderman.cpp17
1 files changed, 15 insertions, 2 deletions
diff --git a/src/gui/folderman.cpp b/src/gui/folderman.cpp
index 00818e80a..da1785897 100644
--- a/src/gui/folderman.cpp
+++ b/src/gui/folderman.cpp
@@ -1513,7 +1513,18 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
showError(accountFound, tr("Could not find a folder to sync."), relPath);
return;
}
-
+
+ // Token is an alphanumeric string 128 chars long.
+ // Ensure that is what we received and what we are sending to the server.
+ const QRegularExpression tokenRegex("^[a-zA-Z0-9]{128}$");
+ const auto regexMatch = tokenRegex.match(token);
+
+ // Means invalid token type received, be cautious with bad token
+ if(!regexMatch.hasMatch()) {
+ showError(accountFound, tr("Invalid token received."), tr("Please try again."));
+ return;
+ }
+
const auto relPathSplit = relPath.split(QLatin1Char('/'));
if (relPathSplit.size() > 0) {
Systray::instance()->createEditFileLocallyLoadingDialog(relPathSplit.last());
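Review bot: The `$` anchor in the new tokenRegex pattern still admits a token with a single trailing newline, because QRegularExpression is PCRE-based and a non-multiline `$` also matches just before a final `\n`, so a 129-character value ending in a newline passes the "128 alphanumerics" check; use `const QRegularExpression tokenRegex(QRegularExpression::anchoredPattern(QStringLiteral("[a-zA-Z0-9]{128}")));`, which wraps the pattern in `\A(?:…)\z`, or write the `\A`/`\z` anchors directly. The object could also be `static const`, since it is currently compiled on every call. Elsewhere in this function the third argument to `showError` carries `relPath` (as on the "Could not find a folder to sync." branch just above), so passing `tr("Please try again.")` in that position may be displayed as a path detail — worth confirming against the lambda's definition, which lies outside the hunk. Minor style: `if(!regexMatch.hasMatch())` drops the space after `if` that the surrounding code uses. editFileLocally begins before and continues past this hunk.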
@@ -1522,7 +1533,9 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
return;
}
- const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(token));
+ // Sanitise the token
+ const auto encodedToken = QString(QUrl::toPercentEncoding(token));
+ const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(encodedToken));
checkTokenForEditLocally->setVerb(SimpleApiJob::Verb::Post);
checkTokenForEditLocally->setBody(QByteArray{"path=/"}.append(relPath.toUtf8()));
connect(checkTokenForEditLocally, &SimpleApiJob::resultReceived, checkTokenForEditLocally, [this, folderForFile, localFilePath, showError, accountFound, relPath] (int statusCode) {