diff options
author | Christian Schneppe <christian@pix-art.de> | 2018-02-19 20:53:46 +0100 |
---|---|---|
committer | Christian Schneppe <christian@pix-art.de> | 2018-02-19 20:53:46 +0100 |
commit | 26ae6626b8f52b10030ad474d4b258ba533b26a9 (patch) | |
tree | 6710ee6f997266162d9320f3bef42a81b77e5ce0 | |
parent | 6c65bb9334673d5821ebc489287c5e6a74bdd328 (diff) |
only allow a number of white listed headers according to http upload v0.5
-rw-r--r-- | src/main/java/de/pixart/messenger/http/HttpUploadConnection.java | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java b/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java index 658230e3f..8a1d37a3f 100644 --- a/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java +++ b/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java @@ -11,7 +11,9 @@ import java.io.OutputStream; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; +import java.util.Arrays; import java.util.HashMap; +import java.util.List; import javax.net.ssl.HttpsURLConnection; @@ -32,12 +34,17 @@ import de.pixart.messenger.xmpp.stanzas.IqPacket; public class HttpUploadConnection implements Transferable { + private static final List<String> WHITE_LISTED_HEADERS = Arrays.asList( + "Authorization", + "Cookie", + "Expires" + ); + private HttpConnectionManager mHttpConnectionManager; private XmppConnectionService mXmppConnectionService; private boolean canceled = false; private boolean delayed = false; - private Account account; private DownloadableFile file; private Message message; private String mime; @@ -95,7 +102,7 @@ public class HttpUploadConnection implements Transferable { public void init(Message message, boolean delay) { this.message = message; - this.account = message.getConversation().getAccount(); + final Account account = message.getConversation().getAccount(); this.file = mXmppConnectionService.getFileBackend().getFile(message, false); if (message.getEncryption() == Message.ENCRYPTION_PGP || message.getEncryption() == Message.ENCRYPTION_DECRYPTED) { this.mime = "application/pgp-encrypted"; @@ -123,7 +130,7 @@ public class HttpUploadConnection implements Transferable { this.mFileInputStream = pair.first; Jid host = account.getXmppConnection().findDiscoItemByFeature(Namespace.HTTP_UPLOAD); IqPacket request = mXmppConnectionService.getIqGenerator().requestHttpUploadSlot(host, file, mime); - mXmppConnectionService.sendIqPacket(account, request, (account, packet) -> { + mXmppConnectionService.sendIqPacket(account, request, (a, packet) -> { if (packet.getType() == IqPacket.TYPE.RESULT) { Element slot = packet.findChild("slot", Namespace.HTTP_UPLOAD); if (slot != null) { @@ -138,10 +145,10 @@ public class HttpUploadConnection implements Transferable { this.mPutHeaders = new HashMap<>(); for (Element child : put.getChildren()) { if ("header".equals(child.getName())) { - String name = child.getAttribute("name"); - String value = child.getContent(); - if (name != null && value != null && !name.trim().contains("\n") && !value.trim().contains("\n")) { - this.mPutHeaders.put(name.trim(), value.trim()); + final String name = child.getAttribute("name"); + final String value = child.getContent(); + if (WHITE_LISTED_HEADERS.contains(name) && value != null && !value.trim().contains("\n")) { + this.mPutHeaders.put(name, value.trim()); } } } |