authorChristian Schneppe <christian@pix-art.de>2018-02-19 20:53:46 +0100
committerChristian Schneppe <christian@pix-art.de>2018-02-19 20:53:46 +0100
commit26ae6626b8f52b10030ad474d4b258ba533b26a9 (patch)
tree6710ee6f997266162d9320f3bef42a81b77e5ce0
parent6c65bb9334673d5821ebc489287c5e6a74bdd328 (diff)
only allow a number of white listed headers according to http upload v0.5
-rw-r--r--src/main/java/de/pixart/messenger/http/HttpUploadConnection.java21
1 files changed, 14 insertions, 7 deletions
diff --git a/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java b/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java
index 658230e3f..8a1d37a3f 100644
--- a/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java
+++ b/src/main/java/de/pixart/messenger/http/HttpUploadConnection.java
@@ -11,7 +11,9 @@ import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
+import java.util.Arrays;
import java.util.HashMap;
+import java.util.List;
import javax.net.ssl.HttpsURLConnection;
@@ -32,12 +34,17 @@ import de.pixart.messenger.xmpp.stanzas.IqPacket;
public class HttpUploadConnection implements Transferable {
+ private static final List<String> WHITE_LISTED_HEADERS = Arrays.asList(
+ "Authorization",
+ "Cookie",
+ "Expires"
+ );
+
private HttpConnectionManager mHttpConnectionManager;
private XmppConnectionService mXmppConnectionService;
private boolean canceled = false;
private boolean delayed = false;
- private Account account;
private DownloadableFile file;
private Message message;
private String mime;
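Review bot: `WHITE_LISTED_HEADERS` is later matched with `List.contains`, which compares exact case, while HTTP field names are case-insensitive; a slot response carrying `authorization` or `cookie` would have the header dropped silently, and the upload would presumably then fail at the PUT. Consider storing the names lower-cased and looking up `name.toLowerCase(Locale.ROOT)` (with a null check on `name`), or at least state the behaviour on the constant with a comment such as `// XEP-0363 v0.5 allow-list; matched case-sensitively, every other slot header is dropped`. `Arrays.asList` also returns a list whose elements can still be replaced through `set`, so wrapping it in `Collections.unmodifiableList(...)` keeps the allow-list fixed for the lifetime of the class.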
@@ -95,7 +102,7 @@ public class HttpUploadConnection implements Transferable {
public void init(Message message, boolean delay) {
this.message = message;
- this.account = message.getConversation().getAccount();
+ final Account account = message.getConversation().getAccount();
this.file = mXmppConnectionService.getFileBackend().getFile(message, false);
if (message.getEncryption() == Message.ENCRYPTION_PGP || message.getEncryption() == Message.ENCRYPTION_DECRYPTED) {
this.mime = "application/pgp-encrypted";
@@ -123,7 +130,7 @@ public class HttpUploadConnection implements Transferable {
this.mFileInputStream = pair.first;
Jid host = account.getXmppConnection().findDiscoItemByFeature(Namespace.HTTP_UPLOAD);
IqPacket request = mXmppConnectionService.getIqGenerator().requestHttpUploadSlot(host, file, mime);
- mXmppConnectionService.sendIqPacket(account, request, (account, packet) -> {
+ mXmppConnectionService.sendIqPacket(account, request, (a, packet) -> {
if (packet.getType() == IqPacket.TYPE.RESULT) {
Element slot = packet.findChild("slot", Namespace.HTTP_UPLOAD);
if (slot != null) {
@@ -138,10 +145,10 @@ public class HttpUploadConnection implements Transferable {
this.mPutHeaders = new HashMap<>();
for (Element child : put.getChildren()) {
if ("header".equals(child.getName())) {
- String name = child.getAttribute("name");
- String value = child.getContent();
- if (name != null && value != null && !name.trim().contains("\n") && !value.trim().contains("\n")) {
- this.mPutHeaders.put(name.trim(), value.trim());
+ final String name = child.getAttribute("name");
+ final String value = child.getContent();
+ if (WHITE_LISTED_HEADERS.contains(name) && value != null && !value.trim().contains("\n")) {
+ this.mPutHeaders.put(name, value.trim());
}
}
}
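Review bot: The value check in the added `if` rejects only `\n`, so a value with an embedded `\r` still reaches `mPutHeaders`. The slot response is supplied by the remote upload component and should be treated as untrusted, so reject both characters, e.g. `&& !value.trim().contains("\n") && !value.trim().contains("\r")`. Whether the HTTP stack refuses such values on its own is not visible in this hunk, so the check should not rely on it. The name is no longer trimmed before the lookup, which fails closed, but the drop is silent; a debug log line when a header is rejected would make failed uploads easier to diagnose. The enclosing IQ callback starts and ends outside this hunk.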