mirrors/nextcloud-desktop
1
0
Fork 0
mirror of https://github.com/nextcloud/desktop.git synced 2024-11-26 15:06:08 +03:00
Code Issues Projects Releases Packages Wiki Activity

Validate edit locally token before sending to server

Browse source 
Signed-off-by: Claudio Cambra <claudio.cambra@nextcloud.com>
This commit is contained in:
Claudio Cambra 2022-10-25 15:56:53 +02:00
parent 8c37bf2711
commit 8683ee08e7
No known key found for this signature in database
GPG key ID: C839200C384636B0
1 changed files with 15 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
src/gui/folderman.cpp
View file

@ -1513,7 +1513,18 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
showError(accountFound, tr("Could not find a folder to sync."), relPath); showError(accountFound, tr("Could not find a folder to sync."), relPath);
return; return;
} }
// Token is an alphanumeric string 128 chars long.
// Ensure that is what we received and what we are sending to the server.
const QRegularExpression tokenRegex("^[a-zA-Z0-9]{128}$");
const auto regexMatch = tokenRegex.match(token);
// Means invalid token type received, be cautious with bad token
if(!regexMatch.hasMatch()) {
showError(accountFound, tr("Invalid token received."), tr("Please try again."));
return;
}
const auto relPathSplit = relPath.split(QLatin1Char('/')); const auto relPathSplit = relPath.split(QLatin1Char('/'));
if (relPathSplit.size() > 0) { if (relPathSplit.size() > 0) {
Systray::instance()->createEditFileLocallyLoadingDialog(relPathSplit.last()); Systray::instance()->createEditFileLocallyLoadingDialog(relPathSplit.last());
@ -1522,7 +1533,9 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
return; return;
} }
const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(token)); // Sanitise the token
const auto encodedToken = QString(QUrl::toPercentEncoding(token));
const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(encodedToken));
checkTokenForEditLocally->setVerb(SimpleApiJob::Verb::Post); checkTokenForEditLocally->setVerb(SimpleApiJob::Verb::Post);
checkTokenForEditLocally->setBody(QByteArray{"path=/"}.append(relPath.toUtf8())); checkTokenForEditLocally->setBody(QByteArray{"path=/"}.append(relPath.toUtf8()));
connect(checkTokenForEditLocally, &SimpleApiJob::resultReceived, checkTokenForEditLocally, [this, folderForFile, localFilePath, showError, accountFound, relPath] (int statusCode) { connect(checkTokenForEditLocally, &SimpleApiJob::resultReceived, checkTokenForEditLocally, [this, folderForFile, localFilePath, showError, accountFound, relPath] (int statusCode) {