authorJorge Arellano Cid <jcid@dillo.org>2009-07-16 22:01:20 -0400
committerJorge Arellano Cid <jcid@dillo.org>2009-07-16 22:01:20 -0400
commit26b1a102575efb7f812f4b0c16ccdfbffe0085b3 (patch)
treea0127169102ac5f61e546dd1d280acdb349400eb
parentc5440a6b044de78bee086d2527cd067ea99f546b (diff)
Verify dpi URLs for instant redirects.
-rw-r--r--src/capi.c22
-rw-r--r--src/capi.h1
-rw-r--r--src/html.cc3
3 files changed, 14 insertions, 12 deletions
diff --git a/src/capi.c b/src/capi.c
index ca5210ec..e857127f 100644
--- a/src/capi.c
+++ b/src/capi.c
@@ -200,19 +200,19 @@ void a_Capi_conn_abort_by_url(const DilloUrl *url)
/* ------------------------------------------------------------------------- */
/*
- * Safety test: only allow dpi-urls from dpi-generated pages.
+ * Safety test: only allow GET|POST dpi-urls from dpi-generated pages.
*/
-static int Capi_dpi_verify_request(DilloWeb *web)
+int a_Capi_dpi_verify_request(BrowserWindow *bw, DilloUrl *url)
{
DilloUrl *referer;
int allow = FALSE;
/* test POST and GET */
- if (dStrcasecmp(URL_SCHEME(web->url), "dpi") == 0 &&
- URL_FLAGS(web->url) & (URL_Post + URL_Get)) {
+ if (dStrcasecmp(URL_SCHEME(url), "dpi") == 0 &&
+ URL_FLAGS(url) & (URL_Post + URL_Get)) {
/* only allow dpi requests from dpi-generated urls */
- if (a_Nav_stack_size(web->bw)) {
- referer = a_History_get_url(NAV_TOP_UIDX(web->bw));
+ if (a_Nav_stack_size(bw)) {
+ referer = a_History_get_url(NAV_TOP_UIDX(bw));
if (dStrcasecmp(URL_SCHEME(referer), "dpi") == 0) {
allow = TRUE;
}
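Review bot: The referer for this safety test is read from the top of the window's navigation stack (`a_History_get_url(NAV_TOP_UIDX(bw))`), not from the document that actually issued the request. Now that the function is exported and called from the HTML parser in src/html.cc, it is worth confirming that the stack top is already the page being parsed at that moment; if it can still be the previous page, a dpi page the user has just left would vouch for the next document. I would record the assumption in the header comment, e.g. `* Assumes the nav-stack top is the document that issued 'url'.`. The function only reads the URL in the lines shown, so the parameter could probably be `const DilloUrl *url` here and in the src/capi.h prototype, matching the neighbouring declarations. The function body continues past the end of this hunk.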
@@ -222,10 +222,10 @@ static int Capi_dpi_verify_request(DilloWeb *web)
}
if (!allow) {
- MSG("Capi_dpi_verify_request: Permission Denied!\n");
- MSG(" URL_STR : %s\n", URL_STR(web->url));
- if (URL_FLAGS(web->url) & URL_Post) {
- MSG(" URL_DATA: %s\n", dStr_printable(URL_DATA(web->url), 1024));
+ MSG("a_Capi_dpi_verify_request: Permission Denied!\n");
+ MSG(" URL_STR : %s\n", URL_STR(url));
+ if (URL_FLAGS(url) & URL_Post) {
+ MSG(" URL_DATA: %s\n", dStr_printable(URL_DATA(url), 1024));
}
}
return allow;
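Review bot: The denial path prints `URL_STR(url)` unbounded and unfiltered, while the POST body on the next lines goes through `dStr_printable(..., 1024)`. With the new caller in src/html.cc, the refused URL can come straight from a page's meta refresh, so the same care should apply to it. The simplest change is a length cap, `MSG(" URL_STR : %.1024s\n", URL_STR(url));`. Whether a_Url_new already escapes control characters in the string is not visible here and should be checked. The logged `URL_DATA` may also hold submitted form fields, so consider whether the console is an acceptable place for it. The function starts above this hunk.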
@@ -344,7 +344,7 @@ int a_Capi_open_url(DilloWeb *web, CA_Callback_t Call, void *CbData)
} else if (Capi_url_uses_dpi(web->url, &server)) {
/* dpi request */
- if ((safe = Capi_dpi_verify_request(web))) {
+ if ((safe = a_Capi_dpi_verify_request(web->bw, web->url))) {
if (dStrcasecmp(scheme, "dpi") == 0) {
/* make "dpi:/" prefixed urls always reload. */
a_Url_set_flags(web->url, URL_FLAGS(web->url) | URL_E2EQuery);
diff --git a/src/capi.h b/src/capi.h
index 94a8d1c4..45df8f64 100644
--- a/src/capi.h
+++ b/src/capi.h
@@ -30,6 +30,7 @@ const char *a_Capi_set_content_type(const DilloUrl *url, const char *ctype,
const char *from);
int a_Capi_get_flags(const DilloUrl *Url);
int a_Capi_get_flags_with_redirection(const DilloUrl *Url);
+int a_Capi_dpi_verify_request(BrowserWindow *bw, DilloUrl *url);
int a_Capi_dpi_send_cmd(DilloUrl *url, void *bw, char *cmd, char *server,
int flags);
void a_Capi_stop_client(int Key, int force);
diff --git a/src/html.cc b/src/html.cc
index 68465b08..abb3c416 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -2831,7 +2831,8 @@ static void Html_tag_open_meta(DilloHtml *html, const char *tag, int tagsize)
/* zero-delay redirection */
html->stop_parser = true;
DilloUrl *new_url = a_Url_new(mr_url, URL_STR(html->base_url));
- a_UIcmd_redirection0((void*)html->bw, new_url);
+ if (a_Capi_dpi_verify_request(html->bw, new_url))
+ a_UIcmd_redirection0((void*)html->bw, new_url);
a_Url_free(new_url);
} else {
/* Send a custom HTML message.
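Review bot: The new guard can only refuse a redirect whose URL carries `URL_Post` or `URL_Get`, because that is what a_Capi_dpi_verify_request tests in src/capi.c, and whether a URL built here by `a_Url_new(mr_url, ...)` ever has either flag set is not visible in this diff. If it does not, the result is decided by the part of the verifier that falls between the two capi.c hunks and is not shown, so confirm with a test page that a zero-delay `dpi:` target with a query string is actually rejected. Separately, `html->stop_parser = true` is set before the check, so a refused redirect leaves the page unparsed with no message to the user. If that is intended, say so in a comment such as `/* a refused redirect still stops the parser */`. I would also put braces around the new `if` body. Html_tag_open_meta starts and ends outside this hunk.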