changeset 1233:4741a93c3473

Verify dpi URLs for instant redirects.
author Jorge Arellano Cid <jcid@dillo.org>
date Thu, 16 Jul 2009 22:01:20 -0400
parents d598ecc970c6
children 938249c22d26
files src/capi.c src/capi.h src/html.cc
diffstat 3 files changed, 14 insertions(+), 12 deletions(-) [+]
--- a/src/capi.c	Thu Jul 16 20:35:56 2009 -0400
+++ b/src/capi.c	Thu Jul 16 22:01:20 2009 -0400
@@ -200,19 +200,19 @@
 /* ------------------------------------------------------------------------- */
 
 /*
- * Safety test: only allow dpi-urls from dpi-generated pages.
+ * Safety test: only allow GET|POST dpi-urls from dpi-generated pages.
  */
-static int Capi_dpi_verify_request(DilloWeb *web)
+int a_Capi_dpi_verify_request(BrowserWindow *bw, DilloUrl *url)
 {
    DilloUrl *referer;
    int allow = FALSE;
 
    /* test POST and GET */
-   if (dStrcasecmp(URL_SCHEME(web->url), "dpi") == 0 &&
-       URL_FLAGS(web->url) & (URL_Post + URL_Get)) {
+   if (dStrcasecmp(URL_SCHEME(url), "dpi") == 0 &&
+       URL_FLAGS(url) & (URL_Post + URL_Get)) {
       /* only allow dpi requests from dpi-generated urls */
-      if (a_Nav_stack_size(web->bw)) {
-         referer = a_History_get_url(NAV_TOP_UIDX(web->bw));
+      if (a_Nav_stack_size(bw)) {
+         referer = a_History_get_url(NAV_TOP_UIDX(bw));
          if (dStrcasecmp(URL_SCHEME(referer), "dpi") == 0) {
             allow = TRUE;
          }
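Review bot: The referer this check trusts is whatever sits at the top of `bw`'s navigation stack (`a_History_get_url(NAV_TOP_UIDX(bw))`), not the page that actually issued the request, and now that the function is exported that assumption is no longer local to capi.c. A caller that runs before the requesting document is on the stack would be judged against the previous page, so the contract should be stated in the header comment, e.g. `* The referer is the URL at the top of bw's nav stack; call only once the requesting page is there.` The result of `a_History_get_url()` is also passed straight to `URL_SCHEME(referer)` without a NULL test; whether it can return NULL is not visible here. The function body continues past this hunk, so the branch taken for non-matching URLs is not shown.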
@@ -222,10 +222,10 @@
    }
 
    if (!allow) {
-      MSG("Capi_dpi_verify_request: Permission Denied!\n");
-      MSG("  URL_STR : %s\n", URL_STR(web->url));
-      if (URL_FLAGS(web->url) & URL_Post) {
-         MSG("  URL_DATA: %s\n", dStr_printable(URL_DATA(web->url), 1024));
+      MSG("a_Capi_dpi_verify_request: Permission Denied!\n");
+      MSG("  URL_STR : %s\n", URL_STR(url));
+      if (URL_FLAGS(url) & URL_Post) {
+         MSG("  URL_DATA: %s\n", dStr_printable(URL_DATA(url), 1024));
       }
    }
    return allow;
@@ -344,7 +344,7 @@
 
    } else if (Capi_url_uses_dpi(web->url, &server)) {
       /* dpi request */
-      if ((safe = Capi_dpi_verify_request(web))) {
+      if ((safe = a_Capi_dpi_verify_request(web->bw, web->url))) {
          if (dStrcasecmp(scheme, "dpi") == 0) {
             /* make "dpi:/" prefixed urls always reload. */
             a_Url_set_flags(web->url, URL_FLAGS(web->url) | URL_E2EQuery);
--- a/src/capi.h	Thu Jul 16 20:35:56 2009 -0400
+++ b/src/capi.h	Thu Jul 16 22:01:20 2009 -0400
@@ -30,6 +30,7 @@
                                     const char *from);
 int a_Capi_get_flags(const DilloUrl *Url);
 int a_Capi_get_flags_with_redirection(const DilloUrl *Url);
+int a_Capi_dpi_verify_request(BrowserWindow *bw, DilloUrl *url);
 int a_Capi_dpi_send_cmd(DilloUrl *url, void *bw, char *cmd, char *server,
                          int flags);
 void a_Capi_stop_client(int Key, int force);
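Review bot: The new prototype takes `DilloUrl *url` although the two declarations directly above it take `const DilloUrl *Url`, and the body shown in capi.c only reads the URL. Declaring it as `int a_Capi_dpi_verify_request(BrowserWindow *bw, const DilloUrl *url);` (with the same change in capi.c) would keep the header consistent and let callers pass const URLs, assuming the `URL_*` accessor macros accept a const pointer. Since this is now public API, a one-line comment saying it returns non-zero when the request is allowed would also help.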
--- a/src/html.cc	Thu Jul 16 20:35:56 2009 -0400
+++ b/src/html.cc	Thu Jul 16 22:01:20 2009 -0400
@@ -2831,7 +2831,8 @@
             /* zero-delay redirection */
             html->stop_parser = true;
             DilloUrl *new_url = a_Url_new(mr_url, URL_STR(html->base_url));
-            a_UIcmd_redirection0((void*)html->bw, new_url);
+            if (a_Capi_dpi_verify_request(html->bw, new_url))
+               a_UIcmd_redirection0((void*)html->bw, new_url);
             a_Url_free(new_url);
          } else {
             /* Send a custom HTML message.
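Review bot: `new_url` is handed to `a_Capi_dpi_verify_request()` straight after `a_Url_new()`, and the verifier in capi.c only restricts dpi URLs whose flags contain `URL_Post` or `URL_Get`. Nothing in this hunk sets those flags, so unless `a_Url_new()` derives them itself (not visible here), a refresh target carrying a query string may pass the guard unchecked. This is worth confirming and recording at the call, e.g. `/* NOTE: confirm a_Url_new() sets URL_Get for query URLs, otherwise this check never triggers */`. Separately, `html->stop_parser = true` is set before the test, so a refused redirect leaves a truncated page with only a console message, and the new `if` should be braced.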