mediaapi/writers/download: Allow only media IDs matching [A-Za-z0-9_=-]+

This commit is contained in:
Robert Swain 2017-05-26 14:42:51 +02:00
parent 0affdae889
commit 4dfbae81cd


@ -16,7 +16,9 @@ package writers
import ( import (
"encoding/json" "encoding/json"
"fmt"
"net/http" "net/http"
"regexp"
log "github.com/Sirupsen/logrus" log "github.com/Sirupsen/logrus"
"github.com/matrix-org/dendrite/clientapi/jsonerror" "github.com/matrix-org/dendrite/clientapi/jsonerror"
@ -26,6 +28,11 @@ import (
"github.com/matrix-org/util" "github.com/matrix-org/util"
) )
const mediaIDCharacters = "A-Za-z0-9_=-"
// Note: unfortunately regex.MustCompile() cannot be assigned to a const
var mediaIDRegex = regexp.MustCompile("[" + mediaIDCharacters + "]+")
// downloadRequest metadata included in or derivable from an download request // downloadRequest metadata included in or derivable from an download request
// https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid // https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid
type downloadRequest struct { type downloadRequest struct {
@ -78,11 +85,10 @@ func (r *downloadRequest) jsonErrorResponse(w http.ResponseWriter, res util.JSON
// Validate validates the downloadRequest fields // Validate validates the downloadRequest fields
func (r *downloadRequest) Validate() *util.JSONResponse { func (r *downloadRequest) Validate() *util.JSONResponse {
// maybe give the URL pattern in the routing, these are not even possible as the handler would not be hit...? if mediaIDRegex.MatchString(string(r.MediaMetadata.MediaID)) == false {
if r.MediaMetadata.MediaID == "" {
return &util.JSONResponse{ return &util.JSONResponse{
Code: 404, Code: 404,
JSON: jsonerror.NotFound("mediaId must be a non-empty string"), JSON: jsonerror.NotFound(fmt.Sprintf("mediaId must be a non-empty string using only characters in %v", mediaIDCharacters)),
} }
} }
if r.MediaMetadata.Origin == "" { if r.MediaMetadata.Origin == "" {