Ticket #12710: BPackageInfo-urlvalidation-2.diff

src/kits/package/PackageInfoParser.cpp

@@ -1 +1 @@
 /*
  * Copyright 2011, Oliver Tappe <zooey@hirschkaefer.de>
+ * Copyright 2016, Andrew Lindesay <apl@lindesay.co.nz>
  * Distributed under the terms of the MIT License.
  */
 
@@ -508 +509 @@
 
 void
 BPackageInfo::Parser::_ParseStringList(BStringList* value,
-    bool requireResolvableName, bool convertToLowerCase)
+    bool requireResolvableName, bool convertToLowerCase,
+    StringValidator* stringValidator)
 {
     struct StringParser : public ListElementParser {
         BStringList* value;
         bool requireResolvableName;
         bool convertToLowerCase;
+        StringValidator* stringValidator;
 
         StringParser(BStringList* value, bool requireResolvableName,
-            bool convertToLowerCase)
+            bool convertToLowerCase, StringValidator* stringValidator)
             :
             value(value),
             requireResolvableName(requireResolvableName),
-            convertToLowerCase(convertToLowerCase)
+            convertToLowerCase(convertToLowerCase),
+            stringValidator(stringValidator)
         {
         }
 
@@ -541 +545 @@
             if (convertToLowerCase)
                 element.ToLower();
 
+            if (stringValidator != NULL)
+                stringValidator->Validate(element, token.pos);
+            
             value->Add(element);
         }
-    } stringParser(value, requireResolvableName, convertToLowerCase);
+    } stringParser(value, requireResolvableName, convertToLowerCase,
+        stringValidator);
 
     _ParseList(stringParser, true);
 }
@@ -1008 +1016 @@
                 break;
 
             case B_PACKAGE_INFO_URLS:
-                _ParseStringList(&packageInfo->fURLList);
+                UrlStringValidator stringValidator;
+                _ParseStringList(&packageInfo->fURLList,
+                    false, false, &stringValidator);
                 break;
 
             case B_PACKAGE_INFO_SOURCE_URLS:
-                _ParseStringList(&packageInfo->fSourceURLList);
+                UrlStringValidator stringValidator;
+                _ParseStringList(&packageInfo->fSourceURLList,
+                    false, false, &stringValidator);
                 break;
 
             case B_PACKAGE_INFO_GLOBAL_WRITABLE_FILES:
@@ -1146 +1158 @@
 }
 
 
+/*static*/ bool
+BPackageInfo::Parser::UrlStringValidator::_HasUrlProtocol(const BString& url)
+{
+    return url.StartsWith("http://")
+        || url.StartsWith("https://")
+        || url.StartsWith("ftp://")
+        || url.StartsWith("file:/");
+}
+
+
+/*static*/ bool
+BPackageInfo::Parser::UrlStringValidator::_IsUrlChar(char ch)
+{
+    if ( (ch >= 'A' && ch <= 'Z') ||
+         (ch >= 'a' && ch <= 'z') ||
+         (ch >= '0' && ch <= '9') ) {
+        return true;
+    }
+    
+    switch (ch) {
+        case '-':
+        case '.':
+        case '_':
+        case '~':
+        case ':':
+        case '/':
+        case '?':
+        case '#':
+        case '[':
+        case ']':
+        case '@':
+        case '!':
+        case '$':
+        case '&':
+        case '\'':
+        case '(':
+        case ')':
+        case '*':
+        case '+':
+        case ',':
+        case ';':
+        case '=':
+            return true;
+    }
+    
+    return false;
+}
+
+
+void
+BPackageInfo::Parser::UrlStringValidator::Validate(const BString& url, const char *pos)
+{
+    for (int32 i = 0; i < url.Length(); i++) {
+        if (!_IsUrlChar(url.ByteAt(i)))
+            throw ParseError("invalid character in url", pos);
+    }
+    
+    if (!_HasUrlProtocol(url))
+        throw ParseError("missing or unrecognized protocol in url", pos);
+}
+
+
 } // namespace BPackageKit

src/kits/package/PackageInfoParser.h

@@ -1 +1 @@
 /*
  * Copyright 2011, Oliver Tappe <zooey@hirschkaefer.de>
+ * Copyright 2016, Andrew Lindesay <apl@lindesay.co.nz>
  * Distributed under the terms of the MIT License.
  */
 #ifndef PACKAGE_INFO_PARSER_H
@@ -31 +32 @@
                                     BPackageResolvableExpression& _expression);
 
 private:
+            struct UrlStringValidator;
+            struct StringValidator;
             struct ParseError;
             struct Token;
             struct ListElementParser;
@@ -74 +77 @@
                                     bool allowSingleNonListElement);
             void                _ParseStringList(BStringList* value,
                                     bool requireResolvableName = false,
-                                    bool convertToLowerCase = false);
+                                    bool convertToLowerCase = false,
+                                    StringValidator* stringValidator = NULL);
             void                _ParseResolvableList(
                                     BObjectList<BPackageResolvable>* value);
             void                _ParseResolvableExprList(
@@ -152 +156 @@
 };
 
 
+struct BPackageInfo::Parser::StringValidator {
+public:
+    virtual void Validate(const BString &string, const char *pos) = 0;
+};
+
+
+struct BPackageInfo::Parser::UrlStringValidator : public BPackageInfo::Parser::StringValidator {
+private:
+    static  bool                _HasUrlProtocol(const BString& url);
+    static  bool                _IsUrlChar(char ch);
+
+public:
+    virtual void                Validate(const BString &string, const char *pos);
+};
+
+
 } // namespace BPackageKit