mirror of
https://github.com/1f349/dendrite.git
synced 2024-11-22 11:41:38 +00:00
mediaapi/writers/download: Allow only media IDs matching [A-Za-z0-9_=-]+
This commit is contained in:
parent
0affdae889
commit
4dfbae81cd
@ -16,7 +16,9 @@ package writers
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"regexp"
|
||||||
|
|
||||||
log "github.com/Sirupsen/logrus"
|
log "github.com/Sirupsen/logrus"
|
||||||
"github.com/matrix-org/dendrite/clientapi/jsonerror"
|
"github.com/matrix-org/dendrite/clientapi/jsonerror"
|
||||||
@ -26,6 +28,11 @@ import (
|
|||||||
"github.com/matrix-org/util"
|
"github.com/matrix-org/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const mediaIDCharacters = "A-Za-z0-9_=-"
|
||||||
|
|
||||||
|
// Note: unfortunately regex.MustCompile() cannot be assigned to a const
|
||||||
|
var mediaIDRegex = regexp.MustCompile("[" + mediaIDCharacters + "]+")
|
||||||
|
|
||||||
// downloadRequest metadata included in or derivable from an download request
|
// downloadRequest metadata included in or derivable from an download request
|
||||||
// https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid
|
// https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid
|
||||||
type downloadRequest struct {
|
type downloadRequest struct {
|
||||||
@ -78,11 +85,10 @@ func (r *downloadRequest) jsonErrorResponse(w http.ResponseWriter, res util.JSON
|
|||||||
|
|
||||||
// Validate validates the downloadRequest fields
|
// Validate validates the downloadRequest fields
|
||||||
func (r *downloadRequest) Validate() *util.JSONResponse {
|
func (r *downloadRequest) Validate() *util.JSONResponse {
|
||||||
// maybe give the URL pattern in the routing, these are not even possible as the handler would not be hit...?
|
if mediaIDRegex.MatchString(string(r.MediaMetadata.MediaID)) == false {
|
||||||
if r.MediaMetadata.MediaID == "" {
|
|
||||||
return &util.JSONResponse{
|
return &util.JSONResponse{
|
||||||
Code: 404,
|
Code: 404,
|
||||||
JSON: jsonerror.NotFound("mediaId must be a non-empty string"),
|
JSON: jsonerror.NotFound(fmt.Sprintf("mediaId must be a non-empty string using only characters in %v", mediaIDCharacters)),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if r.MediaMetadata.Origin == "" {
|
if r.MediaMetadata.Origin == "" {
|
||||||
|
Loading…
Reference in New Issue
Block a user