From 4ef0d2390085c6f1d080892248172b5dcfdf2fb4 Mon Sep 17 00:00:00 2001
From: Christian Muehlhaeuser
Date: Tue, 26 Jun 2012 23:15:26 +0200
Subject: [PATCH] * Don't accept empty queries from web API.

---
 src/web/Api_v1.cpp | 67 ++++++++++++++++++++++++++++------------------
 1 file changed, 41 insertions(+), 26 deletions(-)

diff --git a/src/web/Api_v1.cpp b/src/web/Api_v1.cpp
index 7008d0e2a..47b2215f6 100644
--- a/src/web/Api_v1.cpp
+++ b/src/web/Api_v1.cpp
@@ -44,6 +44,7 @@ Api_v1::auth_1( QxtWebRequestEvent* event, QString arg )
     {
         qDebug() << "Malformed HTTP resolve request";
         send404( event );
+        return;
     }
 
     QString formToken = uuid();
@@ -60,7 +61,7 @@ Api_v1::auth_1( QxtWebRequestEvent* event, QString arg )
     // webpage request
     QString authPage = RESPATH "www/auth.html";
     QHash< QString, QString > args;
-    if( event->url.hasQueryItem( "receiverurl" ) )
+    if ( event->url.hasQueryItem( "receiverurl" ) )
         args[ "url" ] = QUrl::fromPercentEncoding( event->url.queryItemValue( "receiverurl" ).toUtf8() );
 
     args[ "formtoken" ] = formToken;
@@ -75,7 +76,7 @@ void
 Api_v1::auth_2( QxtWebRequestEvent* event, QString arg )
 {
     qDebug() << "AUTH_2 HTTP" << event->url.toString() << arg;
-    if( event->content.isNull() )
+    if ( event->content.isNull() )
     {
         qDebug() << "Null content";
         send404( event );
@@ -90,14 +91,14 @@ Api_v1::auth_2( QxtWebRequestEvent* event, QString arg )
     foreach ( const QString& part, pieces )
     {
         QStringList keyval = part.split( '=' );
-        if( keyval.size() == 2 )
+        if ( keyval.size() == 2 )
             queryItems.insert( keyval.first(), keyval.last() );
         else
             qDebug() << "Failed parsing url parameters: " << part;
     }
 
     qDebug() << "has query items:" << pieces;
-    if( !params.contains( "website" ) || !params.contains( "name" ) || !params.contains( "formtoken" ) )
+    if ( !params.contains( "website" ) || !params.contains( "name" ) || !params.contains( "formtoken" ) )
     {
         qDebug() << "Malformed HTTP resolve request";
         send404( event );
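Review bot: The guard that now returns after `send404( event )` still logs `"Malformed HTTP resolve request"`, which names a different handler than auth_1 and sends anyone reading the log to the wrong function; the same copied text sits in the auth_2 guard in the `@@ -90,14 +91,14 @@` hunk. Suggest `qDebug() << "Malformed HTTP auth_1 request";` here and the matching handler name in auth_2. In that auth_2 hunk the guard also tests `params.contains( ... )` while the loop just above it fills `queryItems`, so unless `params` is populated outside the hunk the check and the parsed data are different containers; worth confirming before relying on the 404. auth_1's body begins before this hunk, so the condition being guarded is not visible here.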
@@ -108,10 +109,10 @@ Api_v1::auth_2( QxtWebRequestEvent* event, QString arg )
     QString name = queryItems[ "name" ];
     QByteArray authtoken = uuid().toLatin1();
     qDebug() << "HEADERS:" << event->headers;
-    if( !queryItems.contains( "receiverurl" ) || queryItems.value( "receiverurl" ).isEmpty() )
+    if ( !queryItems.contains( "receiverurl" ) || queryItems.value( "receiverurl" ).isEmpty() )
     {
         //no receiver url, so do it ourselves
-        if( queryItems.contains( "json" ) )
+        if ( queryItems.contains( "json" ) )
         {
             QVariantMap m;
             m[ "authtoken" ] = authtoken;
@@ -152,13 +153,13 @@ Api_v1::api( QxtWebRequestEvent* event )
     qDebug() << "HTTP" << event->url.toString();
 
     const QUrl& url = event->url;
-    if( url.hasQueryItem( "method" ) )
+    if ( url.hasQueryItem( "method" ) )
     {
         const QString method = url.queryItemValue( "method" );
 
-        if( method == "stat" ) return stat( event );
-        if( method == "resolve" ) return resolve( event );
-        if( method == "get_results" ) return get_results( event );
+        if ( method == "stat" ) return stat( event );
+        if ( method == "resolve" ) return resolve( event );
+        if ( method == "get_results" ) return get_results( event );
     }
 
     send404( event );
@@ -175,13 +176,13 @@ Api_v1::sid( QxtWebRequestEvent* event, QString unused )
     qDebug() << "Request for sid " << rid;
 
     result_ptr rp = Pipeline::instance()->result( rid );
-    if( rp.isNull() )
+    if ( rp.isNull() )
     {
         return send404( event );
     }
 
     QSharedPointer iodev = Servent::instance()->getIODeviceForUrl( rp );
-    if( iodev.isNull() )
+    if ( iodev.isNull() )
     {
         return send404( event ); // 503?
     }
@@ -189,7 +190,7 @@ Api_v1::sid( QxtWebRequestEvent* event, QString unused )
     QxtWebPageEvent* e = new QxtWebPageEvent( event->sessionID, event->requestID, iodev );
     e->streaming = iodev->isSequential();
     e->contentType = rp->mimetype().toAscii();
-    if( rp->size() > 0 )
+    if ( rp->size() > 0 )
         e->headers.insert( "Content-Length", QString::number( rp->size() ) );
     postEvent( e );
 }
@@ -212,10 +213,10 @@ Api_v1::stat( QxtWebRequestEvent* event )
     qDebug() << "Got Stat request:" << event->url.toString();
     m_storedEvent = event;
 
-    if( !event->content.isNull() )
+    if ( !event->content.isNull() )
         qDebug() << "BODY:" << event->content->readAll();
 
-    if( event->url.hasQueryItem( "auth" ) )
+    if ( event->url.hasQueryItem( "auth" ) )
     {
         // check for auth status
         DatabaseCommand_ClientAuthValid* dbcmd = new DatabaseCommand_ClientAuthValid( event->url.queryItemValue( "auth" ) );
@@ -248,11 +249,24 @@ Api_v1::statResult( const QString& clientToken, const QString& name, bool valid
 void
 Api_v1::resolve( QxtWebRequestEvent* event )
 {
-    if( !event->url.hasQueryItem( "artist" ) ||
-        !event->url.hasQueryItem( "track" ) )
+    if ( !event->url.hasQueryItem( "artist" ) ||
+         !event->url.hasQueryItem( "track" ) )
     {
         qDebug() << "Malformed HTTP resolve request";
         send404( event );
+        return;
+    }
+
+    const QString artist = QUrl::fromPercentEncoding( event->url.queryItemValue( "artist" ).toUtf8() );
+    const QString track = QUrl::fromPercentEncoding( event->url.queryItemValue( "track" ).toUtf8() );
+    const QString album = QUrl::fromPercentEncoding( event->url.queryItemValue( "album" ).toUtf8() );
+
+    if ( artist.trimmed().isEmpty() ||
+         track.trimmed().isEmpty() )
+    {
+        qDebug() << "Malformed HTTP resolve request";
+        send404( event );
+        return;
     }
 
     QString qid;
@@ -261,7 +275,7 @@ Api_v1::resolve( QxtWebRequestEvent* event )
     else
         qid = uuid();
 
-    query_ptr qry = Query::get( QUrl::fromPercentEncoding( event->url.queryItemValue( "artist" ).toUtf8() ), QUrl::fromPercentEncoding( event->url.queryItemValue( "track" ).toUtf8() ), QUrl::fromPercentEncoding( event->url.queryItemValue( "album" ).toUtf8() ), qid, false );
+    query_ptr qry = Query::get( artist, track, album, qid, false );
     Pipeline::instance()->resolve( qry, true, true );
 
     QVariantMap r;
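Review bot: The new emptiness guard tests `artist.trimmed().isEmpty()` and `track.trimmed().isEmpty()`, but the untrimmed `artist`, `track` and `album` are what reach `Query::get` in the `@@ -261,7 +275,7 @@` hunk, so a value consisting of spaces plus one character passes the check and is queried with its padding intact. Trim at the point of decoding, e.g. `const QString artist = QUrl::fromPercentEncoding( event->url.queryItemValue( "artist" ).toUtf8() ).trimmed();` (likewise for `track` and `album`), after which the check can be the plain `artist.isEmpty() || track.isEmpty()`. Both guards log the identical `"Malformed HTTP resolve request"`, so the log cannot tell a missing parameter from a blank one; `"Empty artist/track in HTTP resolve request"` on the second guard would distinguish them. If `QUrl::queryItemValue` already returns the percent-decoded value on the Qt version in use (Qt 4 documents `encodedQueryItemValue` as the raw variant), the `QUrl::fromPercentEncoding` wrapper carried over from the removed line decodes twice and will mangle inputs containing a literal `%`; worth confirming.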
@@ -274,7 +288,7 @@ void
 Api_v1::staticdata( QxtWebRequestEvent* event, const QString& str )
 {
     qDebug() << "STATIC request:" << event << str;
-    if( str.contains( "tomahawk_auth_logo.png" ) )
+    if ( str.contains( "tomahawk_auth_logo.png" ) )
     {
         QFile f( RESPATH "www/tomahawk_banner_small.png" );
         f.open( QIODevice::ReadOnly );
@@ -289,14 +303,15 @@ Api_v1::staticdata( QxtWebRequestEvent* event, const QString& str )
 void
 Api_v1::get_results( QxtWebRequestEvent* event )
 {
-    if( !event->url.hasQueryItem("qid") )
+    if ( !event->url.hasQueryItem( "qid" ) )
     {
-        qDebug() << "Malformed HTTP get_results request";
-        send404(event);
+        tDebug() << "Malformed HTTP get_results request";
+        send404( event );
+        return;
     }
 
     query_ptr qry = Pipeline::instance()->query( event->url.queryItemValue( "qid" ) );
-    if( qry.isNull() )
+    if ( qry.isNull() )
     {
         send404( event );
         return;
@@ -328,7 +343,7 @@ Api_v1::sendJSON( const QVariantMap& m, QxtWebRequestEvent* event )
     QByteArray ctype;
     QByteArray body = ser.serialize( m );
 
-    if( event->url.hasQueryItem("jsonp") && !event->url.queryItemValue( "jsonp" ).isEmpty() )
+    if ( event->url.hasQueryItem("jsonp") && !event->url.queryItemValue( "jsonp" ).isEmpty() )
     {
         ctype = "text/javascript; charset=utf-8";
         body.prepend( QString("%1( ").arg( event->url.queryItemValue( "jsonp" ) ).toAscii() );
@@ -352,7 +367,7 @@ Api_v1::sendJSON( const QVariantMap& m, QxtWebRequestEvent* event )
 void
 Api_v1::sendWebpageWithArgs( QxtWebRequestEvent* event, const QString& filenameSource, const QHash< QString, QString >& args )
 {
-    if( !QFile::exists( filenameSource ) )
+    if ( !QFile::exists( filenameSource ) )
         qWarning() << "Passed invalid file for html source:" << filenameSource;
 
     QFile f( filenameSource );
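Review bot: The `qid` guard in get_results only checks `hasQueryItem( "qid" )`, so `?qid=` with an empty value passes and reaches `Pipeline::instance()->query( ... )` with an empty id, which is the same empty-input case this commit closes in resolve(); extend it to `if ( !event->url.hasQueryItem( "qid" ) || event->url.queryItemValue( "qid" ).trimmed().isEmpty() )`. The `qry.isNull()` branch below likely catches it anyway, but rejecting it at the parameter check keeps the reason in the log rather than a bare 404. The switch to `tDebug()` on the malformed-request line is the only `tDebug` in this diff while the neighbouring handlers (resolve, auth_1, auth_2 in the hunks above) keep `qDebug()`; unless the file is being migrated handler by handler, pick one for the whole file. get_results continues past the end of this hunk.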
@@ -364,7 +379,7 @@ Api_v1::sendWebpageWithArgs( QxtWebRequestEvent* event, const QString& filenameS
         html.replace( QString( "<%%1%>" ).arg( param.toUpper() ), args.value( param ).toUtf8() );
     }
     // workaround for receiverurl
-    if( !args.keys().contains( "URL" ) )
+    if ( !args.keys().contains( "URL" ) )
         html.replace( QString( "<%URL%>" ).toLatin1(), QByteArray() );