authorMorten Sorvig <msorvig@trolltech.com>2009-06-23 07:24:36 +0200
committerMorten Sorvig <msorvig@trolltech.com>2009-06-23 07:24:36 +0200
commit7d96dfcb3246277970364e8541a032c38eb4b45f (patch)
tree89424b90c0115435d0a35fde7634d05e34d9c870 /src
parent503aa8b145579cb0a10ffef0585b1da0d96c0476 (diff)
Use a filename whitelist when serving files
Diffstat (limited to 'src')
-rw-r--r--src/index.html2
-rw-r--r--src/qwebclient.js13
-rw-r--r--src/webclientserver.cpp28
-rw-r--r--src/webclientserver.h4
4 files changed, 34 insertions, 13 deletions
diff --git a/src/index.html b/src/index.html
index 8b68cfc..e0cb434 100644
--- a/src/index.html
+++ b/src/index.html
@@ -1 +1 @@
-<html> <head> <script type="text/javascript" src=":qwebclient.js"></script> </head> <body> <div class="qwebclient" style="width:10000px" src="INSERT_HOSTNAME"></div> </body> </html> \ No newline at end of file
+<html> <head> <script type="text/javascript" src="qwebclient.js"></script> </head> <body> <div class="qwebclient" style="width:10000px" src="INSERT_HOSTNAME"></div> </body> </html> \ No newline at end of file
diff --git a/src/qwebclient.js b/src/qwebclient.js
index 58789f3..4fb72ef 100644
--- a/src/qwebclient.js
+++ b/src/qwebclient.js
@@ -1,6 +1,7 @@
-document.write("<link rel='stylesheet' href=':qwebclient.css'>");
-document.write("<script type='text/javascript' src=':dojo.js' djConfig='parseOnLoad: true'></scr"+"ipt>");
-document.write("<script type='text/javascript' src=':json2.js'></scr"+"ipt>");
-document.write("<script type='text/javascript' src=':draghandler.js'></scr"+"ipt>");
-document.write("<script type='text/javascript' src=':sessionhandler.js'></scr"+"ipt>");
-document.write("<script type='text/javascript' src=':eventhandler.js'></scr"+"ipt>");
+// When adding files here, add the name to allowedFileNames in webclientserver.cpp as well
+document.write("<link rel='stylesheet' href='qwebclient.css'>");
+document.write("<script type='text/javascript' src='dojo.js' djConfig='parseOnLoad: true'></scr"+"ipt>");
+document.write("<script type='text/javascript' src='json2.js'></scr"+"ipt>");
+document.write("<script type='text/javascript' src='draghandler.js'></scr"+"ipt>");
+document.write("<script type='text/javascript' src='sessionhandler.js'></scr"+"ipt>");
+document.write("<script type='text/javascript' src='eventhandler.js'></scr"+"ipt>");
diff --git a/src/webclientserver.cpp b/src/webclientserver.cpp
index 6b7ebfa..21c1eb1 100644
--- a/src/webclientserver.cpp
+++ b/src/webclientserver.cpp
@@ -268,21 +268,36 @@ void Server::dataOnSocket()
socket->write(response.toText());
// DEBUG << "socket write response done";
}
+FileServer::FileServer()
+{
+ allowedFileNames = QSet<QString>()
+ << "index.html" << "qwebclient.js"
+ << "qwebclient.css" << "dojo.js"
+ << "json2.js" << "draghandler.js"
+ << "sessionhandler.js" << "eventhandler.js";
+}
+
void FileServer::handleRequest(HttpRequest *request, HttpResponse *response)
{
if (response->body != QByteArray())
return;
-
+ qDebug() << "foo";
+
const QByteArray path = request->path();
QByteArray filePath = path.right(path.size() - 1); // remove leading '/'
-// DEBUG << "file server handle request" << path << filePath;
-
+ DEBUG << "file server handle request" << path << filePath;
+
if (filePath == "")
- filePath = ":index.html";
-
- QFile file(filePath); // ### contain
+ filePath = "index.html";
+
+ if (allowedFileNames.contains(filePath) == false)
+ return; // ### drop connection?
+
+ filePath.prepend(":"); // load from resources.
+
+ QFile file(filePath);
if (file.exists() == false) {
// DEBUG << "no file" << filePath;
return;
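Review bot: The new `qDebug() << "foo";` just after the early return is a leftover debug print that fires on every request and should be dropped, and the formerly commented-out `DEBUG << "file server handle request" << path << filePath;` now logs every client-supplied path unconditionally — re-comment it or keep it behind a debug-only switch. The whitelist itself looks right: `allowedFileNames.contains(filePath)` is an exact, case-sensitive match done before the `:` resource prefix is prepended, so the `QFile` open should now only ever see one of the eight fixed resource names rather than a client-chosen filesystem path, which is what the old `// ### contain` marker was about. On a rejected name the function returns with the response body still empty (`// ### drop connection?`); whether that turns into a clean 404 or an open connection depends on the dispatcher, which is outside this hunk, so consider setting an explicit not-found status here instead of relying on it. handleRequest continues past the end of the hunk.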
@@ -292,6 +307,7 @@ void FileServer::handleRequest(HttpRequest *request, HttpResponse *response)
QByteArray fileContents = file.readAll();
fileContents.replace("INSERT_HOSTNAME", request->hostName());
static int pageId = 0;
+
/*
if (fileContents.contains("INSERT_PAGE_ID"))
fileContents.replace("INSERT_PAGE_ID", QByteArray::number(++pageId));
diff --git a/src/webclientserver.h b/src/webclientserver.h
index f121fa6..6d12dd9 100644
--- a/src/webclientserver.h
+++ b/src/webclientserver.h
@@ -92,8 +92,12 @@ private:
class FileServer : public QObject
{
Q_OBJECT
+public:
+ FileServer();
public slots:
virtual void handleRequest(HttpRequest *request, HttpResponse *response);
+private:
+ QSet<QString> allowedFileNames;
};
#endif