author | Maximilian Goldstein <max.goldstein@qt.io> | 2020-01-08 13:17:34 +0100 |
---|---|---|
committer | Maximilian Goldstein <max.goldstein@qt.io> | 2020-01-15 10:17:59 +0100 |
commit | a07251df7c1e6158cb323e60cb08e687ead15b19 (patch) | |
tree | 9739d44b36a8e48f8db4bec1ec4abe99db9b9d13 /src/qml/qml/qqmlxmlhttprequest.cpp | |
parent | 7d2c0a90beec2be610ad5eff00da7138ef2a84e5 (diff) |
qqmlxmlhttprequest: Add ability to disable file:// requests
Introduces two new flags:
QML_XHR_ALLOW_FILE_READ: Controls whether GET can be used with file://.
QML_XHR_ALLOW_FILE_WRITE: Controls whether PUT can be used with file://.
In Qt 6 these will be off by default. At the moment having these unset
while using either GET or PUT on file:// will just result in a warning.
Change-Id: I2d85e88f1ddba8153ccbbd833ec7de5c1d0d8b5b
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Diffstat (limited to 'src/qml/qml/qqmlxmlhttprequest.cpp')
-rw-r--r-- | src/qml/qml/qqmlxmlhttprequest.cpp | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/src/qml/qml/qqmlxmlhttprequest.cpp b/src/qml/qml/qqmlxmlhttprequest.cpp index c2e7be73e7..2afbdb616b 100644 --- a/src/qml/qml/qqmlxmlhttprequest.cpp +++ b/src/qml/qml/qqmlxmlhttprequest.cpp @@ -54,6 +54,7 @@ #include <QtCore/qobject.h> #include <QtQml/qjsvalue.h> #include <QtQml/qjsengine.h> +#include <QtQml/qqmlfile.h> #include <QtNetwork/qnetworkreply.h> #include <QtCore/qtextcodec.h> #include <QtCore/qxmlstream.h> @@ -77,6 +78,8 @@ using namespace QV4; QT_BEGIN_NAMESPACE DEFINE_BOOL_CONFIG_OPTION(xhrDump, QML_XHR_DUMP); +DEFINE_BOOL_CONFIG_OPTION(xhrFileWrite, QML_XHR_ALLOW_FILE_WRITE); +DEFINE_BOOL_CONFIG_OPTION(xhrFileRead, QML_XHR_ALLOW_FILE_READ); struct QQmlXMLHttpRequestData { QQmlXMLHttpRequestData(); 
@@ -1195,6 +1198,37 @@ void QQmlXMLHttpRequest::fillHeadersList() void QQmlXMLHttpRequest::requestFromUrl(const QUrl &url) { QNetworkRequest request = m_request; + + if (QQmlFile::isLocalFile(url)) { + if (m_method == QLatin1String("PUT")) + { + if (!xhrFileWrite()) { + if (qEnvironmentVariableIsSet("QML_XHR_ALLOW_FILE_WRITE")) { + qWarning("XMLHttpRequest: Tried to use PUT on a local file despite being disabled."); + return; + } else { + qWarning("XMLHttpRequest: Using PUT on a local file is dangerous " + "and will be disabled by default in a future Qt version." + "Set QML_XHR_ALLOW_FILE_WRITE to 1 if you wish to continue using this feature."); + } + } + } else if (m_method == QLatin1String("GET")) { + if (!xhrFileRead()) { + if (qEnvironmentVariableIsSet("QML_XHR_ALLOW_FILE_READ")) { + qWarning("XMLHttpRequest: Tried to use GET on a local file despite being disabled."); + return; + } else { + qWarning("XMLHttpRequest: Using GET on a local file is dangerous " + "and will be disabled by default in a future Qt version." + "Set QML_XHR_ALLOW_FILE_READ to 1 if you wish to continue using this feature."); + } + } + } else { + qWarning("XMLHttpRequest: Unsupported method used on a local file"); + return; + } + } + request.setUrl(url); if(m_method == QLatin1String("POST") || m_method == QLatin1String("PUT")) { @@ -1389,7 +1423,7 @@ void QQmlXMLHttpRequest::finished() QVariant redirect = m_network->attribute(QNetworkRequest::RedirectionTargetAttribute); if (redirect.isValid()) { QUrl url = m_network->url().resolved(redirect.toUrl()); - if (url.scheme() != QLatin1String("file")) { + if (!QQmlFile::isLocalFile(url)) { // See http://www.ietf.org/rfc/rfc2616.txt, section 10.3.4 "303 See Other": // Result of 303 redirection should be a new "GET" request. const QVariant code = m_network->attribute(QNetworkRequest::HttpStatusCodeAttribute); |
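Review bot: The two denial paths and the unsupported-method path in requestFromUrl only call qWarning and `return`, so as far as this hunk shows, the script that issued the request gets no error or completion signal and a policy block is visible only in the console log. The function body continues outside the hunk, so confirm whether the failure is surfaced elsewhere; if it is not, put the request into its error state before returning. The gate uses QQmlFile::isLocalFile, which as documented also treats qrc: URLs as local, while the flag names and messages speak only of file://; a comment above the check such as `// isLocalFile() also matches qrc:, not only file://` would make the scope of the policy clear. The two multi-line warnings also lack a separator between literals and will print `version.Set`, so end the middle literal with a space: `"and will be disabled by default in a future Qt version. "`.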
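Review bot: The redirect guard in finished() carries no comment saying why a redirect that resolves to a local URL is not followed, although that is the security-relevant part of the branch: a remote server should not be able to steer the request to a local resource. Suggest adding above the condition `// Never follow a redirect from a network reply to a local URL (file:, qrc:).` The else branch that handles the refused redirect lies outside the hunk, so what the script observes in that case cannot be checked from here.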