FreshRSS/rssguard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

properly sanitize all URLs, also use sanitized URLs in messages base URL deduction

Browse Source
This commit is contained in:
Martin Rotter 2021-07-14 07:49:14 +02:00
parent 03df575fc6
commit b0a11288cb
6 changed files with 17 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
resources/desktop/com.github.rssguard.appdata.xml
View File

@ -30,7 +30,7 @@
<url type="donation">https://martinrotter.github.io/donate/</url>
<content_rating type="oars-1.1" />
<releases>
<release version="3.9.2" date="2021-07-12"/>
<release version="3.9.2" date="2021-07-14"/>
</releases>
<content_rating type="oars-1.0">
<content_attribute id="violence-cartoon">none</content_attribute>

3
src/librssguard/gui/webviewer.cpp
View File

@ -11,6 +11,7 @@
#include "miscellaneous/skinfactory.h"
#include "network-web/adblock/adblockicon.h"
#include "network-web/adblock/adblockmanager.h"
#include "network-web/networkfactory.h"
#include "network-web/webfactory.h"
#include "network-web/webpage.h"
@ -151,7 +152,7 @@ void WebViewer::loadMessages(const QList<Message>& messages, RootItem* root) {
m_messageBaseUrl = QString();
if (feed != nullptr) {
QUrl url(feed->source());
QUrl url(NetworkFactory::sanitizeUrl(feed->source()));
if (url.isValid()) {
m_messageBaseUrl = url.scheme() + QSL("://") + url.host();

18
src/librssguard/network-web/downloader.cpp
View File

@ -5,6 +5,7 @@
#include "miscellaneous/application.h"
#include "miscellaneous/iofactory.h"
#include "network-web/cookiejar.h"
#include "network-web/networkfactory.h"
#include "network-web/silentnetworkaccessmanager.h"
#include "network-web/webfactory.h"
@ -60,15 +61,14 @@ void Downloader::manipulateData(const QString& url,
bool protected_contents,
const QString& username,
const QString& password) {
auto cookies = CookieJar::extractCookiesFromUrl(url);
QString sanitized_url = NetworkFactory::sanitizeUrl(url);
auto cookies = CookieJar::extractCookiesFromUrl(sanitized_url);
if (!cookies.isEmpty()) {
qApp->web()->cookieJar()->setCookiesFromUrl(cookies, url);
qApp->web()->cookieJar()->setCookiesFromUrl(cookies, sanitized_url);
}
QNetworkRequest request;
QString non_const_url = url;
QHashIterator<QByteArray, QByteArray> i(m_customHeaders);
while (i.hasNext()) {
@ -82,15 +82,7 @@ void Downloader::manipulateData(const QString& url,
// Set url for this request and fire it up.
m_timer->setInterval(timeout);
if (non_const_url.startsWith(URI_SCHEME_FEED)) {
qDebugNN << LOGSEC_NETWORK
<< "Replacing URI schemes for"
<< QUOTE_W_SPACE_DOT(non_const_url);
request.setUrl(non_const_url.replace(QRegularExpression(QString('^') + URI_SCHEME_FEED), QString(URI_SCHEME_HTTP)));
}
else {
request.setUrl(non_const_url);
}
request.setUrl(qApp->web()->processFeedUriScheme(sanitized_url));
m_targetProtected = protected_contents;
m_targetUsername = username;

5
src/librssguard/network-web/networkfactory.cpp
View File

@ -137,6 +137,11 @@ QString NetworkFactory::networkErrorText(QNetworkReply::NetworkError error_code)
}
}
QString NetworkFactory::sanitizeUrl(const QString& url) {
return QString(url).replace(QRegularExpression(QSL("[^\\w\\-.~:\\/?#\\[\\]@!$&'()*+,;=%]")),
QString());
}
QNetworkReply::NetworkError NetworkFactory::downloadIcon(const QList<QPair<QString, bool>>& urls, int timeout,
QIcon& output, const QNetworkProxy& custom_proxy) {
QNetworkReply::NetworkError network_result = QNetworkReply::NetworkError::UnknownNetworkError;

1
src/librssguard/network-web/networkfactory.h
View File

@ -28,6 +28,7 @@ class NetworkFactory {
// Returns human readable text for given network error.
static QString networkErrorText(QNetworkReply::NetworkError error_code);
static QString sanitizeUrl(const QString& url);
// Performs SYNCHRONOUS download if favicon for the site,
// given URL belongs to.

8
src/librssguard/services/standard/feedparser.cpp
View File

@ -92,18 +92,16 @@ QString FeedParser::rawXmlChild(const QDomElement& container) const {
auto children = container.childNodes();
for (int i = 0; i < children.size(); i++) {
QString raw_ch;
if (children.at(i).isCDATASection()) {
raw_ch = children.at(i).toCDATASection().data();
raw += children.at(i).toCDATASection().data();
}
else {
QString raw_ch;
QTextStream str(&raw_ch);
children.at(i).save(str, 0);
raw += qApp->web()->unescapeHtml(raw_ch);
}
raw += qApp->web()->unescapeHtml(raw_ch);
}
return raw;