update Data key format: GET parameters -> 'GET@...', URL segments -> 'URL#...'; drop GET/POST parameters whose names begin with 'GET@' or 'URL#' to prevent parameter name injection
This commit is contained in:
parent
32520a1591
commit
b0002a034d
|
@ -24,11 +24,30 @@ func buildRequest(req *http.Request) (*Request, error) {
|
||||||
}
|
}
|
||||||
inst.ControllerUri = make([]string, 0, len(inst.Uri))
|
inst.ControllerUri = make([]string, 0, len(inst.Uri))
|
||||||
|
|
||||||
/* (2) Fill 'Data' with all data */
|
/* (2) Fill 'Data' with GET data */
|
||||||
for name, data := range inst.GetData {
|
for name, data := range inst.GetData {
|
||||||
inst.Data[fmt.Sprintf("GET_%s", name)] = data
|
// prevent injections
|
||||||
|
if isParameterNameInjection(name) {
|
||||||
|
log.Printf("get.name_injection: '%s'\n", name)
|
||||||
|
delete(inst.GetData, name)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// add into data
|
||||||
|
inst.Data[fmt.Sprintf("GET@%s", name)] = data
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* (3) Fill 'Data' with POST data */
|
||||||
for name, data := range inst.FormData {
|
for name, data := range inst.FormData {
|
||||||
|
|
||||||
|
// prevent injections
|
||||||
|
if isParameterNameInjection(name) {
|
||||||
|
log.Printf("post.name_injection: '%s'\n", name)
|
||||||
|
delete(inst.FormData, name)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// add into data
|
||||||
inst.Data[name] = data
|
inst.Data[name] = data
|
||||||
}
|
}
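Review bot: Both new log.Printf calls interpolate the attacker-controlled parameter name with %s, so a name containing a newline can forge extra log records; use %q instead, e.g. `log.Printf("get.name_injection: %q", name)` and `log.Printf("post.name_injection: %q", name)` (the trailing \n is redundant with log.Printf). Deleting from GetData/FormData while ranging over them is safe in Go, but the request is still served with the offending parameter silently dropped; since buildRequest already returns an error, rejecting the whole request may be the safer default and is worth deciding explicitly. Only the POST side can actually collide with the reserved keys, because every GET name is stored under the 'GET@' prefix, so the GET-side check is purely defensive. buildRequest starts before this hunk and continues past it.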
|
||||||
|
|
||||||
|
@ -122,3 +141,11 @@ func FetchFormData(req *http.Request) map[string]interface{} {
|
||||||
|
|
||||||
return res
|
return res
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// isParameterNameInjection returns whether there is
|
||||||
|
// a parameter name injection:
|
||||||
|
// - inferred GET parameters
|
||||||
|
// - inferred URL parameters
|
||||||
|
func isParameterNameInjection(pName string) bool {
|
||||||
|
return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#")
|
||||||
|
}
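Review bot: The reserved prefixes "GET@" and "URL#" are spelled as string literals here and again inside the fmt.Sprintf calls that build the keys in buildRequest and route, so the check and the key format can drift apart silently; declare them once, e.g. `const getDataPrefix = "GET@"` and `const urlDataPrefix = "URL#"`, and use the constants in all three places. The doc comment would read better stating the contract rather than "inferred": `// isParameterNameInjection reports whether a client-supplied parameter name starts with a prefix reserved for server-generated Data keys ("GET@" for query parameters, "URL#" for URI segments) and must therefore be rejected.` The test is case-sensitive, which matches the exact keys written by buildRequest, so a differently-cased name cannot collide.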
|
||||||
|
|
|
@ -51,7 +51,7 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) {
|
||||||
/* (4) Store them as Data */
|
/* (4) Store them as Data */
|
||||||
for i, data := range uriParams {
|
for i, data := range uriParams {
|
||||||
request.UrlData[i] = data
|
request.UrlData[i] = data
|
||||||
request.Data[fmt.Sprintf("URL%d", i)] = data
|
request.Data[fmt.Sprintf("URL#%d", i)] = data
|
||||||
}
|
}
|
||||||
|
|
||||||
/* (3) Check method
|
/* (3) Check method
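Review bot: The `URL#%d` key is written here with nothing indicating that its safety depends on buildRequest dropping client parameters that start with 'URL#'; a comment on that line would keep the invariant visible, e.g. `// 'URL#' is a reserved prefix: buildRequest rejects client parameters starting with it, so nothing can shadow these entries.` Whether this runs before or after Data is filled from the form is not visible in the hunk; the filter is what guarantees no overwrite in either order. route starts before this hunk and continues past it.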
|
||||||
|
@ -94,6 +94,11 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) {
|
||||||
|
|
||||||
/* (4) Check arguments
|
/* (4) Check arguments
|
||||||
---------------------------------------------------------*/
|
---------------------------------------------------------*/
|
||||||
|
for name, data := range request.Data {
|
||||||
|
fmt.Printf("- %s: %v\n", name, data)
|
||||||
|
}
|
||||||
|
fmt.Printf("\n")
|
||||||
|
|
||||||
fmt.Printf("OK\nplugin: '%si.so'\n", strings.Join(request.ControllerUri, "/"))
|
fmt.Printf("OK\nplugin: '%si.so'\n", strings.Join(request.ControllerUri, "/"))
|
||||||
return
|
return
|
||||||
}
|
}
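Review bot: The new loop prints every entry of request.Data — which includes POST form values — to stdout with fmt.Printf on every routed request, so credentials or other sensitive body fields end up in process output; this looks like debugging left in and should be removed or gated behind a debug setting before merge, and if kept should use `fmt.Printf("- %q: %v\n", name, data)` for the name. Go randomizes map iteration order, so the printed order will differ from run to run. route begins before this hunk.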
|
||||||
|
|