update Data key format: GET -> 'GET@...', URL -> 'URL#...'; prevent parameter name injection (GET or POST parameter names beginning with 'GET@' or 'URL#' are rejected)
parent
32520a1591
commit
b0002a034d
|
@ -24,11 +24,30 @@ func buildRequest(req *http.Request) (*Request, error) {
|
|||
}
|
||||
inst.ControllerUri = make([]string, 0, len(inst.Uri))
|
||||
|
||||
/* (2) Fill 'Data' with all data */
|
||||
/* (2) Fill 'Data' with GET data */
|
||||
for name, data := range inst.GetData {
|
||||
inst.Data[fmt.Sprintf("GET_%s", name)] = data
|
||||
// prevent injections
|
||||
if isParameterNameInjection(name) {
|
||||
log.Printf("get.name_injection: '%s'\n", name)
|
||||
delete(inst.GetData, name)
|
||||
continue
|
||||
}
|
||||
|
||||
// add into data
|
||||
inst.Data[fmt.Sprintf("GET@%s", name)] = data
|
||||
}
|
||||
|
||||
/* (3) Fill 'Data' with POST data */
|
||||
for name, data := range inst.FormData {
|
||||
|
||||
// prevent injections
|
||||
if isParameterNameInjection(name) {
|
||||
log.Printf("post.name_injection: '%s'\n", name)
|
||||
delete(inst.FormData, name)
|
||||
continue
|
||||
}
|
||||
|
||||
// add into data
|
||||
inst.Data[name] = data
|
||||
}
|
||||
|
||||
|
@ -122,3 +141,11 @@ func FetchFormData(req *http.Request) map[string]interface{} {
|
|||
|
||||
return res
|
||||
}
|
||||
|
||||
// isParameterNameInjection returns whether there is
|
||||
// a parameter name injection:
|
||||
// - inferred GET parameters
|
||||
// - inferred URL parameters
|
||||
func isParameterNameInjection(pName string) bool {
|
||||
return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#")
|
||||
}
|
||||
|
|
|
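Review bot: The rejection log lines `log.Printf("get.name_injection: '%s'\n", name)` and the matching POST line write an attacker-controlled parameter name unescaped, so a name containing newlines or terminal escape sequences can forge extra log entries; prefer `log.Printf("get.name_injection: %q", name)` (same for the POST branch) so control characters are escaped, and the trailing `\n` is unnecessary with the log package. The GET-side check looks redundant as written, because GET names are always stored under the `GET@` prefix and a GET name starting with `GET@` can only produce a `GET@GET@…` key that nothing else writes; keeping it as defence in depth is fine, but a comment such as `// redundant today (GET keys are always prefixed); kept so a future key scheme cannot collide` would stop the next reader from treating it as load-bearing. The offending parameter is silently dropped and the request continues, so a handler that expected that field will see it missing with no indication why; consider having buildRequest return an error instead so the request can be rejected explicitly. buildRequest begins and ends outside the hunk.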
@ -51,7 +51,7 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) {
|
|||
/* (4) Store them as Data */
|
||||
for i, data := range uriParams {
|
||||
request.UrlData[i] = data
|
||||
request.Data[fmt.Sprintf("URL%d", i)] = data
|
||||
request.Data[fmt.Sprintf("URL#%d", i)] = data
|
||||
}
|
||||
|
||||
/* (3) Check method
|
||||
|
@ -94,6 +94,11 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) {
|
|||
|
||||
/* (4) Check arguments
|
||||
---------------------------------------------------------*/
|
||||
for name, data := range request.Data {
|
||||
fmt.Printf("- %s: %v\n", name, data)
|
||||
}
|
||||
fmt.Printf("\n")
|
||||
|
||||
fmt.Printf("OK\nplugin: '%si.so'\n", strings.Join(request.ControllerUri, "/"))
|
||||
return
|
||||
}
|
||||
|
|
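Review bot: The `for name, data := range request.Data { fmt.Printf("- %s: %v\n", name, data) }` block in the "(4) Check arguments" stage prints every URL, GET and POST value to stdout on each request, which will leak form contents (passwords, tokens) into whatever captures the process output; this reads as debugging output that should be removed or gated behind a debug flag before the argument checks are implemented. The following `fmt.Printf("OK\nplugin: '%si.so'\n", strings.Join(request.ControllerUri, "/"))` likewise echoes a plugin path derived directly from the request URI; the hunk only prints it, but if the same string is later used to locate and load a plugin, the ControllerUri segments must be validated first (no `..`, no path separators, an allow-listed character set). The URL loop in the earlier hunk keys parameters as `URL#%d`, which is consistent with the `URL#` prefix rejected by isParameterNameInjection. route's body starts before the hunk and ends after it.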