Explicitly cast id and validate type

Robin Appelman 2014-08-29 17:33:10 +02:00
parent 65608d7c92
commit 8605e2e6a5


@ -40,7 +40,7 @@ class OC_EventSource implements \OCP\IEventSource {
header('X-Accel-Buffering: no'); header('X-Accel-Buffering: no');
$this->fallback = isset($_GET['fallback']) and $_GET['fallback'] == 'true'; $this->fallback = isset($_GET['fallback']) and $_GET['fallback'] == 'true';
if ($this->fallback) { if ($this->fallback) {
$this->fallBackId = $_GET['fallback_id']; $this->fallBackId = (int)$_GET['fallback_id'];
header("Content-Type: text/html"); header("Content-Type: text/html");
echo str_repeat('<span></span>' . PHP_EOL, 10); //dummy data to keep IE happy echo str_repeat('<span></span>' . PHP_EOL, 10); //dummy data to keep IE happy
} else { } else {
@ -60,18 +60,21 @@ class OC_EventSource implements \OCP\IEventSource {
* @param string $type * @param string $type
* @param mixed $data * @param mixed $data
* *
* @throws \BadMethodCallException
* if only one parameter is given, a typeless message will be send with that parameter as data * if only one parameter is given, a typeless message will be send with that parameter as data
*/ */
public function send($type, $data = null) { public function send($type, $data = null) {
if ($data and !preg_match('/^[A-Za-z0-9_]+$/', $type)) {
throw new BadMethodCallException('Type needs to be alphanumeric ('. $type .')');
}
$this->init(); $this->init();
if (is_null($data)) { if (is_null($data)) {
$data = $type; $data = $type;
$type = null; $type = null;
} }
if ($this->fallback) { if ($this->fallback) {
$fallBackId = OC_Util::sanitizeHTML($this->fallBackId);
$response = '<script type="text/javascript">window.parent.OC.EventSource.fallBackCallBack(' $response = '<script type="text/javascript">window.parent.OC.EventSource.fallBackCallBack('
. $fallBackId . ',"' . $type . '",' . OCP\JSON::encode($data) . ')</script>' . PHP_EOL; . $this->fallBackId . ',"' . $type . '",' . OCP\JSON::encode($data) . ')</script>' . PHP_EOL;
echo $response; echo $response;
} else { } else {
if ($type) { if ($type) {
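Review bot: The new type check at the top of `send()` is gated on the truthiness of `$data`, so it is skipped for falsy non-null payloads (`0`, `''`, `false`, an empty array), while the swap a few lines below treats only `null` as the typeless case. In those calls `$type` is still concatenated unvalidated into the fallback `<script>` response. Gate on null so both branches agree: `if (!is_null($data) and !preg_match('/^[A-Za-z0-9_]+$/', $type)) {`. The pattern's `$` also matches before a trailing newline, so anchor the end with `\z` or add the `D` modifier if the type must be strictly one token. `send()` continues past the end of this hunk, so how `$type` is used in the non-fallback branch is not visible here.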