Validate edit locally token before sending to server
authorClaudio Cambra <claudio.cambra@nextcloud.com>
Tue, 25 Oct 2022 13:56:53 +0000 (15:56 +0200)
committerClaudio Cambra <claudio.cambra@nextcloud.com>
Fri, 28 Oct 2022 10:37:26 +0000 (12:37 +0200)
Signed-off-by: Claudio Cambra <claudio.cambra@nextcloud.com>
src/gui/folderman.cpp

index 00818e80a8da4f3f77a2c28ec1efad941c3120b4..da1785897f2f341813c0be551be050c3edf56627 100644 (file)
@@ -1513,7 +1513,18 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
         showError(accountFound, tr("Could not find a folder to sync."), relPath);
         return;
     }
-    
+
+    // Token is an alphanumeric string 128 chars long.
+    // Ensure that is what we received and what we are sending to the server.
+    const QRegularExpression tokenRegex("^[a-zA-Z0-9]{128}$");
+    const auto regexMatch = tokenRegex.match(token);
+
+    // Means invalid token type received, be cautious with bad token
+    if(!regexMatch.hasMatch()) {
+        showError(accountFound, tr("Invalid token received."), tr("Please try again."));
+        return;
+    }
+
     const auto relPathSplit = relPath.split(QLatin1Char('/'));
     if (relPathSplit.size() > 0) {
         Systray::instance()->createEditFileLocallyLoadingDialog(relPathSplit.last());
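Review bot: The `$` anchor in `^[a-zA-Z0-9]{128}$` does not enforce the "128 chars long" contract stated in the comment above it: in the PCRE dialect QRegularExpression uses, `$` also matches just before a trailing newline, so a 129-character token ending in `\n` passes validation even though it is not 128 alphanumeric characters. Anchoring with `\A` and `\z` closes that gap, and since the pattern never changes it can be built once: `static const QRegularExpression tokenRegex(QStringLiteral("\\A[a-zA-Z0-9]{128}\\z"));`. An equivalent belt-and-braces form is to check `token.size() == 128` alongside the match. Minor style: the new `if(!regexMatch.hasMatch())` is missing the space after `if` that the surrounding code (e.g. `if (relPathSplit.size() > 0)`) uses. The enclosing editFileLocally() starts before this hunk.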
@@ -1522,7 +1533,9 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
         return;
     }
 
-    const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(token));
+    // Sanitise the token
+    const auto encodedToken = QString(QUrl::toPercentEncoding(token));
+    const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(encodedToken));
     checkTokenForEditLocally->setVerb(SimpleApiJob::Verb::Post);
     checkTokenForEditLocally->setBody(QByteArray{"path=/"}.append(relPath.toUtf8()));
     connect(checkTokenForEditLocally, &SimpleApiJob::resultReceived, checkTokenForEditLocally, [this, folderForFile, localFilePath, showError, accountFound, relPath] (int statusCode) {
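Review bot: `QString(QUrl::toPercentEncoding(token))` relies on the implicit QByteArray-to-QString constructor, which is unavailable when a target is built with QT_NO_CAST_FROM_ASCII; the percent-encoded output is pure ASCII, so `const auto encodedToken = QString::fromLatin1(QUrl::toPercentEncoding(token));` is explicit and builds either way. Worth a short comment that the encoding is intentionally kept as defence in depth even though the token has already been validated as alphanumeric, e.g. `// Token is already validated as [a-zA-Z0-9]{128}; encoding is defence in depth for the URL path`, otherwise a later reader may remove one of the two checks as redundant. Separately, the request body on the next line appends `relPath.toUtf8()` unencoded after `path=/`; if the server parses that body as form data (not visible here), a path containing `&` or `%` would be misread, and `QUrl::toPercentEncoding(relPath)` would apply the same treatment to it. The enclosing editFileLocally() continues past this hunk.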