cordova-commits mailing list archives

From shaz...@apache.org
Subject [05/12] ios commit: Validate that callback IDs are always well-formed
Date Fri, 28 Mar 2014 23:34:05 GMT
Validate that callback IDs are always well-formed


Project: http://git-wip-us.apache.org/repos/asf/cordova-ios/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-ios/commit/d5928f63
Tree: http://git-wip-us.apache.org/repos/asf/cordova-ios/tree/d5928f63
Diff: http://git-wip-us.apache.org/repos/asf/cordova-ios/diff/d5928f63

Branch: refs/heads/3.4.x
Commit: d5928f63dc49ec92c64e95598095a9aa207cdd1c
Parents: d0f7efd
Author: Ian Clelland <iclelland@chromium.org>
Authored: Wed Feb 19 00:37:24 2014 -0500
Committer: Shazron Abdullah <shazron@apache.org>
Committed: Fri Mar 28 16:09:02 2014 -0700

----------------------------------------------------------------------
 CordovaLib/Classes/CDVCommandDelegateImpl.h |  1 +
 CordovaLib/Classes/CDVCommandDelegateImpl.m | 25 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-ios/blob/d5928f63/CordovaLib/Classes/CDVCommandDelegateImpl.h
----------------------------------------------------------------------
diff --git a/CordovaLib/Classes/CDVCommandDelegateImpl.h b/CordovaLib/Classes/CDVCommandDelegateImpl.h
index d35b32d..7b41df7 100644
--- a/CordovaLib/Classes/CDVCommandDelegateImpl.h
+++ b/CordovaLib/Classes/CDVCommandDelegateImpl.h
@@ -26,6 +26,7 @@
 @interface CDVCommandDelegateImpl : NSObject <CDVCommandDelegate>{
     @private
     __weak CDVViewController* _viewController;
+    NSRegularExpression *_callbackIdPattern;
     @protected
     __weak CDVCommandQueue* _commandQueue;
     BOOL _delayResponses;

http://git-wip-us.apache.org/repos/asf/cordova-ios/blob/d5928f63/CordovaLib/Classes/CDVCommandDelegateImpl.m
----------------------------------------------------------------------
diff --git a/CordovaLib/Classes/CDVCommandDelegateImpl.m b/CordovaLib/Classes/CDVCommandDelegateImpl.m
index 5bb56b0..4c0b5cd 100644
--- a/CordovaLib/Classes/CDVCommandDelegateImpl.m
+++ b/CordovaLib/Classes/CDVCommandDelegateImpl.m
@@ -31,6 +31,7 @@
     if (self != nil) {
         _viewController = viewController;
         _commandQueue = _viewController.commandQueue;
+        _callbackIdPattern = nil;
     }
     return self;
 }
@@ -94,6 +95,25 @@
     }
 }
 
+- (BOOL)isValidCallbackId:(NSString *)callbackId
+{
+    NSError *err = nil;
+    // Initialize on first use
+    if (_callbackIdPattern == nil) {
+        // Catch any invalid characters in the callback id.
+        _callbackIdPattern = [NSRegularExpression regularExpressionWithPattern:@"[^A-Za-z0-9_-]"
options:0 error:&err];
+        if (err != nil) {
+            // Couldn't initialize Regex; No is safer than Yes.
+            return NO;
+        }
+    }
+    // Disallow if too long or if any invalid characters were found.
+    if (([callbackId length] > 100) || [_callbackIdPattern firstMatchInString:callbackId
options:0 range:NSMakeRange(0, [callbackId length])]) {
+        return NO;
+    }
+    return YES;
+}
+
 - (void)sendPluginResult:(CDVPluginResult*)result callbackId:(NSString*)callbackId
 {
     CDV_EXEC_LOG(@"Exec(%@): Sending result. Status=%@", callbackId, result.status);
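Review bot: isValidCallbackId: sends `length` to `callbackId` and passes it to `firstMatchInString:` without first confirming it is a non-nil NSString. A nil id has length 0, so it is either treated as an empty, valid id or may raise inside NSRegularExpression, and a non-string object (for example an NSNull, if one can reach this method from decoded bridge data) would raise on `length` instead of being rejected. If an empty id is never legitimate, a guard at the top such as `if (![callbackId isKindOfClass:[NSString class]] || [callbackId length] == 0) { return NO; }` keeps the allow-list fail-closed. The lazy `_callbackIdPattern` setup is also unsynchronised, so if sendPluginResult can be called from background threads, building the regex once under `dispatch_once` would avoid the race. Success of the regex creation is better tested on the returned object (`_callbackIdPattern == nil`) than on `err`.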
@@ -101,6 +121,11 @@
     if ([@"INVALID" isEqualToString : callbackId]) {
         return;
     }
+    // This occurs when the callback id is malformed.
+    if (![self isValidCallbackId:callbackId]) {
+        NSLog(@"Invalid callback id received by sendPluginResult");
+        return;
+    }
     int status = [result.status intValue];
     BOOL keepCallback = [result.keepCallback boolValue];
     NSString* argumentsAsJSON = [result argumentsAsJSON];

