Reject non-TLS URLs in HTTP File Upload (#1098)

* Reject non-TLS URLs in HTTP File Upload This is a MUST in the XEP. * Update 0363_http_file_upload.vala Co-authored-by: fiaxh <fiaxh@users.noreply.github.com>
author: linkmauve <linkmauve@linkmauve.fr> 2021-11-28 22:54:48 +0100
committer: GitHub <noreply@github.com> 2021-11-28 22:54:48 +0100
commit: 905f93bcccd26a035cc9d37378b45ff87298adb5 (patch)
tree: cf291a1ef970e87f08f24a5228c8b622d18989d3 /xmpp-vala
parent: e7500138a97500e155f6f7435c29874e1391b318 (diff)
download: dino-905f93bcccd26a035cc9d37378b45ff87298adb5.tar.gz
dino-905f93bcccd26a035cc9d37378b45ff87298adb5.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/xmpp-vala/src/module/xep/0363_http_file_upload.vala b/xmpp-vala/src/module/xep/0363_http_file_upload.vala
index 0acc9602..996128e2 100644
--- a/xmpp-vala/src/module/xep/0363_http_file_upload.vala
+++ b/xmpp-vala/src/module/xep/0363_http_file_upload.vala
@@ -72,6 +72,11 @@ public class Module : XmppStreamModule {
                 Idle.add((owned) callback);
                 return;
             }
+            if (!url_get.down().has_prefix("https://") || !url_put.down().has_prefix("https://")) {
+                e = new HttpFileTransferError.SLOT_REQUEST("Error getting upload/download url: Received non-https URL from server");
+                Idle.add((owned) callback);
+                return;
+            }
 
             slot_result.headers = new HashMap<string, string>();
author	linkmauve <linkmauve@linkmauve.fr>	2021-11-28 22:54:48 +0100
committer	GitHub <noreply@github.com>	2021-11-28 22:54:48 +0100
commit	905f93bcccd26a035cc9d37378b45ff87298adb5 (patch)
tree	cf291a1ef970e87f08f24a5228c8b622d18989d3 /xmpp-vala
parent	e7500138a97500e155f6f7435c29874e1391b318 (diff)
download	dino-905f93bcccd26a035cc9d37378b45ff87298adb5.tar.gz dino-905f93bcccd26a035cc9d37378b45ff87298adb5.zip