From 905f93bcccd26a035cc9d37378b45ff87298adb5 Mon Sep 17 00:00:00 2001 From: linkmauve Date: Sun, 28 Nov 2021 22:54:48 +0100 Subject: Reject non-TLS URLs in HTTP File Upload (#1098) * Reject non-TLS URLs in HTTP File Upload This is a MUST in the XEP. * Update 0363_http_file_upload.vala Co-authored-by: fiaxh --- xmpp-vala/src/module/xep/0363_http_file_upload.vala | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'xmpp-vala/src') diff --git a/xmpp-vala/src/module/xep/0363_http_file_upload.vala b/xmpp-vala/src/module/xep/0363_http_file_upload.vala index 0acc9602..996128e2 100644 --- a/xmpp-vala/src/module/xep/0363_http_file_upload.vala +++ b/xmpp-vala/src/module/xep/0363_http_file_upload.vala @@ -72,6 +72,11 @@ public class Module : XmppStreamModule { Idle.add((owned) callback); return; } + if (!url_get.down().has_prefix("https://") || !url_put.down().has_prefix("https://")) { + e = new HttpFileTransferError.SLOT_REQUEST("Error getting upload/download url: Received non-https URL from server"); + Idle.add((owned) callback); + return; + } slot_result.headers = new HashMap(); -- cgit v1.2.3-70-g09d2