SL-10924 Fix data escaping to accomodate CEF update

author: andreykproductengine <andreykproductengine@lindenlab.com> 2019-04-11 20:29:50 +0300
committer: andreykproductengine <andreykproductengine@lindenlab.com> 2019-04-11 20:29:50 +0300
commit: e4a244a6cb1837d1748381e4552b5199a5782150 (patch)
tree: 1e16c93c3099e0c8a2e814a4c9be050c7c4a28d5 /indra/llcommon
parent: 9194a97e9460fcd3836c8e20399d50a37d4f1807 (diff)
2 files changed, 105 insertions, 0 deletions
diff --git a/indra/llcommon/lluri.cpp b/indra/llcommon/lluri.cpp
index 758b98e143..e2285d0a9c 100644
--- a/indra/llcommon/lluri.cpp
+++ b/indra/llcommon/lluri.cpp
@@ -173,6 +173,19 @@ namespace
 			"-._~";
 		return s;
 	}
+	const std::string path()
+	{
+		static const std::string s =
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+			"abcdefghijklmnopqrstuvwxyz"
+			"0123456789"
+			"$-_.+"
+			"!*'(),"
+			"{}|\\^~[]`"
+			"<>#%"
+			";/?:@&=";
+		return s;
+	}
 	const std::string sub_delims()
 	{
 		static const std::string s = "!$&'()*+,;=";
@@ -187,6 +200,12 @@ namespace
 		{ return LLURI::escape(s, unreserved() + ":@!$'()*+,"); }	 // sub_delims - "&;=" + ":@"
 	std::string escapeQueryValue(const std::string& s)
 		{ return LLURI::escape(s, unreserved() + ":@!$'()*+,="); }	// sub_delims - "&;" + ":@"
+	std::string escapeUriQuery(const std::string& s)
+		{ return LLURI::escape(s, unreserved() + ":@?&$;*+=%/"); }
+	std::string escapeUriData(const std::string& s)
+		{ return LLURI::escape(s, unreserved()); }
+	std::string escapeUriPath(const std::string& s)
+		{ return LLURI::escape(s, path()); }
 }
 
 //static
@@ -202,6 +221,84 @@ std::string LLURI::escape(const std::string& str)
 	return escape(str, default_allowed, true);
 }
 
+//static
+std::string LLURI::escapePathAndData(const std::string &str)
+{
+    std::string result;
+
+    const std::string data_marker = "data:";
+    if (str.compare(0, data_marker.length(), data_marker) == 0)
+    {
+        // This is not url, but data, data part needs to be properly escaped
+        // data part is separated by ',' from header. Minimal data uri is "data:,"
+        // See "data URI scheme"
+        size_t separator = str.find(',');
+        if (separator != std::string::npos)
+        {
+            size_t header_size = separator + 1;
+            std::string header = str.substr(0, header_size);
+            // base64 is url-safe
+            if (header.find("base64") != std::string::npos)
+            {
+                // assume url-safe data
+                result = str;
+            }
+            else
+            {
+                std::string data = str.substr(header_size, str.length() - header_size);
+
+                // Notes: File can be partially pre-escaped, that's why escaping ignores '%'
+                // It somewhat limits user from displaying strings like "%20" in text
+                // but that's how viewer worked for a while and user can double-encode it
+
+                // Header doesn't need escaping
+                result = header + escapeUriData(data);
+            }
+        }
+    }
+    else
+    {
+        // try processing it as path with query separator
+        // The query component is indicated by the first question
+        // mark("?") character and terminated by a number sign("#")
+        size_t delim_pos = str.find('?');
+        if (delim_pos == std::string::npos)
+        {
+            // alternate separator
+            delim_pos = str.find(';');
+        }
+
+        if (delim_pos != std::string::npos)
+        {
+            size_t path_size = delim_pos + 1;
+            std::string query;
+            std::string fragment;
+
+            size_t fragment_pos = str.find('#');
+            if (fragment_pos != std::string::npos)
+            {
+                query = str.substr(path_size, fragment_pos - path_size);
+                fragment = str.substr(fragment_pos);
+            }
+            else
+            {
+                query = str.substr(path_size);
+            }
+
+            std::string path = str.substr(0, path_size);
+
+            result = escapeUriPath(path) + escapeUriQuery(query) + escapeUriPath(fragment);
+        }
+    }
+
+    if (result.empty())
+    {
+        // Not a known scheme or no data part, try just escaping as Uri path
+        result = escapeUriPath(str);
+    }
+    return result;
+}
+
 LLURI::LLURI()
 {
 }
diff --git a/indra/llcommon/lluri.h b/indra/llcommon/lluri.h
index 9e44cc7da2..b8fca0ca51 100644
--- a/indra/llcommon/lluri.h
+++ b/indra/llcommon/lluri.h
@@ -158,6 +158,14 @@ public:
 		bool is_allowed_sorted = false);
 
 	/**
+	 * @brief Break string into data part and path or sheme
+	 * and escape path (if present) and data.
+	 * Data part is not allowed to have path related symbols
+	 * @param str The raw URI to escape.
+	 */
+	static std::string escapePathAndData(const std::string &str);
+
+	/**
 	 * @brief unescape an escaped URI string.
 	 *
 	 * @param str The escped URI to unescape.
author	andreykproductengine <andreykproductengine@lindenlab.com>	2019-04-11 20:29:50 +0300
committer	andreykproductengine <andreykproductengine@lindenlab.com>	2019-04-11 20:29:50 +0300
commit	e4a244a6cb1837d1748381e4552b5199a5782150 (patch)
tree	1e16c93c3099e0c8a2e814a4c9be050c7c4a28d5 /indra/llcommon
parent	9194a97e9460fcd3836c8e20399d50a37d4f1807 (diff)