From e76b5643effc0a38c28a561ce403c97033419398 Mon Sep 17 00:00:00 2001 From: Mnikolenko Productengine Date: Wed, 10 Aug 2016 13:31:25 +0300 Subject: MAINT-6608 FIXED URI parser problem with links with username, password --- indra/llui/llurlentry.cpp | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'indra/llui/llurlentry.cpp') diff --git a/indra/llui/llurlentry.cpp b/indra/llui/llurlentry.cpp index e4848362a7..797fae81c4 100644 --- a/indra/llui/llurlentry.cpp +++ b/indra/llui/llurlentry.cpp @@ -205,9 +205,15 @@ std::string LLUrlEntryBase::urlToGreyQuery(const std::string &url) const std::string label; up.extractParts(); - up.glueFirst(label); - std::string query = url.substr(label.size()); - return query; + up.glueFirst(label, false); + + size_t pos = url.find(label); + if (pos == std::string::npos) + { + return ""; + } + pos += label.size(); + return url.substr(pos); } -- cgit v1.2.3 From 377683a8ed85a0f6dcf78ba0d3c78f2fd9fff5d7 Mon Sep 17 00:00:00 2001 From: Mnikolenko Productengine Date: Tue, 23 Aug 2016 13:01:19 +0300 Subject: MAINT-6648 FIXED [SECURITY] Link tags do not filter unicode and allow for easy URL spoofing. --- indra/llui/llurlentry.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'indra/llui/llurlentry.cpp') diff --git a/indra/llui/llurlentry.cpp b/indra/llui/llurlentry.cpp index 797fae81c4..27a2456deb 100644 --- a/indra/llui/llurlentry.cpp +++ b/indra/llui/llurlentry.cpp @@ -183,8 +183,9 @@ bool LLUrlEntryBase::isLinkDisabled() const bool LLUrlEntryBase::isWikiLinkCorrect(std::string url) { - std::string label = getLabelFromWikiLink(url); - return (LLUrlRegistry::instance().hasUrl(label)) ? false : true; + LLWString label = utf8str_to_wstring(getLabelFromWikiLink(url)); + label.erase(std::remove(label.begin(), label.end(), L'\u200B'), label.end()); + return (LLUrlRegistry::instance().hasUrl(wstring_to_utf8str(label))) ? false : true; } std::string LLUrlEntryBase::urlToLabelWithGreyQuery(const std::string &url) const -- cgit v1.2.3