/* The software in this package is distributed under the GNU General Public License version 2 (with a special exception described below). A copy of GNU General Public License (GPL) is included in this distribution, in the file COPYING.GPL. As a special exception, if other files instantiate templates or use macros or inline functions from this file, or you compile this file and link it with other works to produce a work based on this file, this file does not by itself cause the resulting work to be covered by the GNU General Public License. However the source code for this file must still be made available in accordance with section (3) of the GNU General Public License. This exception does not invalidate any other reasons why a work based on this file might be covered by the GNU General Public License. */ /** @file * @brief restricts html messages to an allowed group of tags. * * @copyright © Copyright 2017 Intra2net AG * */ #include #include #include #include #include #include #include #include "crypto.hxx" #include "filefunc.hxx" using namespace std; namespace I2n { /** * @brief Replace all "+" characters found in s to spaces (" "). * * @param s string that will be modified. */ static void unescape_space(string &s) { string::size_type pos; while ((pos=s.find('+')) != string::npos) s[pos]=' '; } /** * @brief Converts a hexadecimal sequence to its respective character. * * @param s string of size 2. Example: "77" * @return respective character represented by the hex sequence. */ static char x2c(const string& s) { char digit; digit=(s[0]>='A' ? ((s[0] & 0xdf)-'A')+10 : (s[0]-'0')); digit*=16; digit+=(s[1]>='A' ? ((s[1] & 0xdf)-'A')+10 : (s[1]-'0')); return digit; } /** * @brief Scan a string to find escaped hex chars in the format "%HH" and replace * for their respective character. * Example: "www%2E" becomes "www." * * @param s String that will be modified. */ static void unescape_hex(string& s) { static char hex_escape='%'; string::size_type escape_pos; string hex_seq; string rest=s; for (s=""; ((escape_pos=rest.find(hex_escape)) != string::npos);) { if (escape_pos+2(rest.length()) && ::isalnum(rest[escape_pos+1]) && ::isalnum(rest[escape_pos+2])) { hex_seq=rest.substr(escape_pos+1,2); s=s+rest.substr(0,escape_pos)+x2c(hex_seq); rest=rest.erase(0,escape_pos+3); } else { s=s+rest.substr(0,escape_pos+1); rest=rest.erase(0,escape_pos+1); } } s+=rest; } /** * @brief Decode url that contains percent-encoding. Replace space " " with "+". * Example: "%77%77%77%2E" becomes "www." * * @param s url string. * @return the decoded string. */ string decode_url(string s) { unescape_space (s); unescape_hex (s); return (s); } /** * @brief Verify if the parameter character requires encoding, If it is non * alphanumeric or valid ascii signs. * * @param c character to be verified. * @return true if the character should be encoded. */ bool needs_encoding (const char &c) { // some valid ascii signs if (c == '_' || c == '-') return false; // is digit? if (c > 47 && c < 58) return false; // is uppercase letter? if (c > 64 && c < 91) return false; // is lowercase letter? if (c > 96 && c < 123) return false; return true; } /** * @brief Encode url with percent-encoding. Any non-alphanumeric character is * converted to its hex value with the percent character (%) as prefix, except "_" * and "-". Replace space " " with "+". * * @param s url string. * @return the encoded url string. */ string encode_url(string s) { // convert non-alphanumeric characters to hex, convert space to + ostringstream out; for (string::iterator pos2=s.begin(); pos2 != s.end(); pos2++) { if (*pos2 == ' ') out << '+'; else if (needs_encoding (*pos2)) out << '%' << std::uppercase << setw(2) << setfill('0') << \ std::hex << (int)(unsigned char)*pos2; else out << (*pos2); } return out.str(); } /** * @brief Change the attribute Filename from which the SecretId is going * to be read. * * @param s custom_filename string new filename. */ void RedirectHash::set_custom_filename(string custom_filename) { Filename = custom_filename; } /** * @brief Reads the file Filename and loads the data into SecretId. */ void RedirectHash::load_secret_id() { SecretId = read_file(Filename); if (SecretId.empty()) throw runtime_error("Inexistent file or empty"); } /** * @brief Hashes the given url with the SecretId and returns a base64 hash. * * @param s &url string. * * @return base64 raw hash */ string RedirectHash::hash_url(const string &url) { if (SecretId.empty()) load_secret_id(); return base64_encode(hash_data_raw(url + SecretId, MD5)); } /** * @brief Reads a HTML file, removes all ##BEGIN_URL## and ##END_URL## tags and * adds urlauth param to the url in between these tags. * * @param s &html string. * * @return new html with the urls signed */ string RedirectHash::sign_urls(const string &html) { string ret(html); string url; string re = "##BEGIN_URL##(.*?)##END_URL##"; pcrecpp::RE re_match(re); while (re_match.PartialMatch(ret, &url)) { string hashed_url = hash_url(url); replace_all(ret, "##BEGIN_URL##" + url + "##END_URL##", encode_url(url) + "&urlauth=" + encode_url(hashed_url)); } return ret; } /** * @brief Validates if the given url is the correspondent url to the given * authtag hash. * * @param s &url string; * &authtag string hash; * * @return bool true if the given url is the correspondent url to the * authtag hash, else returns false */ bool RedirectHash::validate_redirect_authtag(const string &url, const string &authtag) { return authtag == hash_url(url); } } // eo namespace I2n