author | Robin Appelman <icewind@owncloud.com> | 2014-08-29 17:33:10 +0200 |
committer | Robin Appelman <icewind@owncloud.com> | 2014-09-04 13:26:47 +0200 |
commit | 8605e2e6a5ac637ed552d9469f3dc31717b4ea3e (patch) | |
tree | 81bd76cad7f484c841b2c2b90757644cceb042d7 /lib | |
parent | 65608d7c9253d03ba5b56615f850f19f1fd90a49 (diff) | |
download | nextcloud-server-8605e2e6a5ac637ed552d9469f3dc31717b4ea3e.tar.gz nextcloud-server-8605e2e6a5ac637ed552d9469f3dc31717b4ea3e.zip |
Explicitly cast id and validate type
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/eventsource.php | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/private/eventsource.php b/lib/private/eventsource.php
index 22782d677e4..53947f3a2f2 100644
--- a/lib/private/eventsource.php
+++ b/lib/private/eventsource.php
@@ -40,7 +40,7 @@ class OC_EventSource implements \OCP\IEventSource {
 header('X-Accel-Buffering: no');
 $this->fallback = isset($_GET['fallback']) and $_GET['fallback'] == 'true';
 if ($this->fallback) {
- $this->fallBackId = $_GET['fallback_id'];
+ $this->fallBackId = (int)$_GET['fallback_id'];
 header("Content-Type: text/html");
 echo str_repeat('<span></span>' . PHP_EOL, 10); //dummy data to keep IE happy
 } else {
@@ -60,18 +60,21 @@ class OC_EventSource implements \OCP\IEventSource {
 * @param string $type
 * @param mixed $data
 *
+ * @throws \BadMethodCallException
 * if only one parameter is given, a typeless message will be send with that parameter as data
 */
 public function send($type, $data = null) {
+ if ($data and !preg_match('/^[A-Za-z0-9_]+$/', $type)) {
+ throw new BadMethodCallException('Type needs to be alphanumeric ('. $type .')');
+ }
 $this->init();
 if (is_null($data)) {
 $data = $type;
 $type = null;
 }
 if ($this->fallback) {
- $fallBackId = OC_Util::sanitizeHTML($this->fallBackId);
 $response = '<script type="text/javascript">window.parent.OC.EventSource.fallBackCallBack('
- . $fallBackId . ',"' . $type . '",' . OCP\JSON::encode($data) . ')</script>' . PHP_EOL;
+ . $this->fallBackId . ',"' . $type . '",' . OCP\JSON::encode($data) . ')</script>' . PHP_EOL;
 echo $response;
 } else {
 if ($type) { |
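Review bot: The new `(int)$_GET['fallback_id']` cast reads the key without an isset() guard, so a request that sets fallback but omits fallback_id raises an undefined-index notice before the cast yields 0; guard it with `$this->fallBackId = isset($_GET['fallback_id']) ? (int)$_GET['fallback_id'] : 0;`. Casting to int is the right fix here, since this value is later emitted into an inline script and an integer cannot carry markup. Separately, the context line two above uses `and`, which binds looser than `=`, so as written `$this->fallback` appears to receive only the isset() result and the `== 'true'` comparison is discarded; `&&` would give the intended meaning, though this predates the commit. The enclosing constructor continues outside the hunk.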
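Review bot: The added type check at the top of send() runs only when `$data` is truthy, so calls such as send($type, 0), send($type, '') or send($type, false) skip validation yet still keep `$type` as the event name, because the later is_null() test does not reset it; that unvalidated `$type` is then concatenated verbatim into the inline `<script>` string in the fallback branch, which is the very injection the regex is meant to prevent. The guard should use the same null test the function already relies on: `if ($data !== null && !preg_match('/^[A-Za-z0-9_]+$/', $type)) {`. Removing OC_Util::sanitizeHTML() on fallBackId is fine now that the constructor casts it to int, provided the cast stays. send() continues outside the hunk.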