akira
/
pdfjs-dist
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Deprecate the `isValidUrl` utility function and replace it with `createValidAbsoluteUrl`/`isValidProtocal` functions instead, since the main URL validation is now done using the `new URL` constructor

Jonas Jenwald 9 years ago
parent
42f07c6262
commit
71a781ee5c
7 changed files with 49 additions and 31 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      src/core/obj.js
  2. 9
      src/display/dom_utils.js
  3. 2
      src/display/global.js
  4. 4
      src/main_loader.js
  5. 4
      src/pdf.js
  6. 46
      src/shared/util.js
  7. 3
      web/download_manager.js

12
src/core/obj.js
Unescape View File

@ -48,7 +48,7 @@ var shadow = sharedUtil.shadow; @@ -48,7 +48,7 @@ var shadow = sharedUtil.shadow;
var stringToPDFString = sharedUtil.stringToPDFString;
var stringToUTF8String = sharedUtil.stringToUTF8String;
var warn = sharedUtil.warn;
var isValidUrl = sharedUtil.isValidUrl;
var createValidAbsoluteUrl = sharedUtil.createValidAbsoluteUrl;
var Util = sharedUtil.Util;
var Ref = corePrimitives.Ref;
var RefSet = corePrimitives.RefSet;
@ -694,13 +694,9 @@ var Catalog = (function CatalogClosure() { @@ -694,13 +694,9 @@ var Catalog = (function CatalogClosure() {
if (isString(url)) {
url = tryConvertUrlEncoding(url);
var absoluteUrl;
try {
absoluteUrl = new URL(url).href;
} catch (ex) { /* `new URL()` will throw on incorrect data. */ }
if (isValidUrl(absoluteUrl, /* allowRelative = */ false)) {
resultObj.url = absoluteUrl;
var absoluteUrl = createValidAbsoluteUrl(url);
if (absoluteUrl) {
resultObj.url = absoluteUrl.href;
}
resultObj.unsafeUrl = url;
}

9
src/display/dom_utils.js
Unescape View File

@ -28,6 +28,8 @@ @@ -28,6 +28,8 @@
var removeNullCharacters = sharedUtil.removeNullCharacters;
var warn = sharedUtil.warn;
var deprecated = sharedUtil.deprecated;
var createValidAbsoluteUrl = sharedUtil.createValidAbsoluteUrl;
/**
* Optimised CSS custom property getter/setter.
@ -229,9 +231,16 @@ function isExternalLinkTargetSet() { @@ -229,9 +231,16 @@ function isExternalLinkTargetSet() {
}
}
function isValidUrl(url, allowRelative) {
deprecated('isValidUrl(), please use createValidAbsoluteUrl() instead.');
var baseUrl = allowRelative ? 'http://example.com' : null;
return createValidAbsoluteUrl(url, baseUrl) !== null;
}
exports.CustomStyle = CustomStyle;
exports.addLinkAttributes = addLinkAttributes;
exports.isExternalLinkTargetSet = isExternalLinkTargetSet;
exports.isValidUrl = isValidUrl;
exports.getFilenameFromUrl = getFilenameFromUrl;
exports.LinkTarget = LinkTarget;
exports.hasCanvasTypedArrays = hasCanvasTypedArrays;

2
src/display/global.js
Unescape View File

@ -76,7 +76,7 @@ @@ -76,7 +76,7 @@
PDFJS.VERBOSITY_LEVELS = sharedUtil.VERBOSITY_LEVELS;
PDFJS.OPS = sharedUtil.OPS;
PDFJS.UNSUPPORTED_FEATURES = sharedUtil.UNSUPPORTED_FEATURES;
PDFJS.isValidUrl = sharedUtil.isValidUrl;
PDFJS.isValidUrl = displayDOMUtils.isValidUrl;
PDFJS.shadow = sharedUtil.shadow;
PDFJS.createBlob = sharedUtil.createBlob;
PDFJS.createObjectURL = function PDFJS_createObjectURL(data, contentType) {

4
src/main_loader.js
Unescape View File

@ -55,12 +55,12 @@ @@ -55,12 +55,12 @@
exports.UnexpectedResponseException = sharedUtil.UnexpectedResponseException;
exports.OPS = sharedUtil.OPS;
exports.UNSUPPORTED_FEATURES = sharedUtil.UNSUPPORTED_FEATURES;
exports.isValidUrl = sharedUtil.isValidUrl;
exports.isValidUrl = displayDOMUtils.isValidUrl;
exports.createValidAbsoluteUrl = sharedUtil.createValidAbsoluteUrl;
exports.createObjectURL = sharedUtil.createObjectURL;
exports.removeNullCharacters = sharedUtil.removeNullCharacters;
exports.shadow = sharedUtil.shadow;
exports.createBlob = sharedUtil.createBlob;
exports.getFilenameFromUrl = displayDOMUtils.getFilenameFromUrl;
exports.addLinkAttributes = displayDOMUtils.addLinkAttributes;
}));

4
src/pdf.js
Unescape View File

@ -64,7 +64,9 @@ @@ -64,7 +64,9 @@
exports.OPS = pdfjsLibs.pdfjsSharedUtil.OPS;
exports.UNSUPPORTED_FEATURES =
pdfjsLibs.pdfjsSharedUtil.UNSUPPORTED_FEATURES;
exports.isValidUrl = pdfjsLibs.pdfjsSharedUtil.isValidUrl;
exports.isValidUrl = pdfjsLibs.pdfjsDisplayDOMUtils.isValidUrl;
exports.createValidAbsoluteUrl =
pdfjsLibs.pdfjsSharedUtil.createValidAbsoluteUrl;
exports.createObjectURL = pdfjsLibs.pdfjsSharedUtil.createObjectURL;
exports.removeNullCharacters =
pdfjsLibs.pdfjsSharedUtil.removeNullCharacters;

46
src/shared/util.js
Unescape View File

@ -332,30 +332,42 @@ function isSameOrigin(baseUrl, otherUrl) { @@ -332,30 +332,42 @@ function isSameOrigin(baseUrl, otherUrl) {
return base.origin === other.origin;
}
// Validates if URL is safe and allowed, e.g. to avoid XSS.
function isValidUrl(url, allowRelative) {
if (!url || typeof url !== 'string') {
// Checks if URLs use one of the whitelisted protocols, e.g. to avoid XSS.
function isValidProtocol(url) {
if (!url) {
return false;
}
// RFC 3986 (http://tools.ietf.org/html/rfc3986#section-3.1)
// scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
var protocol = /^[a-z][a-z0-9+\-.]*(?=:)/i.exec(url);
if (!protocol) {
return allowRelative;
}
protocol = protocol[0].toLowerCase();
switch (protocol) {
case 'http':
case 'https':
case 'ftp':
case 'mailto':
case 'tel':
switch (url.protocol) {
case 'http:':
case 'https:':
case 'ftp:':
case 'mailto:':
case 'tel:':
return true;
default:
return false;
}
}
/**
* Attempts to create a valid absolute URL (utilizing `isValidProtocol`).
* @param {URL|string} url - An absolute, or relative, URL.
* @param {URL|string} baseUrl - An absolute URL.
* @returns Either a valid {URL}, or `null` otherwise.
*/
function createValidAbsoluteUrl(url, baseUrl) {
if (!url) {
return null;
}
try {
var absoluteUrl = baseUrl ? new URL(url, baseUrl) : new URL(url);
if (isValidProtocol(absoluteUrl)) {
return absoluteUrl;
}
} catch (ex) { /* `new URL()` will throw on incorrect data. */ }
return null;
}
function shadow(obj, prop, value) {
Object.defineProperty(obj, prop, { value: value,
enumerable: true,
@ -2431,7 +2443,7 @@ exports.isNum = isNum; @@ -2431,7 +2443,7 @@ exports.isNum = isNum;
exports.isString = isString;
exports.isSpace = isSpace;
exports.isSameOrigin = isSameOrigin;
exports.isValidUrl = isValidUrl;
exports.createValidAbsoluteUrl = createValidAbsoluteUrl;
exports.isLittleEndian = isLittleEndian;
exports.isEvalSupported = isEvalSupported;
exports.loadJpegStream = loadJpegStream;

3
web/download_manager.js
Unescape View File

@ -67,10 +67,9 @@ if (typeof PDFJSDev === 'undefined' || PDFJSDev.test('GENERIC || CHROME')) { @@ -67,10 +67,9 @@ if (typeof PDFJSDev === 'undefined' || PDFJSDev.test('GENERIC || CHROME')) {
DownloadManager.prototype = {
downloadUrl: function DownloadManager_downloadUrl(url, filename) {
if (!pdfjsLib.isValidUrl(url, true)) {
if (!pdfjsLib.createValidAbsoluteUrl(url, 'http://example.com')) {
return; // restricted/invalid URL
}
download(url + '#pdfjs.action=download', filename);
},

Write Preview
Loading…
Cancel
Save