Changeset 7749 in josm for trunk/src


Ignore:
Timestamp:
2014-11-26T13:50:31+01:00 (10 years ago)
Author:
bastiK
Message:

remotecontrol /import: only allow whitelisted download tasks to be called from remotecontrol

Turned off import of session files for now.
I think it is not really an issue at the moment but as new features are added,
this may accidentally get overlooked.
E.g. any javascript execution with rhino engine as we currently do for loading of
preference snippets is a no-go.

In order to enable remotecontrol for a plugin download-task, override the method
isSafeForRemotecontrolRequests() in AbstractDownloadTask or derive from a
class that is already whitelisted (e.g. DownloadOsmTask).

Location:
trunk/src/org/openstreetmap/josm
Files:
8 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/org/openstreetmap/josm/actions/OpenLocationAction.java

    r7531 r7749  
    131131     * Replies the list of download tasks accepting the given url.
    132132     * @param url The URL to open
     133     * @param isRemotecontrol True if download request comes from remotecontrol.
    133134     * @return The list of download tasks accepting the given url.
    134135     * @since 5691
    135136     */
    136     public Collection<DownloadTask> findDownloadTasks(final String url) {
     137    public Collection<DownloadTask> findDownloadTasks(final String url, boolean isRemotecontrol) {
    137138        List<DownloadTask> result = new ArrayList<>();
    138139        for (Class<? extends DownloadTask> taskClass : downloadTasks) {
     
    140141                try {
    141142                    DownloadTask task = taskClass.getConstructor().newInstance();
    142                     if (task.acceptsUrl(url)) {
     143                    if (task.acceptsUrl(url, isRemotecontrol)) {
    143144                        result.add(task);
    144145                    }
     
    179180    public void openUrl(boolean new_layer, final String url) {
    180181        PleaseWaitProgressMonitor monitor = new PleaseWaitProgressMonitor(tr("Download Data"));
    181         Collection<DownloadTask> tasks = findDownloadTasks(url);
     182        Collection<DownloadTask> tasks = findDownloadTasks(url, false);
    182183        DownloadTask task = null;
    183184        Future<?> future = null;

  • trunk/src/org/openstreetmap/josm/actions/downloadtasks/AbstractDownloadTask.java

    r7005 r7749  
    6868
    6969    // Can be overridden for more complex checking logic
    70     @Override
    7170    public boolean acceptsUrl(String url) {
    7271        if (url==null) return false;
     
    7776        }
    7877        return false;
     78    }
     79
     80    /**
     81     * Check / decide if the task is safe for remotecontrol.
     82     *
     83     * Keep in mind that a potential attacker has full control over the content
     84     * of the file that will be downloaded.
     85     * If it is possible to run arbitrary code or write to the local file
     86     * system, then the task is (obviously) not save for remote execution.
     87     *
     88     * The default value is false = unsafe. Override in a subclass to
     89     * allow running the task via remotecontol.
     90     *
     91     * @return true if it is safe to download and open any file of the
     92     * corresponding format, false otherwise
     93     */
     94    public boolean isSafeForRemotecontrolRequests() {
     95        return false;
     96    }
     97
     98    @Override
     99    public boolean acceptsUrl(String url, boolean isRemotecontrol) {
     100        if (isRemotecontrol && !isSafeForRemotecontrolRequests()) return false;
     101        return acceptsUrl(url);
    79102    }
    80103

  • trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadGpsTask.java

    r7597 r7749  
    198198    }
    199199
     200    @Override
     201    public boolean isSafeForRemotecontrolRequests() {
     202        return true;
     203    }
     204
    200205    /**
    201206     * Determines if the given URL denotes an OSM gpx-related API call.

  • trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadNotesTask.java

    r7608 r7749  
    6767    }
    6868
     69    @Override
     70    public boolean isSafeForRemotecontrolRequests() {
     71        return true;
     72    }
     73
    6974    abstract class DownloadTask extends PleaseWaitRunnable {
    7075        protected OsmServerReader reader;

  • trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadOsmTask.java

    r7637 r7749  
    169169    }
    170170
     171    @Override
     172    public boolean isSafeForRemotecontrolRequests() {
     173        return true;
     174    }
     175
    171176    /**
    172177     * Superclass of internal download task.

  • trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadSessionTask.java

    r7004 r7749  
    7272        return null;
    7373    }
     74
     75    /**
     76     * Do not allow to load a session file via remotecontrol.
     77     *
     78     * Session importers can be added by plugins and there is currently
     79     * no way to ensure that these are safe for remotecontol.
     80     * @return
     81     */
     82    @Override
     83    public boolean isSafeForRemotecontrolRequests() {
     84        return Main.pref.getBoolean("remotecontrol.import.allow_session", false);
     85    }
    7486}

  • trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadTask.java

    r6830 r7749  
    7575     * Returns true if the task is able to open the given URL, false otherwise.
    7676     * @param url the url to download from
     77     * @param isRemotecontrol True if download request comes from remotecontrol.
    7778     * @return True if the task is able to open the given URL, false otherwise.
     79     * Return false, if the request comes from remotecontrol, but the task is not
     80     * safe for remotecontrol.
     81     * A task is not safe for remotecontrol if it is possible to prepare a file
     82     * for download which does something unintended, e.g. gain access to the
     83     * local file system.
    7884     */
    79     boolean acceptsUrl(String url);
     85    boolean acceptsUrl(String url, boolean isRemotecontrol);
    8086
    8187    /**

  • trunk/src/org/openstreetmap/josm/io/remotecontrol/handler/ImportHandler.java

    r7005 r7749  
    125125        }
    126126        // Find download tasks for the given URL
    127         suitableDownloadTasks = Main.main.menu.openLocation.findDownloadTasks(urlString);
     127        suitableDownloadTasks = Main.main.menu.openLocation.findDownloadTasks(urlString, true);
    128128        if (suitableDownloadTasks.isEmpty()) {
    129129            // It should maybe be better to reject the request in that case ?
Note: See TracChangeset for help on using the changeset viewer.