From 99ff49d502a65eacecdf2a59dbbada7cda119909 Mon Sep 17 00:00:00 2001
From: Andrew Bettison
Date: Sat, 28 Mar 2015 05:05:48 +1030
Subject: [PATCH] /restful/rhizome/insert reject out-of-order parameters

Must have the 'bundle-secret', 'bundle-author' and 'bundle-id' parameters before the 'manifest' part
---
 rhizome_restful.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/rhizome_restful.c b/rhizome_restful.c
index 8ebf3b88..84ecb2b1 100644
--- a/rhizome_restful.c
+++ b/rhizome_restful.c
@@ -451,18 +451,27 @@ static int insert_mime_part_header(struct http_request *hr, const struct mime_pa
 if (strcmp(h->content_disposition.name, PART_AUTHOR) == 0) {
 if (r->u.insert.received_author)
 return http_response_form_part(r, "Duplicate", PART_AUTHOR, NULL, 0);
+ // Reject a request if this parameter comes after the manifest part.
+ if (r->u.insert.received_manifest)
+ return http_response_form_part(r, "Spurious", PART_AUTHOR, NULL, 0);
 r->u.insert.current_part = PART_AUTHOR;
 assert(r->u.insert.author_hex_len == 0);
 } else if (strcmp(h->content_disposition.name, PART_SECRET) == 0) {
 if (r->u.insert.received_secret)
 return http_response_form_part(r, "Duplicate", PART_SECRET, NULL, 0);
+ // Reject a request if this parameter comes after the manifest part.
+ if (r->u.insert.received_manifest)
+ return http_response_form_part(r, "Spurious", PART_SECRET, NULL, 0);
 r->u.insert.current_part = PART_SECRET;
 assert(r->u.insert.secret_text_len == 0);
 } else if (strcmp(h->content_disposition.name, PART_BUNDLEID) == 0) {
 if (r->u.insert.received_bundleid)
 return http_response_form_part(r, "Duplicate", PART_BUNDLEID, NULL, 0);
+ // Reject a request if this parameter comes after the manifest part.
+ if (r->u.insert.received_manifest)
+ return http_response_form_part(r, "Spurious", PART_BUNDLEID, NULL, 0);
 r->u.insert.current_part = PART_BUNDLEID;
 assert(r->u.insert.bid_text_len == 0);
 }