enforce valid payto:// URI in exchange /wire response

2022-05-18 18:05:32 +02:00 · 2022-05-18 18:05:32 +02:00 · 344c53c51d
commit 344c53c51d
parent 492d501570
4 changed files with 58 additions and 1 deletions
--- a/contrib/gana
+++ b/contrib/gana
@ -1 +1 @@
-Subproject commit fa6373d8e2432cd63da881e05f4100240e688cdf
+Subproject commit 99d8d9e0336bacebab5af4ae00c3f685ffd90f60
--- a/src/exchange-tools/taler-exchange-offline.c
+++ b/src/exchange-tools/taler-exchange-offline.c
@ -1395,6 +1395,20 @@ upload_wire_add (const char *exchange_url,
    }
    GNUNET_free (wire_method);
  }
+  {
+    char *msg = TALER_payto_validate (payto_uri);
+
+    if (NULL != msg)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "payto URI is malformed: %s\n",
+                  msg);
+      GNUNET_free (msg);
+      test_shutdown ();
+      global_ret = EXIT_INVALIDARGUMENT;
+      return;
+    }
+  }
  war = GNUNET_new (struct WireAddRequest);
  war->idx = idx;
  war->h =
@ -2460,6 +2474,20 @@ do_add_wire (char *const *args)
  if (GNUNET_OK !=
      load_offline_key (GNUNET_NO))
    return;
+  {
+    char *msg = TALER_payto_validate (args[0]);
+
+    if (NULL != msg)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "payto URI is malformed: %s\n",
+                  msg);
+      GNUNET_free (msg);
+      test_shutdown ();
+      global_ret = EXIT_INVALIDARGUMENT;
+      return;
+    }
+  }
  now = GNUNET_TIME_timestamp_get ();
  {
    char *wire_method;
--- a/src/exchange/taler-exchange-httpd_management_wire_enable.c
+++ b/src/exchange/taler-exchange-httpd_management_wire_enable.c
@ -166,6 +166,23 @@ TEH_handler_management_post_wire (
      return MHD_YES; /* failure */
  }
  TEH_METRICS_num_verifications[TEH_MT_SIGNATURE_EDDSA]++;
+  {
+    char *msg = TALER_payto_validate (awc.payto_uri);
+
+    if (NULL != msg)
+    {
+      MHD_RESULT ret;
+
+      GNUNET_break_op (0);
+      ret = TALER_MHD_reply_with_error (
+        connection,
+        MHD_HTTP_BAD_REQUEST,
+        TALER_EC_GENERIC_PAYTO_URI_MALFORMED,
+        msg);
+      GNUNET_free (msg);
+      return ret;
+    }
+  }
  if (GNUNET_OK !=
      TALER_exchange_offline_wire_add_verify (awc.payto_uri,
                                              awc.validity_start,
--- a/src/lib/exchange_api_management_wire_enable.c
+++ b/src/lib/exchange_api_management_wire_enable.c
@ -138,6 +138,18 @@ TALER_EXCHANGE_management_enable_wire (
  CURL *eh;
  json_t *body;

+  {
+    char *msg = TALER_payto_validate (payto_uri);
+
+    if (NULL != msg)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "payto URI is malformed: %s\n",
+                  msg);
+      GNUNET_free (msg);
+      return NULL;
+    }
+  }
  wh = GNUNET_new (struct TALER_EXCHANGE_ManagementWireEnableHandle);
  wh->cb = cb;
  wh->cb_cls = cb_cls;