add checks to ensure payto:// URI is well-formed to taler-exchange-offline, and taler-exchange-httpd where applicable (fixes #6675)

2021-01-06 15:52:12 +01:00 · 2021-01-06 15:52:12 +01:00 · 73a9fe56eb
commit 73a9fe56eb
parent 1f91211263
3 changed files with 58 additions and 0 deletions
--- a/src/exchange-tools/taler-exchange-offline.c
+++ b/src/exchange-tools/taler-exchange-offline.c
@ -1236,6 +1236,21 @@ upload_wire_add (const char *exchange_url,
    test_shutdown ();
    return;
  }
+  {
+    char *wire_method;
+
+    wire_method = TALER_payto_get_method (payto_uri);
+    if (NULL == wire_method)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "payto:// URI `%s' is malformed\n",
+                  payto_uri);
+      global_ret = 7;
+      test_shutdown ();
+      return;
+    }
+    GNUNET_free (wire_method);
+  }
  war = GNUNET_new (struct WireAddRequest);
  war->idx = idx;
  war->h =
@ -2043,6 +2058,21 @@ do_add_wire (char *const *args)
  now = GNUNET_TIME_absolute_get ();
  (void) GNUNET_TIME_round_abs (&now);

+  {
+    char *wire_method;
+
+    wire_method = TALER_payto_get_method (args[0]);
+    if (NULL == wire_method)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "payto:// URI `%s' is malformed\n",
+                  args[0]);
+      global_ret = 7;
+      test_shutdown ();
+      return;
+    }
+    GNUNET_free (wire_method);
+  }
  TALER_exchange_offline_wire_add_sign (args[0],
                                        now,
                                        &master_priv,
--- a/src/exchange/taler-exchange-httpd_management_wire.c
+++ b/src/exchange/taler-exchange-httpd_management_wire.c
@ -195,6 +195,23 @@ TEH_handler_management_denominations_wire (
      TALER_EC_EXCHANGE_MANAGEMENT_WIRE_DETAILS_SIGNATURE_INVALID,
      NULL);
  }
+  {
+    char *wire_method;
+
+    wire_method = TALER_payto_get_method (awc.payto_uri);
+    if (NULL == wire_method)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "payto:// URI `%s' is malformed\n",
+                  awc.payto_uri);
+      return TALER_MHD_reply_with_error (
+        connection,
+        MHD_HTTP_BAD_REQUEST,
+        TALER_EC_GENERIC_PARAMETER_MALFORMED,
+        "payto_uri");
+    }
+    GNUNET_free (wire_method);
+  }

  qs = TEH_DB_run_transaction (connection,
                               "add wire",
--- a/src/exchange/taler-exchange-httpd_wire.c
+++ b/src/exchange/taler-exchange-httpd_wire.c
@ -232,6 +232,15 @@ build_wire_state (void)
                                                                  "payto_uri"));
      GNUNET_assert (NULL != payto_uri);
      wire_method = TALER_payto_get_method (payto_uri);
+      if (NULL == wire_method)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                    "payto:// URI `%s' stored in our database is malformed\n",
+                    payto_uri);
+        json_decref (wire_accounts_array);
+        json_decref (wire_fee_object);
+        return NULL;
+      }
      if (NULL == json_object_get (wire_fee_object,
                                   wire_method))
      {
@ -248,6 +257,7 @@ build_wire_state (void)
          json_decref (a);
          json_decref (wire_fee_object);
          json_decref (wire_accounts_array);
+          GNUNET_free (wire_method);
          return NULL;
        }
        if (0 == json_array_size (a))
@ -257,6 +267,7 @@ build_wire_state (void)
                      wire_method);
          json_decref (wire_accounts_array);
          json_decref (wire_fee_object);
+          GNUNET_free (wire_method);
          return NULL;
        }
        GNUNET_assert (0 ==