fix: bypass form action error

fix #47
pull/67/head
sualko 2020-08-25 13:17:35 +02:00
parent dad3712467
commit da8a9133d5
4 changed files with 27 additions and 30 deletions


@ -1,15 +1,3 @@
<?php
OCP\Util::addScript('bbb', 'filelist');
$apiUrl = \OC::$server->getConfig()->getAppValue('bbb', 'api.url');
$parsedApiUrl = @parse_url($apiUrl);
if ($parsedApiUrl !== false) {
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy();
$policy->addAllowedFormActionDomain(($parsedApiUrl['scheme'] ?: 'https') . '://' . $parsedApiUrl['host']);
$manager->addDefaultPolicy($policy);
}


@ -117,26 +117,19 @@ class JoinController extends Controller {
'wrongPassword' => $password !== $room->password && $password !== '',
], 'guest');
$this->addFormActionDomain($response);
return $response;
}
$creationDate = $this->api->createMeeting($room, $presentation);
$joinUrl = $this->api->createJoinUrl($room, $creationDate, $displayname, $userId);
return new RedirectResponse($joinUrl);
}
\OCP\Util::addHeader('meta', ['http-equiv' => 'refresh', 'content' => '3;url='.$joinUrl]);
private function addFormActionDomain($response) {
$apiUrl = $this->config->getAppValue($this->appName, 'api.url');
$parsedApiUrl = parse_url($apiUrl);
if ($parsedApiUrl === false) {
throw new \Exception('No valid api url provided');
}
$response->getContentSecurityPolicy()->addAllowedFormActionDomain(($parsedApiUrl['scheme'] ?: 'https') . '://' . $parsedApiUrl['host']);
return new TemplateResponse($this->appName, 'forward', [
'room' => $room->name,
'url' => $joinUrl,
], 'guest');
;
}
private function getRoom(): ?Room {
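Review bot: The meta refresh added at `\OCP\Util::addHeader('meta', ['http-equiv' => 'refresh', 'content' => '3;url='.$joinUrl])` places the join URL inside an attribute value with no escaping visible in this hunk, and `$joinUrl` comes from `createJoinUrl`, which takes the caller-supplied `$displayname`. Nextcloud's addHeader is expected to escape attribute values when the layout renders them, but that is not verifiable from this page, so either confirm that `createJoinUrl` percent-encodes the display name or leave a comment at the call site such as `// join URL lands in an attribute value; relies on addHeader escaping it`. The `;` standing alone after the `return new TemplateResponse(...)` statement is an empty statement if it is on the new side and not a rendering artifact, and should be dropped. The enclosing method starts before this hunk and `getRoom()` continues after it.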

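--- a/templates/forward.php
+++ b/templates/forward.php
@@ -0,0 +1,12 @@
+<?php
+/** @var $_ array */
+/** @var $l \OCP\IL10N */
+style('core', 'guest');
+?>
+<div class="update bbb">
+<h2><?php p($_['room']) ?></h2>
+<p><?php p($l->t('You will be forwarded to the room in the next few seconds.')); ?><br />
+<br />
+<a href="<?php print_unescaped($_['url']); ?>"><?php p($l->t('Let\'s go!')); ?></a></p>
+</div>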
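Review bot: `print_unescaped($_['url'])` in the `href` writes the join URL into an attribute value verbatim, so any `"` or `<` that `createJoinUrl` lets through from the user-supplied display name terminates the attribute early; `p($_['url'])` is the right call here, because HTML-escaping an attribute value keeps the URL usable (the browser decodes `&amp;` back to `&`). Whether `createJoinUrl` percent-encodes its parameters is not visible on this page, so escaping at the output site is the cheaper guarantee. The `room` value on the line above already goes through `p()`, so the two would then be consistent.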


@ -104,8 +104,9 @@ class JoinControllerTest extends TestCase {
$result = $this->controller->index(null);
$this->assertInstanceOf(RedirectResponse::class, $result);
$this->assertEquals($url, $result->getRedirectURL());
$this->assertInstanceOf(TemplateResponse::class, $result);
$this->assertEquals('forward', $result->getTemplateName());
$this->assertEquals($url, $result->getParams()['url']);
}
public function testUserNeedsToAuthenticateForInternal() {
@ -189,7 +190,9 @@ class JoinControllerTest extends TestCase {
$response = $this->controller->index('Foo Bar');
$this->assertInstanceOf(RedirectResponse::class, $response);
$this->assertInstanceOf(TemplateResponse::class, $response);
$this->assertEquals('forward', $response->getTemplateName());
$this->assertEquals($url, $response->getParams()['url']);
}
private function invalidDisplayname($displayname) {
@ -229,7 +232,8 @@ class JoinControllerTest extends TestCase {
$response = $this->controller->index('Foo Bar', '', '', 'asdf');
$this->assertInstanceOf(RedirectResponse::class, $response);
$this->assertEquals($url, $response->getRedirectURL());
$this->assertInstanceOf(TemplateResponse::class, $response);
$this->assertEquals('forward', $response->getTemplateName());
$this->assertEquals($url, $response->getParams()['url']);
}
}
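Review bot: The same three assertions — `assertInstanceOf(TemplateResponse::class, ...)`, `assertEquals('forward', ...->getTemplateName())`, `assertEquals($url, ...->getParams()['url'])` — are now repeated in all three hunks of this file; a small private helper keeps them in one place and makes it natural to also check the `room` parameter the template prints, which none of the hunks asserts. The meta refresh header the controller now registers is not covered either, though it may not be observable through the response object.
```php
private function assertForwardResponse($response, string $url): void
{
    $this->assertInstanceOf(TemplateResponse::class, $response);
    $this->assertEquals('forward', $response->getTemplateName());
    $this->assertEquals($url, $response->getParams()['url']);
    // also worth asserting: $response->getParams()['room'] against the fixture's room name
}
// … unchanged: each test then calls $this->assertForwardResponse($result, $url); …
```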