HttpUploadManager: Only allow https urls (#478)

author: Jonah Brüchert <jbb@kaidan.im> 2022-09-29 19:10:52 +0200
committer: Linus Jahn <lnj@kaidan.im> 2022-09-29 19:14:46 +0200
commit: bd196fa5d04bd133fc7fcf8f6dc7a7281d0f41a0 (patch)
tree: ffd208fa674127008070e4e206547aa2741f1180 /src/client/QXmppHttpUploadManager.cpp
parent: 2d21b72fa52a71f9e651ea6c00186c0db9afa101 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/client/QXmppHttpUploadManager.cpp b/src/client/QXmppHttpUploadManager.cpp
index 5723246d..728956e5 100644
--- a/src/client/QXmppHttpUploadManager.cpp
+++ b/src/client/QXmppHttpUploadManager.cpp
@@ -316,6 +316,14 @@ std::shared_ptr<QXmppHttpUpload> QXmppHttpUploadManager::uploadFile(QIODevice *d
             upload->d->reportFinished();
         } else {
             auto slot = std::get<QXmppHttpUploadSlotIq>(std::move(result));
+
+            if (slot.getUrl().scheme() != "https" || slot.putUrl().scheme() != "https") {
+                auto message = QStringLiteral("The server replied with an insecure non-https url. This is forbidden by XEP-0363.");
+                upload->d->reportError(QXmppError { std::move(message), {} });
+                upload->d->reportFinished();
+                return;
+            }
+
             upload->d->getUrl = slot.getUrl();
 
             QNetworkRequest request(slot.putUrl());
author	Jonah Brüchert <jbb@kaidan.im>	2022-09-29 19:10:52 +0200
committer	Linus Jahn <lnj@kaidan.im>	2022-09-29 19:14:46 +0200
commit	bd196fa5d04bd133fc7fcf8f6dc7a7281d0f41a0 (patch)
tree	ffd208fa674127008070e4e206547aa2741f1180 /src/client/QXmppHttpUploadManager.cpp
parent	2d21b72fa52a71f9e651ea6c00186c0db9afa101 (diff)