From bd196fa5d04bd133fc7fcf8f6dc7a7281d0f41a0 Mon Sep 17 00:00:00 2001
From: Jonah BrĂ¼chert
Date: Thu, 29 Sep 2022 19:10:52 +0200
Subject: HttpUploadManager: Only allow https urls (#478)
---
 src/client/QXmppHttpUploadManager.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src')
diff --git a/src/client/QXmppHttpUploadManager.cpp b/src/client/QXmppHttpUploadManager.cpp
index 5723246d..728956e5 100644
--- a/src/client/QXmppHttpUploadManager.cpp
+++ b/src/client/QXmppHttpUploadManager.cpp
@@ -316,6 +316,14 @@ std::shared_ptr QXmppHttpUploadManager::uploadFile(QIODevice *d
 upload->d->reportFinished();
 } else {
 auto slot = std::get(std::move(result));
+
+ if (slot.getUrl().scheme() != "https" || slot.putUrl().scheme() != "https") {
+ auto message = QStringLiteral("The server replied with an insecure non-https url. This is forbidden by XEP-0363.");
+ upload->d->reportError(QXmppError { std::move(message), {} });
+ upload->d->reportFinished();
+ return;
+ }
+
 upload->d->getUrl = slot.getUrl();
 QNetworkRequest request(slot.putUrl());
--
cgit v1.2.3
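Review bot: The scheme comparison in the added `if` uses bare `"https"` literals, which relies on the implicit `const char *` to `QString` conversion and stops compiling when `QT_NO_CAST_FROM_ASCII` is defined; the following line already uses `QStringLiteral`, so `slot.getUrl().scheme() != QLatin1String("https") || slot.putUrl().scheme() != QLatin1String("https")` would be consistent with it. The check itself fails closed, since an empty or invalid URL has an empty scheme and is rejected. It covers only the two URLs in the slot reply: whether the PUT issued from `request` can follow a redirect to a non-https location depends on the redirect policy set on the request, which is outside this hunk and worth confirming. The enclosing callback starts and ends outside the hunk.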