implemented several security measures when parsing GET input to the site

This commit is contained in:
DennisSchiefer 2012-03-16 09:07:03 +01:00
parent 26c9d357f0
commit 9c2a1dc37f
2 changed files with 58 additions and 33 deletions


@ -176,13 +176,17 @@ function initMap() {
// parse URL GET parameters if any exist // parse URL GET parameters if any exist
function checkURL(){ function checkURL(){
var called_url = document.location.search.substr(1,document.location.search.length); var called_url = document.location.search.substr(1,document.location.search.length);
if( called_url != '') {
var positions = [];
// reject messages that are clearly too long or too small
if( called_url.length > 1000 || called_url.length == 0)
return;
// storage for parameter values
var positions = [];
var destination = undefined; var destination = undefined;
var destination_name = undefined; var destination_name = undefined;
// parse input (currently only parses start, dest, via) // parse input
var splitted_url = called_url.split('&'); var splitted_url = called_url.split('&');
for(var i=0; i<splitted_url.length; i++) { for(var i=0; i<splitted_url.length; i++) {
var name_val = splitted_url[i].split('='); var name_val = splitted_url[i].split('=');
@ -191,26 +195,31 @@ function checkURL(){
if(name_val[0] == 'loc') { if(name_val[0] == 'loc') {
var coordinates = unescape(name_val[1]).split(','); var coordinates = unescape(name_val[1]).split(',');
if(coordinates.length==2) if(coordinates.length!=2 || !isLatitude(coordinates[0]) || !isLongitude(coordinates[1]) )
return;
positions.push ( new L.LatLng( coordinates[0], coordinates[1]) ); positions.push ( new L.LatLng( coordinates[0], coordinates[1]) );
} }
else if(name_val[0] == 'dest') { else if(name_val[0] == 'dest') {
var coordinates = unescape(name_val[1]).split(','); var coordinates = unescape(name_val[1]).split(',');
if(coordinates.length==2) if(coordinates.length!=2 || !isLatitude(coordinates[0]) || !isLongitude(coordinates[1]) )
return;
destination = new L.LatLng( coordinates[0], coordinates[1]); destination = new L.LatLng( coordinates[0], coordinates[1]);
} }
else if(name_val[0] == 'destname') else if(name_val[0] == 'destname') {
destination_name = name_val[1]; destination_name = decodeURI(name_val[1]).replace(/<\/?[^>]+(>|$)/g ,""); // discard tags
}
} }
// destination given // case 1: destination given
if( destination != undefined ) { if( destination != undefined ) {
onclickGeocoderResult("target", destination.lat, destination.lng, (destination_name == undefined) ); onclickGeocoderResult("target", destination.lat, destination.lng, (destination_name == undefined) );
if( destination_name != undefined ) if( destination_name != undefined )
document.getElementById("input-target-name").value = decodeURI(destination_name); document.getElementById("input-target-name").value = destination_name;
return; return;
} }
// case 2: locations given
if( positions != []) {
// draw via points // draw via points
if( positions.length > 0) if( positions.length > 0)
my_markers.setSource( positions[0] ); my_markers.setSource( positions[0] );
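Review bot: The new range checks on the loc and dest lines hand raw strings to isLatitude/isLongitude, so an empty or whitespace component coerces to 0 and passes (`loc=,` is accepted as a point near 0,0 instead of being rejected), and whatever L.LatLng then does with the unparsed strings is left to Leaflet. Parsing each part once with parseFloat, rejecting NaN, and passing numbers to both the checks and L.LatLng closes that gap, and a small helper removes the duplicated block in the two branches (sketch below); checkURL itself continues past the end of this hunk. The destname line's `decodeURI` (like `decodeURIComponent`, which is the right call for a single parameter value since `decodeURI` leaves `%26`, `%3D` and `%2B` encoded, and unlike the deprecated `unescape`) throws a URIError on a malformed escape such as a trailing `%`, which would abort checkURL uncaught, so wrap the parse loop in try/catch and return on error. The tag-stripping regex on that line is not what keeps the value safe here — it is assigned to the input's `.value` rather than to markup — so a comment such as `// value only ever reaches input .value; tag stripping is defence in depth, not an HTML sanitizer` would stop it being relied on elsewhere. If the `if( positions != []) {` line is on the new side, comparing against an array literal is always true; the `positions.length > 0` test on the following line already covers the case.
```javascript
// Returns an L.LatLng for a "lat,lng" string, or null when either part is
// missing, non-numeric or out of range. Caller must catch URIError.
function parseLatLng(str) {
    var parts = decodeURIComponent(str).split(',');
    if (parts.length != 2)
        return null;
    var lat = parseFloat(parts[0]);
    var lng = parseFloat(parts[1]);
    if (isNaN(lat) || isNaN(lng) || !isLatitude(lat) || !isLongitude(lng))
        return null;
    return new L.LatLng(lat, lng);
}
// … in checkURL, the 'loc' branch becomes:
var latlng = parseLatLng(name_val[1]);
if (latlng == null)
    return;
positions.push(latlng);
// … 'dest' branch the same, assigning to destination instead …
```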


@ -52,6 +52,22 @@ function getDistanceWithUnit(distance){
//------------------------------------------------------ //------------------------------------------------------
// verify angles
function isLatitude(value) {
if( value >=-90 && value <=90)
return true;
else
return false;
}
function isLongitude(value) {
if( value >=-180 && value <=180)
return true;
else
return false;
}
// ------------------------------------------------------
// distance between two points // distance between two points
function distanceBetweenPoint(x1, y1, x2, y2) { function distanceBetweenPoint(x1, y1, x2, y2) {
var a = x1 - x2; var a = x1 - x2;
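Review bot: isLatitude and isLongitude rely on implicit coercion in `value >=-90 && value <=90`, so `null`, `""`, a whitespace-only string and `[]` all compare as 0 and are reported valid, while only NaN-producing input is rejected; the caller in the other file currently passes the raw URL substrings, so this matters. Guard the type explicitly and drop the if/else around a boolean expression, e.g. `return typeof value === 'number' && !isNaN(value) && value >= -90 && value <= 90;` (and the same with 180 for isLongitude). The `// verify angles` header would be more useful as a JSDoc on each function stating that the argument must already be a finite number in degrees and that anything else yields false.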