2002/06/01 23:46:10

author megacz <megacz@xwt.org>

Fri, 30 Jan 2004 06:47:43 +0000 (06:47 +0000)

committer megacz <megacz@xwt.org>

Fri, 30 Jan 2004 06:47:43 +0000 (06:47 +0000)
author megacz <megacz@xwt.org>
Fri, 30 Jan 2004 06:47:43 +0000 (06:47 +0000)
committer megacz <megacz@xwt.org>
Fri, 30 Jan 2004 06:47:43 +0000 (06:47 +0000)
diff --git a/CHANGES b/CHANGES

index e67f3f9..bad04e9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -172,3 +172,5 @@
  
  28-May megacz Main.java: spelling fix
  
+01-Jun megacz Platform.java: extra checks on URL well-formedness
+
diff --git a/src/org/xwt/Platform.java b/src/org/xwt/Platform.java

index f773f71..02e75dd 100644 (file)
--- a/src/org/xwt/Platform.java
+++ b/src/org/xwt/Platform.java
@@ -265,6 +265,17 @@ public class Platform {
              if (Log.on) Log.log(Platform.class, "xwt.newBrowserWindow() only supports http and https urls");
              return;
          }
+
+        // check the URL for well-formedness, as a defense against buffer overflow attacks
+        try {
+            String u = url;
+            if (u.startsWith("https")) u = "http" + u.substring(5);
+            new URL(u);
+        } catch (MalformedURLException e) {
+            if (Log.on) Log.log(Platform.class, "URL " + url + " is not well-formed");
+            if (Log.on) Log.log(Platform.class, e);
+        }
+
          if (Log.on) Log.log(Platform.class, "newBrowserWindow, url = " + url);
          platform._newBrowserWindow(url);
      }
author	megacz <megacz@xwt.org>
	Fri, 30 Jan 2004 06:47:43 +0000 (06:47 +0000)
committer	megacz <megacz@xwt.org>
	Fri, 30 Jan 2004 06:47:43 +0000 (06:47 +0000)
CHANGES		patch \| blob \| history
src/org/xwt/Platform.java		patch \| blob \| history