From 6e2ad50e162d8c65e3ca88745ffc71c65e416db7 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Tue, 12 Nov 2019 20:20:07 +0000
Subject: [PATCH] i2psnark: Disable HTML5 for playlist files Another escaping
 fix

---
 .../org/klomp/snark/web/I2PSnarkServlet.java  | 37 +++++++++++++++----
 .../java/src/org/klomp/snark/web/URIUtil.java |  7 ++++
 2 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 7a81e86ea6..d6ddb02559 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -3348,10 +3348,8 @@ public class I2PSnarkServlet extends BasicServlet {
             // unless audio or video...
             if (storage != null && storage.complete()) {
                 String mime = getMimeType(r.getName());
-                boolean isAudio = mime != null && (mime.startsWith("audio/") || mime.equals("application/ogg"));
-                boolean isVideo = mime != null && mime.startsWith("video/") &&
-                                  !mime.equals("video/x-msvideo") && !mime.equals("video/x-matroska") &&
-                                  !mime.equals("video/quicktime");
+                boolean isAudio = mime != null && isAudio(mime);
+                boolean isVideo = mime != null && isVideo(mime);
                 if (isAudio || isVideo) {
                     // HTML5
                     if (isAudio)
@@ -3552,10 +3550,8 @@ public class I2PSnarkServlet extends BasicServlet {
             boolean isVideo = false;
             buf.append("<td class=\"snarkFileIcon\">");
             if (complete) {
-                isAudio = mime.startsWith("audio/") || mime.equals("application/ogg");
-                isVideo = mime.startsWith("video/") &&
-                          !mime.equals("video/x-msvideo") && !mime.equals("video/x-matroska") &&
-                          !mime.equals("video/quicktime");
+                isAudio = isAudio(mime);
+                isVideo = isVideo(mime);
                 if (isAudio || isVideo) {
                     // HTML5
                     if (isAudio)
@@ -3655,6 +3651,31 @@ public class I2PSnarkServlet extends BasicServlet {
         return buf.toString();
     }
 
+    /**
+     * @param mime non-null
+     * @since 0.9.44
+     */
+    private static boolean isAudio(String mime) {
+        // don't include playlist files as the browser doesn't support them
+        // in the HTML5 player,
+        // and if it did and prefetched, that could be a security issue
+        return (mime.startsWith("audio/") &&
+                !mime.equals("audio/mpegurl") &&
+                !mime.equals("audio/x-scpls")) ||
+               mime.equals("application/ogg");
+    }
+
+    /**
+     * @param mime non-null
+     * @since 0.9.44
+     */
+    private static boolean isVideo(String mime) {
+        return mime.startsWith("video/") &&
+               !mime.equals("video/x-msvideo") &&
+               !mime.equals("video/x-matroska") &&
+               !mime.equals("video/quicktime");
+    }
+
     /**
      * Is there at least one complete audio file in this directory or below?
      * Recursive.
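Review bot: The playlist exclusion in `isAudio` is an exact, case-sensitive match on two strings, so any other playlist type under `audio/` (for example `audio/x-mpegurl`, if the table behind `getMimeType` can return it) would still be handed to the HTML5 player. Because the comment names browser prefetch as a possible security issue, a fail-closed test is safer, e.g. `!mime.contains("mpegurl") && !mime.contains("scpls")`, or an explicit allowlist of the audio types the player should receive. Both helpers' Javadoc would also benefit from a summary sentence, such as `Should this MIME type be offered in the HTML5 audio player? Playlist types are excluded.`, and `isVideo` from a one-line comment on why the three container types are left out. The Javadoc context at the end of the hunk belongs to a method that continues outside it.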
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java b/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
index 71b70c5ae4..b82c4a35a9 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
@@ -88,6 +88,7 @@ class URIUtil
                     case '[':
                     case ']':
                     case '&':
+                    case '|':
                         buf=new StringBuilder(path.length()*2);
                         break loop;
                     default:
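Review bot: The new `'|'` case has to be repeated in three separate switches (the pre-scan here and the two encoding loops in the following hunks), and nothing in the code says they must stay in sync. A character missing from the pre-scan would presumably never reach the encoders when it is the only special character in the path. A comment above this switch such as `// keep in sync with the case lists in both encode loops below` would make that explicit. Since the commit describes this as another escaping fix, it may be worth considering an allowlist of RFC 3986 unreserved characters with everything else percent-encoded, rather than adding characters one at a time. The enclosing methods start and end outside these hunks, so this is inferred from the visible cases only.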
@@ -156,6 +157,9 @@ class URIUtil
                       case '&':
                           buf.append("%26");
                           continue;
+                      case '|':
+                          buf.append("%7C");
+                          continue;
                       default:
                           if (c <= 0x1f) // includes negative
                               toHex(c,buf);
@@ -212,6 +216,9 @@ class URIUtil
                         case '&':
                             buf.append("%26");
                             continue;
+                        case '|':
+                            buf.append("%7C");
+                            continue;
                         default:
                             if (c <= 0x1f || (c >= 0x7f && c <= 0x9f) || Character.isSpaceChar(c))
                                 toHex(c,buf);
-- 
GitLab