i2psnark: Disable HTML5 for playlist files

Another escaping fix
zzz
2019-11-12 20:20:07 +00:00
parent fdb3c68d3f
commit 6e2ad50e16
2 changed files with 36 additions and 8 deletions


@ -3348,10 +3348,8 @@ public class I2PSnarkServlet extends BasicServlet {
// unless audio or video... // unless audio or video...
if (storage != null && storage.complete()) { if (storage != null && storage.complete()) {
String mime = getMimeType(r.getName()); String mime = getMimeType(r.getName());
boolean isAudio = mime != null && (mime.startsWith("audio/") || mime.equals("application/ogg")); boolean isAudio = mime != null && isAudio(mime);
boolean isVideo = mime != null && mime.startsWith("video/") && boolean isVideo = mime != null && isVideo(mime);
!mime.equals("video/x-msvideo") && !mime.equals("video/x-matroska") &&
!mime.equals("video/quicktime");
if (isAudio || isVideo) { if (isAudio || isVideo) {
// HTML5 // HTML5
if (isAudio) if (isAudio)
@ -3552,10 +3550,8 @@ public class I2PSnarkServlet extends BasicServlet {
boolean isVideo = false; boolean isVideo = false;
buf.append("<td class=\"snarkFileIcon\">"); buf.append("<td class=\"snarkFileIcon\">");
if (complete) { if (complete) {
isAudio = mime.startsWith("audio/") || mime.equals("application/ogg"); isAudio = isAudio(mime);
isVideo = mime.startsWith("video/") && isVideo = isVideo(mime);
!mime.equals("video/x-msvideo") && !mime.equals("video/x-matroska") &&
!mime.equals("video/quicktime");
if (isAudio || isVideo) { if (isAudio || isVideo) {
// HTML5 // HTML5
if (isAudio) if (isAudio)
@ -3655,6 +3651,31 @@ public class I2PSnarkServlet extends BasicServlet {
return buf.toString(); return buf.toString();
} }
/**
* @param mime non-null
* @since 0.9.44
*/
private static boolean isAudio(String mime) {
// don't include playlist files as the browser doesn't support them
// in the HTML5 player,
// and if it did and prefetched, that could be a security issue
return (mime.startsWith("audio/") &&
!mime.equals("audio/mpegurl") &&
!mime.equals("audio/x-scpls")) ||
mime.equals("application/ogg");
}
/**
* @param mime non-null
* @since 0.9.44
*/
private static boolean isVideo(String mime) {
return mime.startsWith("video/") &&
!mime.equals("video/x-msvideo") &&
!mime.equals("video/x-matroska") &&
!mime.equals("video/quicktime");
}
/** /**
* Is there at least one complete audio file in this directory or below? * Is there at least one complete audio file in this directory or below?
* Recursive. * Recursive.
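Review bot: The playlist exclusion in `isAudio()` is an exact-match denylist of two types, so any other `audio/*` playlist type that `getMimeType()` can return still gets the HTML5 player; `audio/x-mpegurl`, a common type for .m3u files, would pass the check. Whether the MIME table maps anything to that type is not visible on this page, but adding `!mime.equals("audio/x-mpegurl") &&` beside the two existing exclusions is cheap. The comparison is also case-sensitive, which assumes the table only holds lower-case types. The reason given in the inline comment (a prefetching player acting on untrusted playlist content) would be worth moving into the Javadoc so the list gets extended when new types are added. `isVideo()` has no comment saying why its three container types are excluded.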


@ -88,6 +88,7 @@ class URIUtil
case '[': case '[':
case ']': case ']':
case '&': case '&':
case '|':
buf=new StringBuilder(path.length()*2); buf=new StringBuilder(path.length()*2);
break loop; break loop;
default: default:
@ -156,6 +157,9 @@ class URIUtil
case '&': case '&':
buf.append("%26"); buf.append("%26");
continue; continue;
case '|':
buf.append("%7C");
continue;
default: default:
if (c <= 0x1f) // includes negative if (c <= 0x1f) // includes negative
toHex(c,buf); toHex(c,buf);
@ -212,6 +216,9 @@ class URIUtil
case '&': case '&':
buf.append("%26"); buf.append("%26");
continue; continue;
case '|':
buf.append("%7C");
continue;
default: default:
if (c <= 0x1f || (c >= 0x7f && c <= 0x9f) || Character.isSpaceChar(c)) if (c <= 0x1f || (c >= 0x7f && c <= 0x9f) || Character.isSpaceChar(c))
toHex(c,buf); toHex(c,buf);
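Review bot: The `|` case has to be added in three separate switches, the pre-scan near old line 88 and both encoding loops, and nothing in the code ties those lists together. If a later fix adds a character to an encoding loop but not to the pre-scan, `buf` is presumably never allocated for a path whose only special character is that one, and the path is returned unescaped without any error. A comment on the pre-scan switch such as `// every case here must also appear in both encode switches below` would help, or the three lists could be replaced by one shared predicate. The switch bodies and the enclosing methods start and end outside the hunks, so the full character list could not be checked here.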