gnunet-svn

[taler-merchant] branch master updated: restrict characters allowed in o


From: gnunet
Subject: [taler-merchant] branch master updated: restrict characters allowed in order ID for #9452
Date: Fri, 10 Jan 2025 16:23:58 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository merchant.

The following commit(s) were added to refs/heads/master by this push:
     new 9f0ac42d restrict characters allowed in order ID for #9452
9f0ac42d is described below

commit 9f0ac42d72d133dd8fc9aace2353b902673e7b5c
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Fri Jan 10 16:23:53 2025 +0100

    restrict characters allowed in order ID for #9452
---
 .../taler-merchant-httpd_private-post-orders.c     | 31 +++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/backend/taler-merchant-httpd_private-post-orders.c 
b/src/backend/taler-merchant-httpd_private-post-orders.c
index d255fcf1..7bf07488 100644
--- a/src/backend/taler-merchant-httpd_private-post-orders.c
+++ b/src/backend/taler-merchant-httpd_private-post-orders.c
@@ -2945,7 +2945,7 @@ parse_order (struct OrderContext *oc)
   const char *merchant_base_url = NULL;
   uint64_t version = 0;
   const json_t *jmerchant = NULL;
-  const char *order_id;
+  const char *order_id = NULL;
   struct GNUNET_JSON_Specification spec[] = {
     GNUNET_JSON_spec_mark_optional (
       GNUNET_JSON_spec_uint64 ("version",
@@ -3042,6 +3042,35 @@ parse_order (struct OrderContext *oc)
                      ret);
     return;
   }
+  if (NULL != order_id)
+  {
+    size_t len = strlen (order_id);
+
+    for (size_t i = 0; i<len; i++)
+    {
+      char c = order_id[i];
+
+      if (! ( ( (c >= 'A') &&
+                (c <= 'Z') ) ||
+              ( (c >= 'a') &&
+                (c <= 'z') ) ||
+              (c == '-') ||
+              (c == '_') ||
+              (c == '.') ||
+              (c == ':') ) )
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                    "Invalid character `%c' in order ID `%s'\n",
+                    c,
+                    order_id);
+        reply_with_error (oc,
+                          MHD_HTTP_BAD_REQUEST,
+                          TALER_EC_GENERIC_CURRENCY_MISMATCH,
+                          "Invalid character in order_id");
+        return;
+      }
+    }
+  }
   switch (version)
   {
   case 0:
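
Review bot: the allow-list in the `if (! ( ...` condition inside the new loop accepts only `A`-`Z`, `a`-`z`, `-`, `_`, `.` and `:`, so any order ID containing a digit is rejected with a 400; if numeric or timestamp-style order IDs are supposed to stay valid, add `(c >= '0') && (c <= '9')` to the condition. The rejection is reported with `TALER_EC_GENERIC_CURRENCY_MISMATCH`, which names a different failure, so a client cannot tell from the error code that `order_id` was the problem; an error code for a malformed parameter would fit. The `GNUNET_log` call writes the rejected byte with `%c` and the whole untrusted string with `%s`, which lets control characters such as newlines reach the log; logging the byte as hex together with the offset `i` avoids that. An empty `order_id` passes the loop unchanged and no maximum length is enforced in this hunk, so both cases deserve an explicit decision.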

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


