From 262940332979dfc3f0703ce12638abab8c63605c Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Thu, 22 Jul 2021 13:09:25 +0200 Subject: add more location checks --- ...ler-merchant-httpd_private-patch-instances-ID.c | 21 ++++++++++ .../taler-merchant-httpd_private-post-instances.c | 20 +++++++++ .../taler-merchant-httpd_private-post-orders.c | 48 ++++++++++++++-------- 3 files changed, 72 insertions(+), 17 deletions(-) (limited to 'src/backend') diff --git a/src/backend/taler-merchant-httpd_private-patch-instances-ID.c b/src/backend/taler-merchant-httpd_private-patch-instances-ID.c index 8b0917e7..bafccb59 100644 --- a/src/backend/taler-merchant-httpd_private-patch-instances-ID.c +++ b/src/backend/taler-merchant-httpd_private-patch-instances-ID.c @@ -114,6 +114,27 @@ patch_instances_ID (struct TMH_MerchantInstance *mi, TALER_EC_GENERIC_CURRENCY_MISMATCH, NULL); } + + if (! TMH_location_object_valid (is.address)) + { + GNUNET_break_op (0); + GNUNET_JSON_parse_free (spec); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_BAD_REQUEST, + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "address"); + } + + if (! TMH_location_object_valid (is.jurisdiction)) + { + GNUNET_break_op (0); + GNUNET_JSON_parse_free (spec); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_BAD_REQUEST, + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "jurisdiction"); + } + if (! TMH_payto_uri_array_valid (payto_uris)) return TALER_MHD_reply_with_error (connection, MHD_HTTP_BAD_REQUEST, diff --git a/src/backend/taler-merchant-httpd_private-post-instances.c b/src/backend/taler-merchant-httpd_private-post-instances.c index 4c5919e9..c6471571 100644 --- a/src/backend/taler-merchant-httpd_private-post-instances.c +++ b/src/backend/taler-merchant-httpd_private-post-instances.c @@ -230,6 +230,26 @@ TMH_private_post_instances (const struct TMH_RequestHandler *rh, "id"); } + if (! TMH_location_object_valid (is.address)) + { + GNUNET_break_op (0); + GNUNET_JSON_parse_free (spec); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_BAD_REQUEST, + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "address"); + } + + if (! TMH_location_object_valid (is.jurisdiction)) + { + GNUNET_break_op (0); + GNUNET_JSON_parse_free (spec); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_BAD_REQUEST, + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "jurisdiction"); + } + /* Check currency of client matches our own currency */ if ( (0 != strcasecmp (is.default_max_deposit_fee.currency, TMH_currency)) || diff --git a/src/backend/taler-merchant-httpd_private-post-orders.c b/src/backend/taler-merchant-httpd_private-post-orders.c index d4812715..172cb05c 100644 --- a/src/backend/taler-merchant-httpd_private-post-orders.c +++ b/src/backend/taler-merchant-httpd_private-post-orders.c @@ -1,6 +1,6 @@ /* This file is part of TALER - (C) 2014, 2015, 2016, 2018, 2020 Taler Systems SA + (C) 2014, 2015, 2016, 2018, 2020, 2021 Taler Systems SA TALER is free software; you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as @@ -30,6 +30,7 @@ #include "taler-merchant-httpd_private-post-orders.h" #include "taler-merchant-httpd_auditors.h" #include "taler-merchant-httpd_exchanges.h" +#include "taler-merchant-httpd_helper.h" #include "taler-merchant-httpd_private-get-orders.h" @@ -712,10 +713,10 @@ patch_order (struct MHD_Connection *connection, &wire_fee_amortization)), GNUNET_JSON_spec_mark_optional ( TALER_JSON_spec_absolute_time ("delivery_date", - &delivery_date)), + &delivery_date)), GNUNET_JSON_spec_mark_optional ( TALER_JSON_spec_relative_time ("auto_refund", - &auto_refund)), + &auto_refund)), GNUNET_JSON_spec_mark_optional ( GNUNET_JSON_spec_json ("delivery_location", &delivery_location)), @@ -864,7 +865,7 @@ patch_order (struct MHD_Connection *connection, refund_deadline))); } if ((0 != delivery_date.abs_value_us) && - (delivery_date.abs_value_us < now.abs_value_us) ) + (delivery_date.abs_value_us < now.abs_value_us) ) { GNUNET_break_op (0); return TALER_MHD_reply_with_error ( @@ -901,7 +902,8 @@ patch_order (struct MHD_Connection *connection, GNUNET_assert (0 == json_object_set_new (order, "wire_transfer_deadline", - GNUNET_JSON_from_time_abs (wire_deadline))); + GNUNET_JSON_from_time_abs ( + wire_deadline))); } if (wire_deadline.abs_value_us < refund_deadline.abs_value_us) { @@ -926,8 +928,8 @@ patch_order (struct MHD_Connection *connection, else { if (0 != - strcasecmp (max_wire_fee.currency, - TMH_currency)) + strcasecmp (max_wire_fee.currency, + TMH_currency)) { GNUNET_break_op (0); return TALER_MHD_reply_with_error ( @@ -951,8 +953,8 @@ patch_order (struct MHD_Connection *connection, else { if (0 != - strcasecmp (max_fee.currency, - TMH_currency)) + strcasecmp (max_fee.currency, + TMH_currency)) { GNUNET_break_op (0); return TALER_MHD_reply_with_error ( @@ -985,7 +987,7 @@ patch_order (struct MHD_Connection *connection, GNUNET_free (url); } else if (('\0' == *merchant_base_url) || - ('/' != merchant_base_url[strlen(merchant_base_url) - 1])) + ('/' != merchant_base_url[strlen (merchant_base_url) - 1])) { GNUNET_break_op (0); return TALER_MHD_reply_with_error ( @@ -994,7 +996,7 @@ patch_order (struct MHD_Connection *connection, TALER_EC_MERCHANT_PRIVATE_POST_ORDERS_PROPOSAL_PARSE_ERROR, "merchant_base_url is not valid"); } - + /* Fill in merchant information if necessary */ if (NULL != jmerchant) { @@ -1005,8 +1007,8 @@ patch_order (struct MHD_Connection *connection, TALER_EC_MERCHANT_PRIVATE_POST_ORDERS_PROPOSAL_PARSE_ERROR, "'merchant' field already set, but must be provided by backend"); } - jmerchant = json_pack("{s:s}", - "name", settings->name); + jmerchant = json_pack ("{s:s}", + "name", settings->name); GNUNET_assert (NULL != jmerchant); { json_t *loca; @@ -1064,22 +1066,34 @@ patch_order (struct MHD_Connection *connection, TALER_EC_GENERIC_JSON_INVALID, "could not compute hash of order due to bogus forgettable fields"); } + + if ( (NULL != delivery_location) && + (! TMH_location_object_valid (delivery_location)) ) + { + GNUNET_break_op (0); + GNUNET_JSON_parse_free (spec); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_BAD_REQUEST, + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "delivery_location"); + } + /* sanity check result */ { struct GNUNET_HashCode h_control; - + switch (TALER_JSON_contract_hash (order, &h_control)) { - case GNUNET_SYSERR: + case GNUNET_SYSERR: GNUNET_break (0); return TALER_MHD_reply_with_error ( connection, MHD_HTTP_INTERNAL_SERVER_ERROR, TALER_EC_GENERIC_FAILED_COMPUTE_JSON_HASH, "could not compute hash of patched order"); - - case GNUNET_NO: + + case GNUNET_NO: GNUNET_break_op (0); return TALER_MHD_reply_with_error ( connection, -- cgit v1.2.3