commit 9f0ac42d72d133dd8fc9aace2353b902673e7b5c
parent ee590a7301bd9696ea3ae13cfa2d30256486d83e
Author: Christian Grothoff <christian@grothoff.org>
Date: Fri, 10 Jan 2025 16:23:53 +0100
restrict characters allowed in order ID for #9452
Diffstat:
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/src/backend/taler-merchant-httpd_private-post-orders.c b/src/backend/taler-merchant-httpd_private-post-orders.c
@@ -2945,7 +2945,7 @@ parse_order (struct OrderContext *oc)
const char *merchant_base_url = NULL;
uint64_t version = 0;
const json_t *jmerchant = NULL;
- const char *order_id;
+ const char *order_id = NULL;
struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_mark_optional (
GNUNET_JSON_spec_uint64 ("version",
@@ -3042,6 +3042,35 @@ parse_order (struct OrderContext *oc)
ret);
return;
}
+ if (NULL != order_id)
+ {
+ size_t len = strlen (order_id);
+
+ for (size_t i = 0; i<len; i++)
+ {
+ char c = order_id[i];
+
+ if (! ( ( (c >= 'A') &&
+ (c <= 'Z') ) ||
+ ( (c >= 'a') &&
+ (c <= 'z') ) ||
+ (c == '-') ||
+ (c == '_') ||
+ (c == '.') ||
+ (c == ':') ) )
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "Invalid character `%c' in order ID `%s'\n",
+ c,
+ order_id);
+ reply_with_error (oc,
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_CURRENCY_MISMATCH,
+ "Invalid character in order_id");
+ return;
+ }
+ }
+ }
switch (version)
{
case 0:
