ucb: webdav-curl: Related: tdf#99499, add a limit to the number of http redirections

Check for maximum number of redirections according to <https://tools.ietf.org/html/rfc7231#section-6.4>. A practical limit can be 5, due to old RFC: <https://tools.ietf.org/html/rfc2068#section-10.3>, this limit is reported also in more recent RFCs, see final paragraph of RFC7231, 6.4. [ port of commit 18009fe8fbe3982141ddca3f1fcd0900a63150a6 ] Change-Id: I3a6d1510627434cdff9e4f0af8194a8e6a33c28b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123476 Tested-by: Michael Stahl <michael.stahl@allotropia.de> Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
author: Giuseppe Castagno <giuseppe.castagno@acca-esse.eu> 2016-08-11 22:20:46 +0200
committer: Michael Stahl <michael.stahl@allotropia.de> 2021-11-01 18:42:36 +0100
commit: 0e9cea7ccdac443a51c81ce6ec3e1115a09b00be (patch)
tree: 862afd2019014b39aa717c21c2775cd18bb7f321 /ucb
parent: 928fbadb267be88cc558b55ddb33ec151be6e222 (diff)
3 files changed, 19 insertions, 2 deletions
diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
index c81d326207d1..cead9980b4a6 100644
--- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
+++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.cxx
@@ -129,6 +129,7 @@ DAVResourceAccess::DAVResourceAccess(
 : m_aURL( rURL ),
   m_xSessionFactory( rSessionFactory ),
   m_xContext( rContext )
+, m_nRedirectLimit( 5 )
 {
 }
 
@@ -140,7 +141,8 @@ DAVResourceAccess::DAVResourceAccess( const DAVResourceAccess & rOther )
   m_xSession( rOther.m_xSession ),
   m_xSessionFactory( rOther.m_xSessionFactory ),
   m_xContext( rOther.m_xContext ),
-  m_aRedirectURIs( rOther.m_aRedirectURIs )
+  m_aRedirectURIs( rOther.m_aRedirectURIs ),
+  m_nRedirectLimit( rOther.m_nRedirectLimit )
 {
 }
 
@@ -155,6 +157,7 @@ DAVResourceAccess & DAVResourceAccess::operator=(
     m_xSessionFactory = rOther.m_xSessionFactory;
     m_xContext           = rOther.m_xContext;
     m_aRedirectURIs   = rOther.m_aRedirectURIs;
+    m_nRedirectLimit = rOther.m_nRedirectLimit;
 
     return *this;
 }
@@ -1094,7 +1097,7 @@ void DAVResourceAccess::getUserRequestHeaders(
     }
 }
 
-
+// This function member implements the control on cyclical redirections
 bool DAVResourceAccess::detectRedirectCycle(
         ::std::u16string_view const rRedirectURL)
 {
@@ -1102,6 +1105,15 @@ bool DAVResourceAccess::detectRedirectCycle(
 
     CurlUri const aUri( rRedirectURL );
 
+    // Check for maximum number of redirections
+    // according to <https://tools.ietf.org/html/rfc7231#section-6.4>.
+    // A practical limit may be 5, due to earlier specifications:
+    // <https://tools.ietf.org/html/rfc2068#section-10.3>
+    // it can be raised keeping in mind the added net activity.
+    if( static_cast< size_t >( m_nRedirectLimit ) <= m_aRedirectURIs.size() )
+        return true;
+
+    // try to detect a cyclical redirection
     return std::any_of(m_aRedirectURIs.begin(), m_aRedirectURIs.end(),
         [&aUri](const CurlUri& rUri) { return aUri == rUri; });
 }
diff --git a/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx b/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx
index 86a392e23cf1..051e53c4c8f5 100644
--- a/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx
+++ b/ucb/source/ucp/webdav-curl/DAVResourceAccess.hxx
@@ -52,6 +52,7 @@ class DAVResourceAccess
     rtl::Reference< DAVSessionFactory > m_xSessionFactory;
     css::uno::Reference< css::uno::XComponentContext > m_xContext;
     std::vector<CurlUri> m_aRedirectURIs;
+    sal_uInt32   m_nRedirectLimit;
 
 public:
     DAVResourceAccess() = default;
diff --git a/ucb/source/ucp/webdav-curl/webdavcontent.cxx b/ucb/source/ucp/webdav-curl/webdavcontent.cxx
index 876a23b7a930..5b1fbd5635e7 100644
--- a/ucb/source/ucp/webdav-curl/webdavcontent.cxx
+++ b/ucb/source/ucp/webdav-curl/webdavcontent.cxx
@@ -3959,6 +3959,10 @@ void Content::getResourceOptions(
                     }
                 }
                 break;
+                // The 'DAVException::DAV_HTTP_REDIRECT' means we reached the maximum
+                // number of redirections, consider the resource type as UNKNOWN
+                // possibly a normal web site, not DAV
+                case DAVException::DAV_HTTP_REDIRECT:
                 default: // leave the resource type as UNKNOWN, for now
                     // it means this will be managed as a standard http site
                     SAL_WARN( "ucb.ucp.webdav","OPTIONS - DAVException for URL <" << m_xIdentifier->getContentIdentifier() << ">, DAV error: "
author	Giuseppe Castagno <giuseppe.castagno@acca-esse.eu>	2016-08-11 22:20:46 +0200
committer	Michael Stahl <michael.stahl@allotropia.de>	2021-11-01 18:42:36 +0100
commit	0e9cea7ccdac443a51c81ce6ec3e1115a09b00be (patch)
tree	862afd2019014b39aa717c21c2775cd18bb7f321 /ucb
parent	928fbadb267be88cc558b55ddb33ec151be6e222 (diff)