diff options
author | commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2014-04-15 00:43:51 +0000 |
---|---|---|
committer | commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2014-04-15 00:43:51 +0000 |
commit | 4bd8fdc04c143e3c43a0e48a5444da02cacf1803 (patch) | |
tree | 2ff5938536506492162ccdc817e7e30991f8f1d5 /experimental | |
parent | 479bad560a10178b82406072a194ab5008299c7e (diff) |
More sanitizing input.
Also fix issue with parsing time on MySQL.
BUG=skia:
R=mtklein@google.com
Author: jcgregorio@google.com
Review URL: https://codereview.chromium.org/235953008
git-svn-id: http://skia.googlecode.com/svn/trunk@14195 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'experimental')
-rw-r--r-- | experimental/webtry/webtry.go | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/experimental/webtry/webtry.go b/experimental/webtry/webtry.go index 008ea82929..1b678ecb77 100644 --- a/experimental/webtry/webtry.go +++ b/experimental/webtry/webtry.go @@ -34,6 +34,8 @@ p.setStrokeWidth(10); canvas->drawLine(20, 20, 100, 100, p); ` + // Don't increase above 2^16 w/o altering the db tables to accept something bigger than TEXT. + MAX_TRY_SIZE = 64000 ) var ( @@ -115,7 +117,7 @@ func init() { // The IP address of the database is found here: // https://console.developers.google.com/project/31977622648/sql/instances/webtry/overview // And 3306 is the default port for MySQL. - db, err = sql.Open("mysql", fmt.Sprintf("webtry:%s@tcp(173.194.83.52:3306)/webtry", password)) + db, err = sql.Open("mysql", fmt.Sprintf("webtry:%s@tcp(173.194.83.52:3306)/webtry?parseTime=true", password)) if err != nil { log.Printf("ERROR: Failed to open connection to SQL server: %q\n", err) panic(err) @@ -292,6 +294,17 @@ func recentHandler(w http.ResponseWriter, r *http.Request) { } } +// hasPreProcessor returns true if any line in the code begins with a # char. +func hasPreProcessor(code string) bool { + lines := strings.Split(code, "\n") + for _, s := range lines { + if strings.HasPrefix(strings.TrimSpace(s), "#") { + return true + } + } + return false +} + // mainHandler handles the GET and POST of the main page. func mainHandler(w http.ResponseWriter, r *http.Request) { log.Printf("Main Handler: %q\n", r.URL.Path) @@ -316,12 +329,23 @@ func mainHandler(w http.ResponseWriter, r *http.Request) { } } else if r.Method == "POST" { w.Header().Set("Content-Type", "application/json") - b, err := ioutil.ReadAll(r.Body) + buf := bytes.NewBuffer(make([]byte, 0, MAX_TRY_SIZE)) + n, err := buf.ReadFrom(r.Body) if err != nil { reportError(w, r, err, "Failed to read a request body.") return } - code := string(b) + if n == MAX_TRY_SIZE { + err := fmt.Errorf("Code length equal to, or exceeded, %d", MAX_TRY_SIZE) + reportError(w, r, err, "Code too large.") + return + } + code := string(buf.Bytes()) + if hasPreProcessor(code) { + err := fmt.Errorf("Found preprocessor macro in code.") + reportError(w, r, err, "Preprocessor macros aren't allowed.") + return + } hash, err := expandCode(LineNumbers(code)) if err != nil { reportError(w, r, err, "Failed to write the code to compile.") |