merchant

Merchant backend to process payments, run by merchants

commit 51056a54a6adbe598aeccace5955ea2c8c4596e7
parent 9831b7a7046a1a9b016b48a700d019f8f386639f
Author: Christian Grothoff <christian@grothoff.org>
Date:   Thu, 21 May 2026 22:11:46 +0200

validate slugs, disallow special characters"

Diffstat:
Mmeson.build | 3+--
Msrc/backend/taler-merchant-httpd_post-private-groups.c | 4++--
Msrc/backend/taler-merchant-httpd_post-private-orders.c | 35++---------------------------------
Msrc/backend/taler-merchant-httpd_post-private-otp-devices.c | 4++--
Msrc/backend/taler-merchant-httpd_post-private-pots.c | 4++--
Msrc/backend/taler-merchant-httpd_post-private-products.c | 4++--
Msrc/backend/taler-merchant-httpd_post-private-templates.c | 4++--
Msrc/backend/taler-merchant-httpd_post-private-tokenfamilies.c | 4++--
Msrc/backend/taler-merchant-httpd_post-private-units.c | 4++--
Msrc/backend/taler-merchant-httpd_post-private-webhooks.c | 4++--
10 files changed, 19 insertions(+), 51 deletions(-)

diff --git a/meson.build b/meson.build
@@ -254,7 +254,7 @@ if not get_option('only-doc')
 endif
 cc.has_header_symbol(
   'taler/taler_json_lib.h',
-  'TALER_JSON_currency_specs_to_json',
+  'TALER_JSON_spec_slug',
   required: true,
   dependencies: [talerjson_dep],
 )
@@ -405,4 +405,3 @@ run_target(
   env: {'PACKAGE_VERSION': meson.project_version()},
 )
 #meson.add_dist_script('meson-dist-script')
-
diff --git a/src/backend/taler-merchant-httpd_post-private-groups.c b/src/backend/taler-merchant-httpd_post-private-groups.c
@@ -36,8 +36,8 @@ TMH_private_post_groups (const struct TMH_RequestHandler *rh,
   enum GNUNET_DB_QueryStatus qs;
   uint64_t group_id;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("group_name",
-                             &group_name),
+    TALER_JSON_spec_slug ("group_name",
+                          &group_name),
     GNUNET_JSON_spec_string ("description",
                              &description),
     GNUNET_JSON_spec_end ()
diff --git a/src/backend/taler-merchant-httpd_post-private-orders.c b/src/backend/taler-merchant-httpd_post-private-orders.c
@@ -3957,8 +3957,8 @@ phase_parse_order (struct OrderContext *oc)
         &oc->parse_order.summary_i18n),
       NULL),
     GNUNET_JSON_spec_mark_optional (
-      GNUNET_JSON_spec_string ("order_id",
-                               &order_id),
+      TALER_JSON_spec_slug ("order_id",
+                            &order_id),
       NULL),
     GNUNET_JSON_spec_mark_optional (
       GNUNET_JSON_spec_string ("fulfillment_message",
@@ -4066,37 +4066,6 @@ phase_parse_order (struct OrderContext *oc)
       }
     }
   }
-  if (NULL != order_id)
-  {
-    size_t len = strlen (order_id);
-
-    for (size_t i = 0; i<len; i++)
-    {
-      char c = order_id[i];
-
-      if (! ( ( (c >= 'A') &&
-                (c <= 'Z') ) ||
-              ( (c >= 'a') &&
-                (c <= 'z') ) ||
-              ( (c >= '0') &&
-                (c <= '9') ) ||
-              (c == '-') ||
-              (c == '_') ||
-              (c == '.') ||
-              (c == ':') ) )
-      {
-        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
-                    "Invalid character `%c' in order ID `%s'\n",
-                    c,
-                    order_id);
-        reply_with_error (oc,
-                          MHD_HTTP_BAD_REQUEST,
-                          TALER_EC_GENERIC_CURRENCY_MISMATCH,
-                          "Invalid character in order_id");
-        return;
-      }
-    }
-  }
   switch (version)
   {
     case 0:
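Review bot: The `cc.has_header_symbol(` probe for TALER_JSON_currency_specs_to_json is replaced by one for TALER_JSON_spec_slug rather than supplemented, so the build no longer verifies the old symbol even though nothing in this commit removes a use of it. If the single probe is meant as a minimum-version check on libtalerjson (the newest symbol standing in for "new enough"), a one-line comment above the call saying so, e.g. `# probe for the newest symbol we need; implies all older ones`, would stop the next reader from re-adding the old entry; if it is not, keep both entries. The second hunk only drops a trailing blank line.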
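Review bot: The removed inline validator in phase_parse_order accepted `.` and `:` in order_id, while the character set enforced by TALER_JSON_spec_slug is not visible here; if the slug grammar is stricter, merchants whose order IDs embed those characters will start receiving 400 responses, and the error code callers see changes from the hand-rolled reply to whatever the JSON spec parser emits on a failed field. Worth confirming the slug grammar against the old set, stating the accepted pattern (and any length bound) in the API documentation for order_id, and adding a regression test that posts order IDs containing `:` and `.` so the outcome is deliberate rather than incidental. The same consideration applies to the spec changes in the groups hunk above and in the otp-devices, pots, products, templates, tokenfamilies, units and webhooks files: the slug check only runs on POST, so identifiers stored before this version may not satisfy it and the lookup paths (not shown) must keep tolerating them. phase_parse_order starts and ends outside the hunk.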
diff --git a/src/backend/taler-merchant-httpd_post-private-otp-devices.c b/src/backend/taler-merchant-httpd_post-private-otp-devices.c
@@ -67,8 +67,8 @@ TMH_private_post_otp_devices (const struct TMH_RequestHandler *rh,
   const char *device_id;
   enum GNUNET_DB_QueryStatus qs;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("otp_device_id",
-                             &device_id),
+    TALER_JSON_spec_slug ("otp_device_id",
+                          &device_id),
     GNUNET_JSON_spec_string ("otp_device_description",
                              (const char **) &tp.otp_description),
     TALER_JSON_spec_otp_type ("otp_algorithm",
diff --git a/src/backend/taler-merchant-httpd_post-private-pots.c b/src/backend/taler-merchant-httpd_post-private-pots.c
@@ -36,8 +36,8 @@ TMH_private_post_pots (const struct TMH_RequestHandler *rh,
   enum GNUNET_DB_QueryStatus qs;
   uint64_t pot_id;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("pot_name",
-                             &pot_name),
+    TALER_JSON_spec_slug ("pot_name",
+                          &pot_name),
     GNUNET_JSON_spec_string ("description",
                              &description),
     GNUNET_JSON_spec_end ()
diff --git a/src/backend/taler-merchant-httpd_post-private-products.c b/src/backend/taler-merchant-httpd_post-private-products.c
@@ -49,8 +49,8 @@ TMH_private_post_products (const struct TMH_RequestHandler *rh,
   struct TALER_Amount price;
   bool price_missing;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("product_id",
-                             &product_id),
+    TALER_JSON_spec_slug ("product_id",
+                          &product_id),
     /* new in protocol v20, thus optional for backwards-compatibility */
     GNUNET_JSON_spec_mark_optional (
       GNUNET_JSON_spec_string ("product_name",
diff --git a/src/backend/taler-merchant-httpd_post-private-templates.c b/src/backend/taler-merchant-httpd_post-private-templates.c
@@ -71,8 +71,8 @@ TMH_private_post_templates (const struct TMH_RequestHandler *rh,
   const char *template_id;
   enum GNUNET_DB_QueryStatus qs;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("template_id",
-                             &template_id),
+    TALER_JSON_spec_slug ("template_id",
+                          &template_id),
     GNUNET_JSON_spec_string ("template_description",
                              (const char **) &tp.template_description),
     GNUNET_JSON_spec_mark_optional (
diff --git a/src/backend/taler-merchant-httpd_post-private-tokenfamilies.c b/src/backend/taler-merchant-httpd_post-private-tokenfamilies.c
@@ -95,8 +95,8 @@ TMH_private_post_token_families (const struct TMH_RequestHandler *rh,
   bool no_valid_after = false;
   enum GNUNET_DB_QueryStatus qs;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("slug",
-                             (const char **) &details.slug),
+    TALER_JSON_spec_slug ("slug",
+                          (const char **) &details.slug),
     GNUNET_JSON_spec_string ("name",
                              (const char **) &details.name),
     GNUNET_JSON_spec_string ("description",
diff --git a/src/backend/taler-merchant-httpd_post-private-units.c b/src/backend/taler-merchant-httpd_post-private-units.c
@@ -39,8 +39,8 @@ TMH_private_post_units (const struct TMH_RequestHandler *rh,
   enum GNUNET_DB_QueryStatus qs;
   enum MHD_Result ret;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("unit",
-                             (const char **) &nud.unit),
+    TALER_JSON_spec_slug ("unit",
+                          (const char **) &nud.unit),
     GNUNET_JSON_spec_string ("unit_name_long",
                              (const char **) &nud.unit_name_long),
     GNUNET_JSON_spec_string ("unit_name_short",
diff --git a/src/backend/taler-merchant-httpd_post-private-webhooks.c b/src/backend/taler-merchant-httpd_post-private-webhooks.c
@@ -78,8 +78,8 @@ TMH_private_post_webhooks (const struct TMH_RequestHandler *rh,
   const char *webhook_id;
   enum GNUNET_DB_QueryStatus qs;
   struct GNUNET_JSON_Specification spec[] = {
-    GNUNET_JSON_spec_string ("webhook_id",
-                             &webhook_id),
+    TALER_JSON_spec_slug ("webhook_id",
+                          &webhook_id),
     GNUNET_JSON_spec_string ("event_type",
                              (const char **) &wb.event_type),
     TALER_JSON_spec_web_url ("url",