1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
/*
* Copyright (C) 2012 Lasath Fernando <kde@lasath.org>
* Copyright (C) 2013 David Edmundson <kde@davidedmundson.co.uk>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "bugzilla-filter.h"
#include <KPluginFactory>
#include <KDebug>
#include <KUrl>
class BugzillaFilter::Private
{
public:
Private() {
requestCounter = 0;
}
QRegExp bugText;
int requestCounter;
QStringList bugzillaHosts;
};
BugzillaFilter::BugzillaFilter(QObject *parent, const QVariantList &) :
AbstractMessageFilter(parent), d(new Private)
{
d->bugText = QRegExp(QLatin1String("BUG:[ ]*(\\d+)"));
d->bugText.setCaseSensitivity(Qt::CaseInsensitive);
d->bugzillaHosts << QLatin1String("bugzilla.mozilla.org")
<< QLatin1String("bugzilla.kernel.org")
<< QLatin1String("bugzilla.gnome.org")
<< QLatin1String("bugs.kde.org")
<< QLatin1String("issues.apache.org")
<< QLatin1String("www.openoffice.org")
<< QLatin1String("bugs.eclipse.org/bugs")
<< QLatin1String("bugzilla.redhat.com/bugzilla")
<< QLatin1String("qa.mandriva.com")
<< QLatin1String("bugs.gentoo.org")
<< QLatin1String("bugzilla.novell.com");
}
BugzillaFilter::~BugzillaFilter()
{
delete d;
}
void BugzillaFilter::addBugDescription(KTp::Message &message, const KUrl &baseUrl)
{
QString bugRequestId((QLatin1String("bug_") + QString::number(d->requestCounter)));
d->requestCounter++;
KUrl request;
request.setHost(baseUrl.host());
request.setProtocol(baseUrl.protocol());
request.setDirectory(baseUrl.directory());
request.setFileName(QLatin1String("jsonrpc.cgi"));
request.addQueryItem(QLatin1String("method"), QLatin1String("Bug.get"));
request.addQueryItem(QLatin1String("params"),
QString(QLatin1String("[{\"ids\":[%1]}]")).
arg(baseUrl.queryItemValue(QLatin1String("id"))));
request.addQueryItem(QLatin1String("callback"), QLatin1String("showBugCallback"));
request.addQueryItem(QLatin1String("id"), bugRequestId);
message.appendMessagePart(QString::fromLatin1("<p><a href=\"%1\" id=\"%2\"></a></p>").arg(baseUrl.prettyUrl(), bugRequestId));
message.appendScript(QString::fromLatin1("showBug(\"%1\");").arg(request.prettyUrl()));
}
void BugzillaFilter::filterMessage(KTp::Message &message, const KTp::MessageContext &context)
{
//if we're hidden we don't want to make network requests that can show we're online
if (context.account()->currentPresence().type() == Tp::ConnectionPresenceTypeHidden) {
return;
}
QString msg = message.mainMessagePart();
int index = msg.indexOf(d->bugText);
while (index >= 0) {
KUrl baseUrl;
//TODO make this configurable
baseUrl.setProtocol(QLatin1String("https"));
baseUrl.setHost(QLatin1String("bugs.kde.org"));
baseUrl.setFileName(QLatin1String("show_bug.cgi"));
baseUrl.addQueryItem(QLatin1String("id"), d->bugText.cap(1));
addBugDescription(message, baseUrl);
index = msg.indexOf(d->bugText, index + 1);
}
Q_FOREACH (QVariant var, message.property("Urls").toList()) {
KUrl url = qvariant_cast<KUrl>(var);
if (url.fileName() == QLatin1String("show_bug.cgi")) { //a bugzilla of some sort
//as we have to use jsonp to get round making a cross-domain http request, a malicious website
//could pretend to be bugzilla and return arbitrary data that we cannot sanitise, filling the text-ui
//then someone could send a link potentially executing random JS.
//somewhat unlikely..but better safe than sorry.
//QML rewrite will fix it, as that does not have security origin checks on XHttpRequest objects
//Do not try and make this plugin more generic by removing this check unless you know what you are doing.
//check hostname against a whitelist of bugzilla instances
//TODO as we are checking the hostname we can support host/bugID formats
//TODO make this configurable in config
if (d->bugzillaHosts.contains(url.host())) {
addBugDescription(message, url);
}
}
}
}
QStringList BugzillaFilter::requiredScripts()
{
return QStringList() << QLatin1String("ktelepathy/showBugzillaInfo.js");
}
K_PLUGIN_FACTORY(MessageFilterFactory, registerPlugin<BugzillaFilter>();)
K_EXPORT_PLUGIN(MessageFilterFactory("ktptextui_message_filter_bugzilla"))
|
