paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-02 04:53:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

push_notifications: Validate format of APNS tokens.

Browse Source 
This fixes a bug where we would previously not validate the format of
APNS tokens before writing them to the database, which could lead to
exceptions in the push notifications system if a buggy mobile app
submitted invalid format tokens.
This commit is contained in:
Tim Abbott
2017-07-07 09:18:37 -07:00
parent e99067cfc3
commit eaa33cce73
2 changed files with 40 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
zerver/views/push_notifications.py
View File

@@ -10,42 +10,48 @@ from django.http import HttpRequest, HttpResponse
from django.utils.translation import ugettext as _
from zerver.lib.push_notifications import add_push_device_token, \
remove_push_device_token
b64_to_hex, remove_push_device_token
from zerver.lib.request import has_request_variables, REQ, JsonableError
from zerver.lib.response import json_success, json_error
from zerver.lib.validator import check_string, check_list, check_bool
from zerver.models import PushDeviceToken, UserProfile
def validate_token(token_str):
# type: (str) -> None
def validate_token(token_str, kind):
# type: (str, int) -> None
if token_str == '' or len(token_str) > 4096:
raise JsonableError(_('Empty or invalid length token'))
if kind == PushDeviceToken.APNS:
# Validate that we can actually decode the token.
try:
b64_to_hex(token_str)
except Exception:
raise JsonableError(_('Invalid APNS token'))
@has_request_variables
def add_apns_device_token(request, user_profile, token=REQ(),
appid=REQ(default=settings.ZULIP_IOS_APP_ID)):
# type: (HttpRequest, UserProfile, str, str) -> HttpResponse
validate_token(token)
validate_token(token, PushDeviceToken.APNS)
add_push_device_token(user_profile, token, PushDeviceToken.APNS, ios_app_id=appid)
return json_success()
@has_request_variables
def add_android_reg_id(request, user_profile, token=REQ()):
# type: (HttpRequest, UserProfile, str) -> HttpResponse
validate_token(token)
validate_token(token, PushDeviceToken.GCM)
add_push_device_token(user_profile, token, PushDeviceToken.GCM)
return json_success()
@has_request_variables
def remove_apns_device_token(request, user_profile, token=REQ()):
# type: (HttpRequest, UserProfile, str) -> HttpResponse
validate_token(token)
validate_token(token, PushDeviceToken.APNS)
remove_push_device_token(user_profile, token, PushDeviceToken.APNS)
return json_success()
@has_request_variables
def remove_android_reg_id(request, user_profile, token=REQ()):
# type: (HttpRequest, UserProfile, str) -> HttpResponse
validate_token(token)
validate_token(token, PushDeviceToken.GCM)
remove_push_device_token(user_profile, token, PushDeviceToken.GCM)
return json_success()