mirror of https://github.com/VKCOM/vk-ios-sdk.git synced 2024-09-11 06:45:37 +03:00

Merge pull request #431 from grebenschikov/master

Fix potentially vulnerable code
Roman Truba 2016-08-02 15:17:37 +04:00 committed by GitHub
commit 5061d72908


@ -31,7 +31,8 @@
static VKHTTPClient *__clientInstance = nil;
static NSString const *VK_API_URI = @"api.vk.com/method/";
static NSString *const kVKMultipartFormBoundary = @"Boundary(======VK_SDK======)";
static NSString const *kVKMultipartFormBoundaryPrefix = @"VK_SDK";
@interface VKHTTPClient ()
@property(readwrite, nonatomic, strong) NSMutableDictionary *defaultHeaders;
@ -130,19 +131,20 @@ static NSString *const kVKMultipartFormBoundary = @"Boundary(======VK_SDK======)
NSParameterAssert(![method isEqualToString:@"GET"] && ![method isEqualToString:@"HEAD"]);
NSMutableURLRequest *request = [self requestWithMethod:method path:path parameters:nil secure:YES];
NSString *contentType = [NSString stringWithFormat:@"multipart/form-data; boundary=%@", kVKMultipartFormBoundary];
NSString *formBoundary = [NSString stringWithFormat:@"%@.boundary.%08x%08x", kVKMultipartFormBoundaryPrefix, arc4random(), arc4random()];
NSString *contentType = [NSString stringWithFormat:@"multipart/form-data; boundary=%@", formBoundary];
[request addValue:contentType forHTTPHeaderField:@"Content-Type"];
NSMutableData *postbody = [NSMutableData data];
for (NSUInteger i = 0; i < images.count; i++) {
VKUploadImage *uploadImageObject = images[i];
NSString *fileName = [NSString stringWithFormat:@"file%d", (int) (i + 1)];
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@\r\n", kVKMultipartFormBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@\r\n", formBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"Content-Disposition: form-data; name=\"%@\"; filename=\"%@.%@\"\r\n", fileName, fileName, [uploadImageObject.parameters fileExtension]] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"Content-Type: %@\r\n\r\n", [uploadImageObject.parameters mimeType]] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:uploadImageObject.imageData];
}
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@--\r\n", kVKMultipartFormBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@--\r\n", formBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[request setHTTPBody:postbody];
return request;
}
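Review bot: The fixed `kVKMultipartFormBoundary` constant is still declared in the first hunk, although every use visible in this method now goes through `formBoundary`, so later code could pick up the predictable delimiter again; if nothing outside these hunks references it, the declaration should be dropped. The new `kVKMultipartFormBoundaryPrefix` is declared `static NSString const *`, which leaves the pointer itself reassignable, unlike the `NSString *const` form on the line above it; `static NSString *const kVKMultipartFormBoundaryPrefix = @"VK_SDK";` would match. A short comment above `formBoundary` would record the reason for the randomness, e.g. `// Per-request random boundary: uploaded bytes must not be able to contain the part delimiter.` The method's signature lies outside the hunk, so how `images` reaches this code cannot be judged from here.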