mirror of https://github.com/VKCOM/vk-ios-sdk.git synced 2024-09-11 06:45:37 +03:00

Fix potentially vulnerable code

Alexander Grebenschikov 2016-07-30 11:57:10 +03:00
parent b7da2f2a8a
commit c7548404dd
2 changed files with 7 additions and 5 deletions


@ -230,7 +230,7 @@
ORGANIZATIONNAME = VK;
TargetAttributes = {
F3EEFF651827B1DD000BB525 = {
DevelopmentTeam = R26JY69RPL;
DevelopmentTeam = D4KTSC4PP8;
};
};
};


@ -31,7 +31,8 @@
static VKHTTPClient *__clientInstance = nil;
static NSString const *VK_API_URI = @"api.vk.com/method/";
static NSString *const kVKMultipartFormBoundary = @"Boundary(======VK_SDK======)";
static NSString const *kVKMultipartFormBoundaryPrefix = @"VK_SDK";
@interface VKHTTPClient ()
@property(readwrite, nonatomic, strong) NSMutableDictionary *defaultHeaders;
@ -130,19 +131,20 @@ static NSString *const kVKMultipartFormBoundary = @"Boundary(======VK_SDK======)
NSParameterAssert(![method isEqualToString:@"GET"] && ![method isEqualToString:@"HEAD"]);
NSMutableURLRequest *request = [self requestWithMethod:method path:path parameters:nil secure:YES];
NSString *contentType = [NSString stringWithFormat:@"multipart/form-data; boundary=%@", kVKMultipartFormBoundary];
NSString *formBoundary = [NSString stringWithFormat:@"%@.boundary.%08x%08x", kVKMultipartFormBoundaryPrefix, arc4random(), arc4random()];
NSString *contentType = [NSString stringWithFormat:@"multipart/form-data; boundary=%@", formBoundary];
[request addValue:contentType forHTTPHeaderField:@"Content-Type"];
NSMutableData *postbody = [NSMutableData data];
for (NSUInteger i = 0; i < images.count; i++) {
VKUploadImage *uploadImageObject = images[i];
NSString *fileName = [NSString stringWithFormat:@"file%d", (int) (i + 1)];
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@\r\n", kVKMultipartFormBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@\r\n", formBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"Content-Disposition: form-data; name=\"%@\"; filename=\"%@.%@\"\r\n", fileName, fileName, [uploadImageObject.parameters fileExtension]] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"Content-Type: %@\r\n\r\n", [uploadImageObject.parameters mimeType]] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:uploadImageObject.imageData];
}
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@--\r\n", kVKMultipartFormBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[postbody appendData:[[NSString stringWithFormat:@"\r\n--%@--\r\n", formBoundary] dataUsingEncoding:NSUTF8StringEncoding]];
[request setHTTPBody:postbody];
return request;
}
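Review bot: The new `kVKMultipartFormBoundaryPrefix` is declared `static NSString const *`, which leaves the pointer itself reassignable; it should follow the declaration just above it, `static NSString *const kVKMultipartFormBoundaryPrefix = @"VK_SDK";`. The old fixed `kVKMultipartFormBoundary` still appears to be defined after this change, and removing it would keep later code from reusing a predictable delimiter. Because the commit message does not say what was wrong, a comment above `formBoundary` would help the next reader, for example `// Per-request random boundary: a fixed delimiter can also occur inside uploaded data and end a part early.` Separately, `fileExtension` and `mimeType` are formatted into the part headers unescaped, which is safe only if they come from a fixed set of values; that is not visible here and is worth confirming. The enclosing method starts outside the hunk, so its signature and callers were not reviewed.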