source: josm/trunk/src/org/openstreetmap/josm/io/remotecontrol/handler/ImportHandler.java@ 7749

Last change on this file since 7749 was 7749, checked in by bastiK, 9 years ago

remotecontrol /import: only allow whitelisted download tasks to be called from remotecontrol

Turned off import of session files for now.
I think it is not really an issue at the moment, but as new features are added,
it may accidentally get overlooked.
E.g. any JavaScript execution with the Rhino engine, as we currently do when loading
preference snippets, is a no-go.

In order to enable remotecontrol for a plugin download-task, override the method
isSafeForRemotecontrolRequests() in AbstractDownloadTask or derive from a
class that is already whitelisted (e.g. DownloadOsmTask).

File size: 5.3 KB
1// License: GPL. For details, see LICENSE file.
2package org.openstreetmap.josm.io.remotecontrol.handler;
3
4import static org.openstreetmap.josm.tools.I18n.tr;
5
6import java.net.MalformedURLException;
7import java.net.URL;
8import java.util.Collection;
9import java.util.HashMap;
10
11import org.openstreetmap.josm.Main;
12import org.openstreetmap.josm.actions.downloadtasks.DownloadOsmTask;
13import org.openstreetmap.josm.actions.downloadtasks.DownloadTask;
14import org.openstreetmap.josm.io.remotecontrol.PermissionPrefWithDefault;
15import org.openstreetmap.josm.tools.Utils;
16
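/**
 * Remote control handler for the {@code /import} command.
 *
 * <p>The request carries a {@code url} parameter naming the data to fetch. The URL is
 * supplied by whoever issues the remote control request, so it is treated as untrusted:
 * it is parsed with {@link URL}, matched against the available download tasks, and shown
 * to the user in the permission message before anything is loaded.
 */
public class ImportHandler extends RequestHandler {

    /**
     * The remote control command name used to import data.
     */
    public static final String command = "import";

    /** The validated import URL; set by {@link #validateRequest()}. */
    private URL url;
    /** Download tasks found for {@link #url}; set by {@link #validateRequest()}. */
    private Collection<DownloadTask> suitableDownloadTasks;

    /**
     * Loads the URL with the first suitable download task.
     *
     * @throws RequestHandlerErrorException if the task throws; the original exception is kept as cause
     */
    @Override
    protected void handleRequest() throws RequestHandlerErrorException {
        try {
            if (suitableDownloadTasks != null && !suitableDownloadTasks.isEmpty()) {
                // TODO: handle multiple suitable download tasks ?
                suitableDownloadTasks.iterator().next().loadUrl(isLoadInNewLayer(), url.toExternalForm(), null);
            }
        } catch (Exception ex) {
            Main.warn("RemoteControl: Error parsing import remote control request:");
            Main.error(ex);
            throw new RequestHandlerErrorException(ex);
        }
    }

    @Override
    public String[] getMandatoryParams() {
        return new String[]{"url"};
    }

    @Override
    public String[] getOptionalParams() {
        return new String[] {"new_layer"};
    }

    @Override
    public String getUsage() {
        return "downloads the specified OSM file and adds it to the current data set";
    }

    @Override
    public String[] getUsageExamples() {
        return new String[] { "/import?url="+Main.getJOSMWebsite()+"/browser/josm/trunk/data_nodist/direction-arrows.osm" };
    }

    /**
     * Builds the HTML text shown to the user when asking for permission to import.
     *
     * <p>If a suitable download task is known, its confirmation message is used; otherwise
     * the raw URL is shown. The raw URL comes straight from the request, so it is
     * HTML-escaped before being concatenated into the markup: otherwise characters such as
     * {@code <} or {@code &} in the URL could alter what the confirmation text displays.
     *
     * @return the permission message, as an HTML fragment
     */
    @Override
    public String getPermissionMessage() {
        // URL can be any suitable URL giving back OSM data, including OSM API calls, even if calls to the main API
        // should rather be passed to LoadAndZoomHandler or LoadObjectHandler.
        // Other API instances will however use the import handler to force JOSM to make requests to this API instance.
        // (Example with OSM-FR website that makes calls to the OSM-FR API)
        // For user-friendliness, let's try to decode these OSM API calls to give a better confirmation message.
        String taskMessage = null;
        if (suitableDownloadTasks != null && !suitableDownloadTasks.isEmpty()) {
            // TODO: handle multiple suitable download tasks ?
            // NOTE(review): the task's message is inserted as-is because it may contain intentional
            // markup; whether it escapes URL-derived text is not visible in this file - confirm.
            taskMessage = suitableDownloadTasks.iterator().next().getConfirmationMessage(url);
        }
        return tr("Remote Control has been asked to import data from the following URL:")
                + "<br>" + (taskMessage == null ? escapeHtml(url.toString()) : taskMessage);
    }

    /**
     * Escapes the characters that are significant in HTML text and attribute values.
     *
     * @param text the text to escape, must not be null
     * @return {@code text} with {@code &}, {@code <}, {@code >} and {@code "} replaced by entities
     */
    private static String escapeHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
            case '&':
                sb.append("&amp;");
                break;
            case '<':
                sb.append("&lt;");
                break;
            case '>':
                sb.append("&gt;");
                break;
            case '"':
                sb.append("&quot;");
                break;
            default:
                sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public PermissionPrefWithDefault getPermissionPref() {
        return PermissionPrefWithDefault.IMPORT_DATA;
    }

    /**
     * Splits the query string of the request into arguments.
     *
     * <p>The {@code url} parameter is handled specially so that it may itself contain
     * {@code &} and {@code =}:
     * <ul>
     * <li>if the query starts with {@code url=}, everything after it is the URL and no other
     * parameter is parsed;</li>
     * <li>otherwise, if {@code &url=} occurs, everything after its first occurrence is the URL
     * and only the part before it is parsed as {@code key=value} pairs;</li>
     * <li>otherwise, a {@code #fragment} is cut off and the rest is parsed as
     * {@code key=value} pairs.</li>
     * </ul>
     * Only the {@code url} value goes through {@code decodeParam}; other values are stored as received.
     */
    @Override
    protected void parseArgs() {
        HashMap<String, String> args = new HashMap<>();
        if (request.indexOf('?') != -1) {
            String query = request.substring(request.indexOf('?') + 1);
            if (query.indexOf("url=") == 0) {
                args.put("url", decodeParam(query.substring(4)));
            } else {
                int urlIdx = query.indexOf("&url=");
                if (urlIdx != -1) {
                    args.put("url", decodeParam(query.substring(urlIdx + 5)));
                    query = query.substring(0, urlIdx);
                } else {
                    if (query.indexOf('#') != -1) {
                        query = query.substring(0, query.indexOf('#'));
                    }
                }
                String[] params = query.split("&", -1);
                for (String param : params) {
                    int eq = param.indexOf('=');
                    if (eq != -1) {
                        args.put(param.substring(0, eq), param.substring(eq + 1));
                    }
                }
            }
        }
        this.args = args;
    }

    /**
     * Checks that the {@code url} argument parses as a URL and looks up the download tasks for it.
     *
     * @throws RequestHandlerBadRequestException if the URL is malformed
     */
    @Override
    protected void validateRequest() throws RequestHandlerBadRequestException {
        String urlString = args.get("url");
        if (Main.pref.getBoolean("remotecontrol.importhandler.fix_url_query", true)) {
            urlString = Utils.fixURLQuery(urlString);
        }
        try {
            // Ensure the URL is valid
            // NOTE(review): this only checks syntax. No restriction on the scheme or host is applied
            // in this method; whether the download tasks restrict them is not visible here - confirm.
            url = new URL(urlString);
        } catch (MalformedURLException e) {
            throw new RequestHandlerBadRequestException("MalformedURLException: "+e.getMessage(), e);
        }
        // Find download tasks for the given URL
        // NOTE(review): the second argument is presumably the "called from remote control" flag that
        // limits the result to whitelisted tasks - confirm against findDownloadTasks.
        suitableDownloadTasks = Main.main.menu.openLocation.findDownloadTasks(urlString, true);
        if (suitableDownloadTasks.isEmpty()) {
            // It should maybe be better to reject the request in that case ?
            // For compatibility reasons with older instances of JOSM, arbitrary choice of DownloadOsmTask
            // Consequence: a URL that matches no task is still fetched, using DownloadOsmTask.
            suitableDownloadTasks.add(new DownloadOsmTask());
        }
    }
}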