
Require security token when calling CallbackServer via XHR.

1 parent 2e5d6f5 commit f7254044ee6782951548ec97220d385587a70931 @brycecurtis committed Oct 29, 2010
Showing with 50 additions and 28 deletions.
  1. +4 −1 framework/assets/js/phonegap.js.base
  2. +46 −27 framework/src/com/phonegap/CallbackServer.java
@@ -578,6 +578,9 @@ PhoneGap.run_command = function() {
};
+PhoneGap.JSCallbackPort = CallbackServer.getPort();
+PhoneGap.JSCallbackToken = CallbackServer.getToken();
+
/**
* This is only for Android.
*
@@ -623,7 +626,7 @@ PhoneGap.JSCallback = function() {
}
}
- xmlhttp.open("GET", "http://127.0.0.1:"+CallbackServer.getPort()+"/" , true);
+ xmlhttp.open("GET", "http://127.0.0.1:"+PhoneGap.JSCallbackPort+"/"+PhoneGap.JSCallbackToken , true);
xmlhttp.send();
};
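Review bot: `PhoneGap.JSCallbackPort` and `PhoneGap.JSCallbackToken` are captured once at script load, whereas the Java side of this commit only assigns `token` inside `run()` after the ServerSocket is bound, so if this script executes before the server thread reaches that point the captured token (and port) are null and every later XHR is rejected with no retry. The old line read `CallbackServer.getPort()` at request time; keeping that pattern for both values avoids the ordering dependency: `xmlhttp.open("GET", "http://127.0.0.1:"+CallbackServer.getPort()+"/"+CallbackServer.getToken(), true);`. If the two globals are kept for other callers, a comment on line 578 such as `// NOTE: valid only after CallbackServer.startServer() has bound its socket` would document the assumption. `PhoneGap.JSCallback` starts outside this hunk, so whether it already handles a failed open cannot be confirmed from here.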
@@ -72,6 +72,11 @@
private boolean usePolling;
/**
+ * Security token to prevent other apps from accessing this callback server via XHR
+ */
+ private String token;
+
+ /**
* Constructor.
*/
public CallbackServer() {
@@ -109,6 +114,15 @@ public int getPort() {
}
/**
+ * Get the security token that this server requires when calling getJavascript().
+ *
+ * @return
+ */
+ public String getToken() {
+ return this.token;
+ }
+
+ /**
* Start the server on a new thread.
*/
public void startServer() {
@@ -145,6 +159,8 @@ public void run() {
ServerSocket waitSocket = new ServerSocket(0);
this.port = waitSocket.getLocalPort();
//System.out.println(" -- using port " +this.port);
+ this.token = java.util.UUID.randomUUID().toString();
+ //System.out.println(" -- using token "+this.token);
while (this.active) {
//System.out.println("CallbackServer: Waiting for data on socket");
@@ -153,36 +169,39 @@ public void run() {
DataOutputStream output = new DataOutputStream(connection.getOutputStream());
request = xhrReader.readLine();
//System.out.println("Request="+request);
- if(request.contains("GET"))
- {
- //System.out.println(" -- Processing GET request");
-
- // Wait until there is some data to send, or send empty data every 30 sec
- // to prevent XHR timeout on the client
- synchronized (this) {
- while (this.empty) {
- try {
- this.wait(30000); // prevent timeout from happening
- //System.out.println(">>> break <<<");
- break;
+ if (request.contains("GET")) {
+
+ // Must have security token
+ if (request.substring(5,41).equals(this.token)) {
+ //System.out.println(" -- Processing GET request");
+
+ // Wait until there is some data to send, or send empty data every 30 sec
+ // to prevent XHR timeout on the client
+ synchronized (this) {
+ while (this.empty) {
+ try {
+ this.wait(30000); // prevent timeout from happening
+ //System.out.println(">>> break <<<");
+ break;
+ }
+ catch (Exception e) { }
}
- catch (Exception e) { }
- }
- }
-
- // If server is still running
- if (this.active) {
-
- // If no data, then send 404 back to client before it times out
- if (this.empty) {
- //System.out.println(" -- sending data 0");
- output.writeBytes("HTTP/1.1 404 NO DATA\r\n\r\n");
}
- else {
- //System.out.println(" -- sending item");
- output.writeBytes("HTTP/1.1 200 OK\r\n\r\n"+this.getJavascript());
+
+ // If server is still running
+ if (this.active) {
+
+ // If no data, then send 404 back to client before it times out
+ if (this.empty) {
+ //System.out.println(" -- sending data 0");
+ output.writeBytes("HTTP/1.1 404 NO DATA\r\n\r\n");
+ }
+ else {
+ //System.out.println(" -- sending item");
+ output.writeBytes("HTTP/1.1 200 OK\r\n\r\n"+this.getJavascript());
+ }
}
- }
+ }
}
//System.out.println("CallbackServer: closing output");
output.close();
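Review bot: `request.substring(5,41)` throws StringIndexOutOfBoundsException for any request line shorter than 41 characters, e.g. a plain `GET / HTTP/1.1` from a probing client, so a malformed request can take down the accept loop instead of being rejected; whether an enclosing try in `run()` (which starts and ends outside this hunk) absorbs it cannot be seen here, and `request` itself may be null if `readLine()` hits end of stream before the `contains("GET")` call. Comparing the parsed path rather than a fixed slice avoids both the length assumption and the crash: `String[] parts = request.split(" ");` / `String path = parts.length > 1 ? parts[1] : "";` / `if (path.equals("/" + this.token)) {`. A rejected request currently falls through to `output.close()` with nothing written, so the client sees an empty reply rather than an explicit refusal; an `else` branch writing `HTTP/1.1 403 FORBIDDEN\r\n\r\n` would make the outcome observable and easier to diagnose. Separately, `token` is written on the server thread and read from the main thread via `getToken()` with no synchronization, so declaring it `private volatile String token;` in the earlier hunk would make the published value visible, and the empty `@return` on `getToken()` should say "the per-launch token, or null until the server thread has started".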
