X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fio%2FHTTPResponse.h;h=fa70d5b3018b5e6dbf4609784ee43fd0b5880439;hb=2d795c731e6729309044607154978696a87fd900;hp=77aec51424065a641a2b9d9f9c3c4c7da895b984;hpb=ec5e96970f4fbb473458ce61478d02e684afd8ed;p=shibboleth%2Fcpp-xmltooling.git

diff --git a/xmltooling/io/HTTPResponse.h b/xmltooling/io/HTTPResponse.h
index 77aec51..fa70d5b 100644
--- a/xmltooling/io/HTTPResponse.h
+++ b/xmltooling/io/HTTPResponse.h
@@ -1,23 +1,27 @@
-/*
- *  Copyright 2001-2007 Internet2
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
  *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
  */
 
 /**
  * @file xmltooling/io/HTTPResponse.h
  * 
- * Interface to HTTP response.
+ * Interface to HTTP responses.
  */
 
 #ifndef __xmltooling_httpres_h__
@@ -25,8 +29,16 @@
 
 #include <xmltooling/io/GenericResponse.h>
 
+#include <string>
+#include <vector>
+
 namespace xmltooling {
-    
+
+#if defined (_MSC_VER)
+    #pragma warning( push )
+    #pragma warning( disable : 4251 )
+#endif
+
     /**
      * Interface to HTTP response.
      * 
@@ -38,63 +50,80 @@ namespace xmltooling {
      */
     class XMLTOOL_API HTTPResponse : public GenericResponse {
     protected:
-        HTTPResponse() {}
+        HTTPResponse();
     public:
-        virtual ~HTTPResponse() {}
+        virtual ~HTTPResponse();
         
-        void setContentType(const char* type) {
-            setResponseHeader("Content-Type", type);
-        }
+        void setContentType(const char* type);
         
         /**
          * Sets or clears a response header.
          * 
          * @param name  header name
-         * @param value value to set, or NULL to clear
+         * @param value value to set, or nullptr to clear
          */
-        virtual void setResponseHeader(const char* name, const char* value)=0;
+        virtual void setResponseHeader(const char* name, const char* value);
 
         /**
          * Sets a client cookie.
          * 
          * @param name  cookie name
-         * @param value value to set, or NULL to clear
+         * @param value value to set, or nullptr to clear
          */
-        virtual void setCookie(const char* name, const char* value) {
-            std::string cookie(name);
-            cookie = cookie + '=' + value;
-            setResponseHeader("Set-Cookie", cookie.c_str());
-        }
+        virtual void setCookie(const char* name, const char* value);
         
         /**
          * Redirect the client to the specified URL and complete the response.
-         * Any headers previously set will be sent ahead of the redirect.
          * 
+         * <p>Any headers previously set will be sent ahead of the redirect.
+         *
+         * <p>The URL will be validated with the sanitizeURL method below.
+         *
          * @param url   location to redirect client
          * @return a result code to return from the calling MessageEncoder
          */
-        virtual long sendRedirect(const char* url)=0;
+        virtual long sendRedirect(const char* url);
         
         /** Some common HTTP status codes. */
         enum status_t {
             XMLTOOLING_HTTP_STATUS_OK = 200,
             XMLTOOLING_HTTP_STATUS_MOVED = 302,
+            XMLTOOLING_HTTP_STATUS_NOTMODIFIED = 304,
             XMLTOOLING_HTTP_STATUS_UNAUTHORIZED = 401,
             XMLTOOLING_HTTP_STATUS_FORBIDDEN = 403,
             XMLTOOLING_HTTP_STATUS_NOTFOUND = 404,
             XMLTOOLING_HTTP_STATUS_ERROR = 500
         };
         
+        long sendError(std::istream& inputStream);
+
         using GenericResponse::sendResponse;
+        long sendResponse(std::istream& inputStream);
 
-        long sendError(std::istream& inputStream) {
-            return sendResponse(inputStream, XMLTOOLING_HTTP_STATUS_ERROR);
-        }
+        /**
+         * Returns a modifiable array of schemes to permit in sanitized URLs.
+         *
+         * <p>Updates to this array must be externally synchronized with any use
+         * of this class or its subclasses.
+         *
+         * @return  a mutable array of strings containing the schemes to permit
+         */
+        static std::vector<std::string>& getAllowedSchemes();
+
+        /**
+         * Manually check for unsafe URLs vulnerable to injection attacks.
+         *
+         * @param url   location to check
+         */
+        static void sanitizeURL(const char* url);
 
-        long sendResponse(std::istream& inputStream) {
-            return sendResponse(inputStream, XMLTOOLING_HTTP_STATUS_OK);
-        }
+    private:
+        static std::vector<std::string> m_allowedSchemes;
     };
+
+#if defined (_MSC_VER)
+    #pragma warning( pop )
+#endif
 };
 
 #endif /* __xmltooling_httpres_h__ */