Index: base/applications/rapps/loaddlg.c =================================================================== --- base/applications/rapps/loaddlg.c (revision 69426) +++ base/applications/rapps/loaddlg.c (working copy) @@ -227,15 +227,15 @@ BOOL Ret = FALSE; INTERNET_CERTIFICATE_INFOW certInfo; - hConnect = InternetConnectW(hInternet, lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, 0); + hConnect = InternetConnectW(hInternet, lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, 0); if (hConnect) { hRequest = HttpOpenRequestW(hConnect, L"HEAD", NULL, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0); if (hRequest != NULL) - { + { Ret = HttpSendRequestW(hRequest, L"", 0, NULL, 0); - if (Ret) - { + if (Ret) + { certInfoLength = sizeof(INTERNET_CERTIFICATE_INFOW); Ret = InternetQueryOptionW(hRequest, INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT, @@ -243,7 +243,7 @@ &certInfoLength); if (Ret) { - if (certInfo.lpszEncryptionAlgName) + if (certInfo.lpszEncryptionAlgName) LocalFree(certInfo.lpszEncryptionAlgName); if (certInfo.lpszIssuerInfo) { @@ -251,11 +251,11 @@ Ret = FALSE; LocalFree(certInfo.lpszIssuerInfo); } - if (certInfo.lpszProtocolName) + if (certInfo.lpszProtocolName) LocalFree(certInfo.lpszProtocolName); - if (certInfo.lpszSignatureAlgName) + if (certInfo.lpszSignatureAlgName) LocalFree(certInfo.lpszSignatureAlgName); - if (certInfo.lpszSubjectInfo) + if (certInfo.lpszSubjectInfo) { if (strcmp((LPSTR)certInfo.lpszSubjectInfo, CERT_SUBJECT_INFO) != 0) Ret = FALSE; @@ -276,7 +276,7 @@ { IBindStatusCallback *dl = NULL; WCHAR path[MAX_PATH]; - LPWSTR p; + PWSTR p, q; HWND Dlg = (HWND) Context; DWORD dwContentLen, dwBytesWritten, dwBytesRead, dwStatus; DWORD dwCurrentBytesRead = 0; @@ -290,27 +290,38 @@ unsigned char lpBuffer[4096]; const LPWSTR lpszAgent = L"RApps/1.0"; URL_COMPONENTS urlComponents; - size_t urlLength; + size_t urlLength, filenameLength; - /* built the path for the download */ + /* build the path for the download */ p = wcsrchr(AppInfo->szUrlDownload, L'/'); + q = wcsrchr(AppInfo->szUrlDownload, L'?'); + /* do we have a final slash separator? */ if (!p) goto end; - if (wcscmp(AppInfo->szUrlDownload, APPLICATION_DATABASE_URL) == 0) - { - bCab = TRUE; - if (!GetStorageDirectory(path, sizeof(path) / sizeof(path[0]))) - goto end; - } - else - { - if (FAILED(StringCbCopyW(path, sizeof(path), SettingsInfo.szDownloadDir))) - goto end; - } + /* prepare the tentative length of the filename, maybe we've to remove part of it later on */ + filenameLength = wcslen(p) * sizeof(WCHAR); + /* do we have query arguments in the target URL after the filename? account for them + (e.g. https://example.org/myfile.exe?no_adware_plz) */ + if (q && q > p && (q - p) > 0) + filenameLength -= wcslen(q - 1) * sizeof(WCHAR); + /* is this URL an update package for RAPPS? if so store it in a different place */ + if (wcscmp(AppInfo->szUrlDownload, APPLICATION_DATABASE_URL) == 0) + { + bCab = TRUE; + if (!GetStorageDirectory(path, _countof(path))) + goto end; + } + else + { + if (FAILED(StringCbCopyW(path, sizeof(path), SettingsInfo.szDownloadDir))) + goto end; + } + + /* is the path valid? can we access it? */ if (GetFileAttributesW(path) == INVALID_FILE_ATTRIBUTES) { if (!CreateDirectoryW(path, NULL)) @@ -317,12 +328,13 @@ goto end; } + /* append a \ to the provided file system path, and the filename portion from the URL after that */ if (FAILED(StringCbCatW(path, sizeof(path), L"\\"))) goto end; - if (FAILED(StringCbCatW(path, sizeof(path), p + 1))) + if (FAILED(StringCbCatNW(path, sizeof(path), p + 1, filenameLength))) goto end; - /* download it */ + /* create an async download context for it */ bTempfile = TRUE; dl = CreateDl(Context, &bCancelled); @@ -329,6 +341,7 @@ if (dl == NULL) goto end; + /* FIXME: this should just be using the system-wide proxy settings */ switch(SettingsInfo.Proxy) { case 0: /* preconfig */ @@ -348,7 +361,7 @@ if (!hOpen) goto end; - hFile = InternetOpenUrlW(hOpen, AppInfo->szUrlDownload, NULL, 0, INTERNET_FLAG_PRAGMA_NOCACHE|INTERNET_FLAG_KEEP_CONNECTION, 0); + hFile = InternetOpenUrlW(hOpen, AppInfo->szUrlDownload, NULL, 0, INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_KEEP_CONNECTION, 0); if (!hFile) goto end; @@ -373,15 +386,15 @@ if(FAILED(StringCbLengthW(AppInfo->szUrlDownload, sizeof(AppInfo->szUrlDownload), &urlLength))) goto end; - + urlComponents.dwSchemeLength = urlLength*sizeof(WCHAR); urlComponents.lpszScheme = malloc(urlComponents.dwSchemeLength); urlComponents.dwHostNameLength = urlLength*sizeof(WCHAR); urlComponents.lpszHostName = malloc(urlComponents.dwHostNameLength); - + if(!InternetCrackUrlW(AppInfo->szUrlDownload, urlLength+1, ICU_DECODE | ICU_ESCAPE, &urlComponents)) goto end; - + if(urlComponents.nScheme == INTERNET_SCHEME_HTTP || urlComponents.nScheme == INTERNET_SCHEME_HTTPS) HttpQueryInfo(hFile, HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER, &dwContentLen, &dwStatus, 0); @@ -389,7 +402,10 @@ dwContentLen = FtpGetFileSize(hFile, &dwStatus); #ifdef USE_CERT_PINNING - if ((urlComponents.nScheme == INTERNET_SCHEME_HTTPS) && (!CertIsValid(hOpen, urlComponents.lpszHostName))) + /* are we using HTTPS to download the RAPPS update package? check if the certificate is original */ + if ((urlComponents.nScheme == INTERNET_SCHEME_HTTPS) && + (wcscmp(AppInfo->szUrlDownload, APPLICATION_DATABASE_URL) == 0) && + (!CertIsValid(hOpen, urlComponents.lpszHostName))) { WCHAR szMsgText[MAX_STR_LEN]; @@ -396,7 +412,7 @@ if (!LoadStringW(hInst, IDS_CERT_DOES_NOT_MATCH, szMsgText, sizeof(szMsgText) / sizeof(WCHAR))) goto end; - MessageBoxW(hMainWnd, szMsgText, NULL, MB_OK | MB_ICONERROR); + MessageBoxW(Dlg, szMsgText, NULL, MB_OK | MB_ICONERROR); goto end; } #endif