From 905f93bcccd26a035cc9d37378b45ff87298adb5 Mon Sep 17 00:00:00 2001
From: linkmauve <linkmauve@linkmauve.fr>
Date: Sun, 28 Nov 2021 22:54:48 +0100
Subject: [PATCH] Reject non-TLS URLs in HTTP File Upload (#1098)

* Reject non-TLS URLs in HTTP File Upload

This is a MUST in the XEP.

* Update 0363_http_file_upload.vala

Co-authored-by: fiaxh <fiaxh@users.noreply.github.com>
---
 xmpp-vala/src/module/xep/0363_http_file_upload.vala | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xmpp-vala/src/module/xep/0363_http_file_upload.vala b/xmpp-vala/src/module/xep/0363_http_file_upload.vala
index 0acc9602..996128e2 100644
--- a/xmpp-vala/src/module/xep/0363_http_file_upload.vala
+++ b/xmpp-vala/src/module/xep/0363_http_file_upload.vala
@@ -72,6 +72,11 @@ public class Module : XmppStreamModule {
                 Idle.add((owned) callback);
                 return;
             }
+            if (!url_get.down().has_prefix("https://") || !url_put.down().has_prefix("https://")) {
+                e = new HttpFileTransferError.SLOT_REQUEST("Error getting upload/download url: Received non-https URL from server");
+                Idle.add((owned) callback);
+                return;
+            }
 
             slot_result.headers = new HashMap<string, string>();