Timestamp:
2014-03-13T14:34:48+13:00
Author:
ak19
Message:

First security commit. 1. Introducing the new securitools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

File:
1 edited

  • main/trunk/greenstone2/macros/collect.dm

    r23310 r28888  
    4141
    4242_httpinfo_ {_gwcgi_?e=_compressedoptions_&p=info}
    43 _httpview_ {_gwcgi_?a=p&p=about&c=_cgiargbc1dirname_}
     43_httpview_ {_gwcgi_?a=p&p=about&c=_cgiargbc1dirnameUrlsafe_}
    4444
    4545
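Review bot: the `c=` parameter in `_httpview_` now gets the URL-encoded variant, but `e=_compressedoptions_` on the same line (and the whole of `_httpinfo_` on the line above) is still interpolated unencoded; if `e` is deliberately out of scope for this commit (the message names only c, d and p), a short comment in the macro file would make that intentional rather than an oversight. Both URLs also join query parameters with a raw `&`; if these macros expand inside an HTML attribute the separator should be `&amp;`, which is pre-existing but cheap to fix while the line is being touched.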
     
    144144<form name="collectorform" method=post action="_gwcgi_">
    145145<input type=hidden name="e" value="_decodedcompressedoptions_">
    146 <input type=hidden name="p" value="_cgiargp_">
     146<input type=hidden name="p" value="_cgiargpAttrsafe_">
    147147<input type=hidden name="bc1dodelete" value="0">
    148148<input type=hidden name="bc1esrce" value="0">
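Review bot: the `p` hidden field now uses `_cgiargpAttrsafe_` inside a double-quoted `value` attribute, which is the right variant for that context, but the `e` field directly above still echoes `_decodedcompressedoptions_` into the same kind of attribute unencoded. Since this pair repeats in every form in this file, either confirm that the decoded compressed options can never contain `"` or plan an attribute-safe variant for it, and say which in the commit message.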
     
    247247<form name="collectorform" method=post action="_gwcgi_">
    248248<input type=hidden name="e" value="_decodedcompressedoptions_">
    249 <input type=hidden name="p" value="_cgiargp_">
     249<input type=hidden name="p" value="_cgiargpAttrsafe_">
    250250<input type=hidden name="bc1infochanged" value="0">
    251251
     
    261261<p>_textwcanc_
    262262<h4>_texttfc_</h4>
    263 <input type="text" name="bc1fullname" value="_cgiargbc1fullname_"
     263<input type="text" name="bc1fullname" value="_cgiargbc1fullnameAttrsafe_"
    264264onChange="document.collectorform.bc1infochanged.value=1;") size=72>
    265265<br>_texttctiasp_
    266266<h4>_textcea_</h4>
    267 <input type="text" name="bc1contactemail" value="_cgiargbc1contactemail_"
     267<input type="text" name="bc1contactemail" value="_cgiargbc1contactemailAttrsafe_"
    268268onChange="document.collectorform.bc1infochanged.value=1;" size=72>
    269269<br>
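Review bot: the unchanged context line `onChange="document.collectorform.bc1infochanged.value=1;") size=72>` has a stray `)` after the closing quote, which the browser will parse as a bogus attribute; the `bc1contactemail` input two lines below has the correct form, so drop the `)` while this block is being edited. The switch to the `Attrsafe` variants for both `value` attributes is correct because both are double-quoted.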
     
    273273<textarea name="bc1aboutdesc"  cols=72 rows=6 wrap=physical
    274274onChange="document.collectorform.bc1infochanged.value=1;">
    275 _cgiargbc1aboutdesc_
     275_cgiargbc1aboutdescHtmlsafe_
    276276</textarea>
    277277<br>_texttiasd_
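Review bot: the HTML-entity-encoded variant is the right choice for textarea content: textarea is RCDATA, so the browser decodes entities back to the literal text for the user, while an encoded `<` can no longer close the element early with an injected `</textarea>`. Confirm that `_cgiargbc1aboutdescHtmlsafe_` encodes at least `<`, `>`, `&` and `"`, and that the receptionist does not entity-decode the value again before expanding it, since a second decode would undo the protection.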
     
    371371<form name="collectorform" method=post action="_gwcgi_">
    372372<input type=hidden name="e" value="_decodedcompressedoptions_">
    373 <input type=hidden name="p" value="_cgiargp_">
     373<input type=hidden name="p" value="_cgiargpAttrsafe_">
    374374<input type=hidden name="bc1fromsrce" value="0">
    375375<input type=hidden name="bc1clonechanged" value="0">
    376 <input type=hidden name="bc1clone" value="_cgiargbc1clone_">
    377 <input type=hidden name="bc1inputnum" value="_cgiargbc1inputnum_">
     376<input type=hidden name="bc1clone" value="_cgiargbc1cloneAttrsafe_">
     377<input type=hidden name="bc1inputnum" value="_cgiargbc1inputnumAttrsafe_">
    378378
    379379<center>
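Review bot: this hunk and the earlier ones in this file protect `bc1clone`, `bc1inputnum`, `bc1fullname`, `bc1contactemail` and `bc1aboutdesc` as well, whereas the commit message says only the c, d and p variables receive the minimum changes; update the message to list the bc1* parameters covered so the scope of the change is accurate for anyone auditing it later.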
     
    424424<form name="collectorform" method=post action="_gwcgi_">
    425425<input type=hidden name="e" value="_decodedcompressedoptions_">
    426 <input type=hidden name="p" value="_cgiargp_">
    427 <input type=hidden name="bc1cfgchanged" value="_cgiargbc1cfgchanged_">
     426<input type=hidden name="p" value="_cgiargpAttrsafe_">
     427<input type=hidden name="bc1cfgchanged" value="_cgiargbc1cfgchangedAttrsafe_">
    428428
    429429<center>
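Review bot: `bc1infochanged` and `bc1clonechanged` are written as a literal `0` elsewhere in this file, which suggests `bc1cfgchanged` is likewise a numeric flag rather than free text; attribute encoding is harmless here, but an allow-list check (accept only `0` or `1`) at the point where the cgiarg is read would be a stronger control than output encoding for a value that is never meant to carry arbitrary characters.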
     
    476476<form name="collectorform" method=post action="_gwcgi_">
    477477<input type=hidden name="e" value="_decodedcompressedoptions_">
    478 <input type=hidden name="p" value="_cgiargp_">
     478<input type=hidden name="p" value="_cgiargpAttrsafe_">
    479479
    480480<frameset rows="*,160" border=0>
     
    495495  </noframes>
    496496  <frame src="_gwcgi_?e=_compressedoptions_&p=bildframe1">
    497   <frame src="_gwcgi_?e=_compressedoptions_&p=bildstatus&c=_cgiargbc1dirname_">
     497  <frame src="_gwcgi_?e=_compressedoptions_&p=bildstatus&c=_cgiargbc1dirnameUrlsafe_">
    498498</frameset>
    499499</html>
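Review bot: `_cgiargbc1dirnameUrlsafe_` is interpolated into a URL that itself sits inside a double-quoted `src` attribute, so the value crosses two output contexts; a percent-encoded value is safe in the attribute only if the Urlsafe variant also percent-encodes `"` (and `&`), so confirm that, or apply attribute encoding on top of the URL encoding. The `&` separators in both frame `src` URLs should also be written as `&amp;` inside the attribute.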
     
    572572<form name="collectorform" method=post action="_gwcgi_">
    573573<input type=hidden name="e" value="_decodedcompressedoptions_">
    574 <input type=hidden name="p" value="_cgiargp_">
     574<input type=hidden name="p" value="_cgiargpAttrsafe_">
    575575
    576576</form>
     
    683683<form name="collectorform" method=post action="_gwcgi_">
    684684<input type=hidden name="e" value="_decodedcompressedoptions_">
    685 <input type=hidden name="p" value="_cgiargp_">
     685<input type=hidden name="p" value="_cgiargpAttrsafe_">
    686686
    687687</form>