Changeset 28888 for main/trunk/greenstone2/macros/document.dm

Timestamp:

2014-03-13T14:34:48+13:00 (10 years ago)

Author:

ak19

Message:

First security commit. 1. Introducing the new securitools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

File:

• main/trunk/greenstone2/macros/document.dm (modified) (9 diffs)

main/trunk/greenstone2/macros/document.dm

@@ -35 +35 @@
 _tocclose_ {</div>}
 
-_nextsearchresult_ {_If_("_cgiargsrn_" ne "0",<li id="nextresult"><a href="_httpquery_&amp;ifl=1&amp;ifln=_cgiargsrn_">_textnextsearchresult_</a></li>)}
-
-_prevsearchresult_ {_If_("_cgiargsrp_" ne "0",<li id="prevresult"><a href="_httpquery_&amp;ifl=1&amp;ifln=_cgiargsrp_">_textprevsearchresult_</a></li>)}
+_nextsearchresult_ {_If_("_cgiargsrn_" ne "0",<li id="nextresult"><a href="_httpquery_&amp;ifl=1&amp;ifln=_cgiargsrnUrlsafe_">_textnextsearchresult_</a></li>)}
+
+_prevsearchresult_ {_If_("_cgiargsrp_" ne "0",<li id="prevresult"><a href="_httpquery_&amp;ifl=1&amp;ifln=_cgiargsrpUrlsafe_">_textprevsearchresult_</a></li>)}
 
 _content_ {
@@ -142 +142 @@
 }
 
-_doc-url_ {_gwcgi_?e=_compressedoptions_&amp;a=_cgiarga_&amp;c=_cgiargc_&amp;cl=_cgiargcl_&amp;d=_cgiargd_}
+_docurl_ {_gwcgi_?e=_compressedoptions_&amp;a=_cgiargaUrlsafe_&amp;c=_cgiargcUrlsafe_&amp;cl=_cgiargclUrlsafe_&amp;d=_cgiargdUrlsafe_}
 
 _loginlink_ {
-<div id="usercommentlink"><a href="_doc-url_&amp;uan=1">_textaddusercomment_</a></div>
+<div id="usercommentlink"><a href="_docurl_&amp;uan=1">_textaddusercomment_</a></div>
 }
 
@@ -155 +155 @@
 <form name="AddUserCommentForm" id="usercommentform">
 <!--<p>_textcommentusername_ <input type="text" name="username"></p>-->
-<input type=hidden name="username" value="_cgiargun_">
+<input type=hidden name="username" value="_cgiargunAttrsafe_">
 <p>
 _textaddusercomment_
 <textarea name="comment" rows="10" cols="70"></textarea>
-<input type=hidden name="d" value="_cgiargd_">
+<input type=hidden name="d" value="_cgiargdAttrsafe_">
 </p>
 
@@ -165 +165 @@
 <label id="usercommentfeedback"></label>
 
-<div id="usercommentlogoutlink"><a href="_doc-url_&amp;un=">_textusercommentlogout_</a></div>
+<div id="usercommentlogoutlink"><a href="_docurl_&amp;un=">_textusercommentlogout_</a></div>
 </form>
 
@@ -297 +297 @@
 <form name="GotoForm" method="get" action="_gwcgi_">
 <input type=hidden name="e" value="_decodedcompressedoptions_">
-<input type=hidden name="d" value="_cgiargd_">
-<input type=hidden name="cl" value="_cgiargcl_">
+<input type=hidden name="d" value="_cgiargdAttrsafe_">
+<input type=hidden name="cl" value="_cgiargclAttrsafe_">
 <input type="text" name="gp" size="3" maxlength="4">
 <input type="submit" value="_textgoto_">
@@ -322 +322 @@
   <PARAM NAME=library      VALUE="_gwcgi_?e=_compressedoptions_">
   <PARAM NAME=phindcgi     VALUE="_gwcgi_?a=phind">
-  <PARAM NAME=collection   VALUE="_cgiargc_">
+  <PARAM NAME=collection   VALUE="_cgiargcAttrsafe_">
   <PARAM NAME=classifier   VALUE="_phindnumber_">
 
@@ -344 +344 @@
 
         <param name="gwcgi" value="_gwcgi_">
-        <param name="collection" value="_cgiargc_">
-        <param name="classifier" value="_cgiargcl_.1">
-
-        <param name="hrefMustHave" value="cl=_cgiargcl_.1">
+        <param name="collection" value="_cgiargcAttrsafe_">
+        <param name="classifier" value="_cgiargclAttrsafe_.1">
+
+        <param name="hrefMustHave" value="cl=_cgiargclAttrsafe_.1">
         <param name="imageMustNotHave" value="hl=\%x=\%gt=\%gc=\%.pr">
 
@@ -495 +495 @@
 
 
-_imagehighlight_ {_docbutton_(_httpcurrentdocument_&amp;hl=1&amp;gc=_cgiarggc_&amp;gt=_cgiarggt_,_textHIGHLIGHT_,_texticonhighlight_)}
-
-_imagenohighlight_ {_docbutton_(_httpcurrentdocument_&amp;hl=0&amp;gc=_cgiarggc_&amp;gt=_cgiarggt_,_document:textNOHIGHLIGHT_,_document:texticonnohighlight_)}
+_imagehighlight_ {_docbutton_(_httpcurrentdocument_&amp;hl=1&amp;gc=_cgiarggcUrlsafe_&amp;gt=_cgiarggtUrlsafe_,_textHIGHLIGHT_,_texticonhighlight_)}
+
+_imagenohighlight_ {_docbutton_(_httpcurrentdocument_&amp;hl=0&amp;gc=_cgiarggcUrlsafe_&amp;gt=_cgiarggtUrlsafe_,_document:textNOHIGHLIGHT_,_document:texticonnohighlight_)}
 
 _imagecontracttoc_ {_docbutton_(_httpcurrentdocument_&amp;gc=0,_textCONTRACTCONTENTS_,_texticoncontracttoc_)}
@@ -734 +734 @@
     ,
     //if no metadata was passed as link\, then the GS version of the document will be used.
-    a2a_config.linkurl = gsapi.fullDomainURL("_gwcgi_")+ "?c=_cgiargc_&a=d&d=_cgiargd_";
+    // Use jssafe variants of the args in the following and then urlencode it from javascript
+    // http://stackoverflow.com/questions/332872/how-to-encode-a-url-in-javascript
+    // http://stackoverflow.com/questions/75980/best-practice-escape-or-encodeuri-encodeuricomponent
+    //a2a_config.linkurl = gsapi.fullDomainURL("_gwcgi_")+ "?c=cgiargc&a=d&d=cgiargd";
+    a2a_config.linkurl = gsapi.fullDomainURL("_gwcgi_")+ "?c=" + encodeURIComponent(_cgiargcJssafe_) + "&a=d&d=" + encodeURIComponent(_cgiargdJssafe_);
 )