Timestamp:
13.03.2014 14:34:48 (6 years ago)
Author:
ak19
Message:

First security commit. 1. Introducing the new securitools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

Location:
main/trunk/greenstone2/runtime-src
Files:
2 added
9 modified

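--- a/main/trunk/greenstone2/runtime-src/packages/Makefile.in
+++ b/main/trunk/greenstone2/runtime-src/packages/Makefile.in
@@ -29,8 +29,4 @@
 USE_YAZ=@USE_YAZ@
 USE_APACHE_HTTPD=@USE_APACHE_HTTPD@
-
-
-SECURITY=security/libgpg-error-1.12
-#security/libgcrypt-1.6.1
 
 ifeq ($(USE_Z3950), 1)
@@ -74,5 +70,5 @@
 # is assumed that each package will have at least four rules: all, install,
 # clean, and distclean.
-INSTALLDIRS =   $(YAZ) $(D2M) $(CORBA) $(SECURITY)
+INSTALLDIRS =   $(YAZ) $(D2M) $(CORBA)
 PACKAGEDIRS =   $(INSTALLDIRS) $(HTTPD)
 
@@ -133,7 +129,4 @@
     cd yaz/yaz-2.1.4/src; $(MAKE)  $(MDEFINES) install
 endif
-
-# make install all packages in the security folder
-
 
 # now install everything except apache, since that had already been installed during "all"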
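--- a/main/trunk/greenstone2/runtime-src/src/recpt/Makefile.in
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/Makefile.in
@@ -155,4 +155,5 @@
 APACHE_MODULE =
 endif
+
 
 # Extension support
@@ -229,4 +230,5 @@
     $(RSS_SOURCES) \
     statusaction.cpp \
+    securitytools.cpp \
     summarise.cpp \
     tipaction.cpp \
@@ -278,4 +280,5 @@
     $(RSS_OBJECTS) \
     statusaction.o \
+    securitytools.o \
     summarise.o \
     tipaction.o \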
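--- a/main/trunk/greenstone2/runtime-src/src/recpt/action.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/action.h
@@ -34,4 +34,5 @@
 #include "recptproto.h"
 #include "browserclass.h"
+#include "securitytools.h"
 
 #if defined(GSDL_USE_OBJECTSPACE)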
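--- a/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
@@ -651,5 +651,5 @@
 
     // Display the "this collection is not installed on this system" page
-    disp.setmacro("cvariable", displayclass::defaultpackage, collection);
+    disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(collection));
     disp.setmacro("content", "query", "<p>_textbadcollection_<p>");
 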
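Review bot: The `cvariable` macro is now pre-encoded for an HTML text context at the point where it is set, whereas the cgi-argument macros in receptionist.cpp in this same commit keep the base value and publish separate `*Htmlsafe`/`*Attrsafe` variants for templates to choose from; two conventions for the same problem make it hard for a template author to know whether a macro is already encoded. Since the macro files that consume `cvariable` are not in this diff, whether HTML-entity encoding is the right encoding for every place it is expanded cannot be confirmed here, so the convention should at least be recorded next to the call, e.g. `// cvariable is pre-encoded for HTML text context; do not re-encode it in the macro files`. The same change is made at the two `cvariable` sites in pageaction.cpp and the one in queryaction.cpp. The enclosing function starts and ends outside the hunk.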
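--- a/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
@@ -44,5 +44,5 @@
 
 // set to false to undo security changes (url-encoding arguments)
-static bool do_safe_cgi_args = true;
+static bool do_safe_cgi_args = false;
 
 static unsigned short hexdigit (unsigned short c) {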
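Review bot: `do_safe_cgi_args` is flipped from `true` to `false`, which according to the comment directly above it undoes the existing URL-encoding of cgi arguments, yet neither the commit message nor the code says why a commit described as the first security commit switches an existing protection off. If this is deliberate because the new `encodeFor*` macros in receptionist.cpp are meant to supersede it, that reasoning belongs on the line, e.g. `// disabled: output encoding now happens per context via the cgiarg*safe macros set in receptionist.cpp`; if it is a leftover from local testing, the default should go back to `true`. If the flag is never reassigned elsewhere in the file (not visible here), declaring it `static const bool` would also make clear that it is a build-time switch rather than runtime state.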
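--- a/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
@@ -751,5 +751,5 @@
   if (arg_p == "about") {
     if (cinfo == NULL) {
-      disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+      disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
       disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
       return;
@@ -797,5 +797,5 @@
 
     if (cinfo == NULL) {
-      disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+      disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
       disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
       return;
@@ -1009,7 +1009,7 @@
   text_t &arg_p = args["p"];
 
-  textout << outconvert << disp << ("_" + arg_p + ":header_\n")
-      << ("_" + arg_p + ":content_\n")
-      << ("_" + arg_p + ":footer_\n");
+  textout << outconvert << disp << ("_" + encodeForHTML(arg_p) + ":header_\n")
+      << ("_" + encodeForHTML(arg_p) + ":content_\n")
+      << ("_" + encodeForHTML(arg_p) + ":footer_\n");
 
   return true;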
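Review bot: In the last hunk `encodeForHTML(arg_p)` is evaluated three times on the same value; hoist it once, `const text_t safe_p = encodeForHTML(arg_p);`, and build the three macro references from `safe_p`. More importantly, the encoded text here is spliced into macro *names* (`_<p>:header_` etc.) that `disp` then expands, not into HTML output, so HTML-entity encoding only helps to the extent that `encodeForHTML` happens to alter the characters the macro language treats specially (`_` and `\`, presumably the ones `dm_safe` handles) — that cannot be confirmed from the hunk. A positive allow-list on `arg_p` (letters and digits, matching what page names actually look like) would state the intent directly and keep user input out of the macro namespace regardless of what the encoder does. The first two hunks make the same `cvariable` change as basequeryaction.cpp; all three enclosing functions start outside their hunks.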
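--- a/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
@@ -1010,5 +1010,5 @@
 
     // Display the "this collection is not installed on this system" page
-    disp.setmacro("cvariable", displayclass::defaultpackage, main_collection);
+    disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(main_collection));
     disp.setmacro("content", "query", "<p>_textbadcollection_<p>");
 
@@ -1394,5 +1394,8 @@
     }
 
-    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+    text_t macrovalue = dm_safe(compressedoptions);
+    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, macrovalue);
+    disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(macrovalue));
+
       }
     } // form search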
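Review bot: The three-line sequence added in the second hunk — `dm_safe`, set `decodedcompressedoptions`, set `decodedcompressedoptionsAttrsafe` from the same value — is repeated verbatim in receptionist.cpp and sqlqueryaction.cpp in this commit; a small helper such as `void set_compressedoptions_macros(displayclass &disp, const text_t &compressedoptions)` would keep the three sites in step when further encoded variants are added. The base `decodedcompressedoptions` macro is still only passed through `dm_safe` (presumably macro-syntax escaping, not HTML encoding), so its safety now depends on every template that places it in an attribute migrating to the `Attrsafe` variant; that expectation should be written down where the macro is set, e.g. `// decodedcompressedoptions is NOT HTML-encoded; templates must use decodedcompressedoptionsAttrsafe inside attributes`. Both enclosing functions start outside their hunks.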
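--- a/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
@@ -36,4 +36,5 @@
 #include "gsdltimes.h"
 #include "OIDtools.h"
+#include "securitytools.h"
 #include <assert.h>
 #include <time.h>
@@ -1485,5 +1486,8 @@
     compressedoptions = to_uni(compressedoptions);
   }
-  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+
+  text_t dmacrovalue = dm_safe(compressedoptions);
+  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue);
+  disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue));
 
 #if defined (__WIN32__)
@@ -1495,4 +1499,7 @@
   cgiargsclass::const_iterator argsend = args.end();
   while (argshere != argsend) {
+
+    text_t macrovalue = (*argshere).second.value; // and stays like that if ((*argshere).first == "hp")
+
     if (((*argshere).first == "q") ||
     ((*argshere).first == "qa") ||
@@ -1502,13 +1509,37 @@
     ((*argshere).first == "qpl") ||
     ((*argshere).first == "qr") ||
-    ((*argshere).first == "q2"))
+    ((*argshere).first == "q2")) {
+
       // need to escape special characters from query string
-      disp.setmacro ("cgiarg" + (*argshere).first,
-             displayclass::defaultpackage, html_safe((*argshere).second.value));
-    else if ((*argshere).first == "hp") {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, (*argshere).second.value);
-    } else {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, dm_safe((*argshere).second.value));
-    }
+      macrovalue = html_safe(macrovalue);
+
+    } else  if ((*argshere).first == "hp") {
+      if(!isValidURLProtocol(macrovalue)) {
+    macrovalue = encodeForURL(macrovalue); // URL has invalid protocol like javascript:, so URL encode it
+      }
+    }
+    else {
+      macrovalue = dm_safe(macrovalue);
+    }
+
+    // set the default value for the macro
+    disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, macrovalue);
+
+    // set macros for the encoded versions of the same value. Uses the functions in securitytools.h
+    // https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
+
+    text_t htmlsafe = encodeForHTML(macrovalue);
+    text_t attrsafe = encodeForHTMLAttr(macrovalue);
+    text_t urlsafe = encodeForURL(macrovalue);
+    text_t jssafe = encodeForJavascript(macrovalue);
+    text_t csssafe = encodeForCSS(macrovalue);
+
+    disp.setmacro ("cgiarg" + (*argshere).first + "Htmlsafe", displayclass::defaultpackage, htmlsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Attrsafe", displayclass::defaultpackage, attrsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Jssafe", displayclass::defaultpackage, jssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Csssafe", displayclass::defaultpackage, csssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe);
+
+
     ++argshere;
   }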
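Review bot: The five `encodeFor*` variants in the last hunk are computed from `macrovalue` after it has already gone through `html_safe()` (for the q-type arguments) or `dm_safe()`, so `cgiargqHtmlsafe` is `encodeForHTML(html_safe(value))` — if `html_safe` already turns `<` into `&lt;`, the variant renders it as `&amp;lt;`, and the `Urlsafe`/`Jssafe` variants likewise encode the entity text rather than the original characters; on the `dm_safe` branch, whatever escape characters `dm_safe` inserts may in turn be re-encoded by `encodeForHTML`, which cannot be verified from the hunk. Either derive the variants from one `dm_safe`-only copy of the raw value and leave the `html_safe` step to the default macro alone, or document the layering where the variants are built, e.g. `// NOTE: the *safe variants are encoded on top of the already html_safe/dm_safe'd macrovalue; templates must not encode them again`. In the `hp` branch a value whose protocol passes `isValidURLProtocol` reaches the default `cgiarghp` macro with no encoding at all, so a template that has not moved to `cgiarghpAttrsafe` still emits the host, path and query parts of that URL raw; the comment on the `text_t macrovalue` line should say that this is intentional and why. The enclosing function starts before the third hunk and the `while` loop body spans the third and fourth hunks.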
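--- a/main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
@@ -309,6 +309,8 @@
       compressedoptions = to_uni(compressedoptions);
     }
-
-    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+
+    text_t dmacrovalue = dm_safe(compressedoptions);
+    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue);
+    disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue));
       }
     } // form search
@@ -317,8 +319,4 @@
     logout << "ERROR (sqlqueryaction::get_formatted_query_string): querytype not defined\n";
   }
-
-
-
-
 
 }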