Timestamp:
2014-03-13T14:34:48+13:00 (10 years ago)
Author:
ak19
Message:

First security commit. 1. Introducing the new securitools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

File:
1 edited

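--- a/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
@@ -751,5 +751,5 @@
   if (arg_p == "about") {
     if (cinfo == NULL) {
-      disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+      disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
       disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
       return;
@@ -797,5 +797,5 @@
 
     if (cinfo == NULL) {
-      disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+      disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
       disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
       return;
@@ -1009,7 +1009,7 @@
   text_t &arg_p = args["p"];
 
-  textout << outconvert << disp << ("_" + arg_p + ":header_\n")
-      << ("_" + arg_p + ":content_\n")
-      << ("_" + arg_p + ":footer_\n");
+  textout << outconvert << disp << ("_" + encodeForHTML(arg_p) + ":header_\n")
+      << ("_" + encodeForHTML(arg_p) + ":content_\n")
+      << ("_" + encodeForHTML(arg_p) + ":footer_\n");
 
   return true;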
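Review bot: In the third hunk `encodeForHTML(arg_p)` is applied to a value that is used as a macro name (`_<p>:header_`, `_<p>:content_`, `_<p>:footer_`) rather than emitted directly as HTML, so a `p` containing `&`, `<` or `"` is rewritten into a name that can match no defined macro; whether the unresolved reference is then echoed to the client, which is presumably what the encoding is meant to defuse, depends on displayclass behaviour not visible here. A cleaner control is to validate `arg_p` against the set of page names this action actually serves (or at least `[A-Za-z0-9_]`) before it is spliced into any macro reference, and route anything else to the bad-page path, with a comment such as `// arg_p is a macro name, not HTML output: validate it, do not entity-encode it`. That check would also cover the first two hunks, where the new side still passes raw `arg_p` as the package argument in `disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>")` while only `arg_c` is encoded. The enclosing functions begin before each hunk and the third hunk's closing brace lies outside it.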