Changeset 28888 for main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp

Timestamp:

2014-03-13T14:34:48+13:00 (10 years ago)

Author:

ak19

Message:

First security commit. 1. Introducing the new securitools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

File:

• main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp (modified) (4 diffs)

main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp

@@ -36 +36 @@
 #include "gsdltimes.h"
 #include "OIDtools.h"
+#include "securitytools.h"
 #include <assert.h>
 #include <time.h>
@@ -1485 +1486 @@
     compressedoptions = to_uni(compressedoptions);
   }
-  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions)); 
+
+  text_t dmacrovalue = dm_safe(compressedoptions);
+  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue); 
+  disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue));
 
 #if defined (__WIN32__)
@@ -1495 +1499 @@
   cgiargsclass::const_iterator argsend = args.end();
   while (argshere != argsend) {
+
+    text_t macrovalue = (*argshere).second.value; // and stays like that if ((*argshere).first == "hp")
+
     if (((*argshere).first == "q") ||
     ((*argshere).first == "qa") ||
@@ -1502 +1509 @@
     ((*argshere).first == "qpl") ||
     ((*argshere).first == "qr") ||
-    ((*argshere).first == "q2"))
+    ((*argshere).first == "q2")) {
+
       // need to escape special characters from query string
-      disp.setmacro ("cgiarg" + (*argshere).first, 
-             displayclass::defaultpackage, html_safe((*argshere).second.value));
-    else if ((*argshere).first == "hp") {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, (*argshere).second.value);
-    } else {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, dm_safe((*argshere).second.value));
-    }
+      macrovalue = html_safe(macrovalue);
+
+    } else  if ((*argshere).first == "hp") {
+      if(!isValidURLProtocol(macrovalue)) {
+    macrovalue = encodeForURL(macrovalue); // URL has invalid protocol like javascript:, so URL encode it
+      }
+    }
+    else {
+      macrovalue = dm_safe(macrovalue);
+    }   
+
+    // set the default value for the macro
+    disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, macrovalue);
+
+    // set macros for the encoded versions of the same value. Uses the functions in securitytools.h
+    // https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
+
+    text_t htmlsafe = encodeForHTML(macrovalue);
+    text_t attrsafe = encodeForHTMLAttr(macrovalue);
+    text_t urlsafe = encodeForURL(macrovalue);
+    text_t jssafe = encodeForJavascript(macrovalue);
+    text_t csssafe = encodeForCSS(macrovalue);
+
+    disp.setmacro ("cgiarg" + (*argshere).first + "Htmlsafe", displayclass::defaultpackage, htmlsafe);    
+    disp.setmacro ("cgiarg" + (*argshere).first + "Attrsafe", displayclass::defaultpackage, attrsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Jssafe", displayclass::defaultpackage, jssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Csssafe", displayclass::defaultpackage, csssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe);
+    
+
     ++argshere;
   }