Changeset 28898

Timestamp:
14.03.2014 17:13:56 (4 years ago)
Author:
ak19
Message:

1. The cgiargq query variable is now no longer escaped in the 3 simple or large query forms that use it. fqv and other js escaped fields are unchanged, since the jssafe now ensures that backslashes are escaped for macro files, so these resolve correctly in query.dm. 2. securitytools.cpp and .h updated to additionally escape backslashes for macro files when javascript escaping. This is done by default, since jssafe variants of cgiargs are all that are used, and they're used in macro files. 3. Encoded versions of decodedcompressedoptions are now used in all macro files. They're always used in attributes, so the attrsafe version which is set in receptionist.cpp is used.

Location:
main/trunk/greenstone2
Files:
14 modified

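--- a/main/trunk/greenstone2/macros/authen.dm
+++ b/main/trunk/greenstone2/macros/authen.dm
@@ -16,5 +16,5 @@
   <form name="login" method="post" action="_gwcgi_">
 )
-<input type=hidden name="e" value="_If_(_cgiarger_,_cgiargerAttrsafe_,_decodedcompressedoptions_)">
+<input type=hidden name="e" value="_If_(_cgiarger_,_cgiargerAttrsafe_,_decodedcompressedoptionsAttrsafe_)">
 _hiddenargs_
 <center><table width="_pagewidth_">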
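--- a/main/trunk/greenstone2/macros/browse.dm
+++ b/main/trunk/greenstone2/macros/browse.dm
@@ -42,5 +42,5 @@
 
 <input type=hidden name="a" value="br">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
        <p>
        _textfilterby_ _anyallselect_ _textwords_<br>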
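--- a/main/trunk/greenstone2/macros/collect.dm
+++ b/main/trunk/greenstone2/macros/collect.dm
@@ -52,5 +52,5 @@
 _introcontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 
 <center>
@@ -143,5 +143,5 @@
 _existingcontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 <input type=hidden name="bc1dodelete" value="0">
@@ -246,5 +246,5 @@
 _infocontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 <input type=hidden name="bc1infochanged" value="0">
@@ -370,5 +370,5 @@
 _srcecontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 <input type=hidden name="bc1fromsrce" value="0">
@@ -423,5 +423,5 @@
 _confcontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 <input type=hidden name="bc1cfgchanged" value="_cgiargbc1cfgchangedAttrsafe_">
@@ -475,5 +475,5 @@
 
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -528,5 +528,5 @@
 _bildframe1content_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="bildcancel">
 
@@ -571,5 +571,5 @@
 _bildcancelcontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -630,5 +630,5 @@
 _bildstatuscontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <center>
 <table width=_pagewidth_>
@@ -682,5 +682,5 @@
 _bildfailcontent_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -739,5 +739,5 @@
 _messagehead_ {
 <form name="collectorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 
 <center>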
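--- a/main/trunk/greenstone2/macros/dateqry.dm
+++ b/main/trunk/greenstone2/macros/dateqry.dm
@@ -67,5 +67,5 @@
 
 <input type=hidden name="a" value="q">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="r" value="1">
 <input type=hidden name="hs" value="1">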
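--- a/main/trunk/greenstone2/macros/deposit.dm
+++ b/main/trunk/greenstone2/macros/deposit.dm
@@ -125,5 +125,5 @@
 _selectcontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="intro">
 <input type=hidden name="c" value="">
@@ -229,5 +229,5 @@
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
 
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -274,5 +274,5 @@
 _step2content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 <center>
@@ -310,5 +310,5 @@
 _step3content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 <center>
@@ -347,5 +347,5 @@
 
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -406,5 +406,5 @@
 _bildframe1content_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="bildcancel">
 
@@ -449,5 +449,5 @@
 _bildcancelcontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -508,5 +508,5 @@
 _bildstatuscontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 
 <center>
@@ -572,5 +572,5 @@
 _bildfailcontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -631,5 +631,5 @@
 _messagehead_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 
 <center>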
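--- a/main/trunk/greenstone2/macros/depositdspace.dm
+++ b/main/trunk/greenstone2/macros/depositdspace.dm
@@ -636,5 +636,5 @@
 _selectcontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="intro">
 <input type=hidden name="c" value="">
@@ -672,5 +672,5 @@
 _step0content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step1">
 
@@ -803,5 +803,5 @@
 _step1content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step1">
         <center>
@@ -1018,5 +1018,5 @@
 _step2content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step2">
 
@@ -1127,5 +1127,5 @@
 _step3content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step3">
 
@@ -1210,5 +1210,5 @@
 _step4content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step4">
 
@@ -1324,5 +1324,5 @@
 _step5content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step5">
 
@@ -1547,5 +1547,5 @@
 _step6content_ {
 <form id="depositorform" name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step6">
 
@@ -1649,5 +1649,5 @@
 _step7content_ {
 <form name="depositorform" method=post action="_gwcgi_" enctype="multipart/form-data">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="step7">
 
@@ -1700,5 +1700,5 @@
 
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -1759,5 +1759,5 @@
 _bildframe1content_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="bildcancel">
 
@@ -1802,5 +1802,5 @@
 _bildcancelcontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -1861,5 +1861,5 @@
 _bildstatuscontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 
 <center>
@@ -1925,5 +1925,5 @@
 _bildfailcontent_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="p" value="_cgiargpAttrsafe_">
 
@@ -1984,5 +1984,5 @@
 _messagehead_ {
 <form name="depositorform" method=post action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 
 <center>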
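--- a/main/trunk/greenstone2/macros/document.dm
+++ b/main/trunk/greenstone2/macros/document.dm
@@ -296,5 +296,5 @@
 _gotoform_ {
 <form name="GotoForm" method="get" action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="d" value="_cgiargdAttrsafe_">
 <input type=hidden name="cl" value="_cgiargclAttrsafe_">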
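--- a/main/trunk/greenstone2/macros/pref.dm
+++ b/main/trunk/greenstone2/macros/pref.dm
@@ -511,5 +511,5 @@
 
 <form name=PrefForm method=get action="_gwcgi_">
-<input type="hidden" name="e" value="_decodedcompressedoptions_">
+<input type="hidden" name="e" value="_decodedcompressedoptionsAttrsafe_">
 _If_(_collectionoption_,_collectionprefs_)
 _presentationprefs_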
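--- a/main/trunk/greenstone2/macros/query.dm
+++ b/main/trunk/greenstone2/macros/query.dm
@@ -884,9 +884,9 @@
 }
 
-_smallquerybox_ {<nobr><input type="text" name="q" value="_cgiargqAttrsafe_" size="50">&nbsp;<input type="submit" value="_textbeginsearch_"></nobr>}
+_smallquerybox_ {<nobr><input type="text" name="q" value="_cgiargq_" size="50">&nbsp;<input type="submit" value="_textbeginsearch_"></nobr>}
 
 _largequerybox_ {
 <tr><td><textarea name="q" cols="63" rows="10">
-_cgiargqHtmlsafe_
+_cgiargq_
 </textarea></td></tr>
 <tr align="right"><td><table>
@@ -973,5 +973,5 @@
 <table>
 <tr><td align="left">_textadvquery_</td></tr>
-<tr><td><textarea name="q" cols="57" rows="3" onChange="updateq();">_cgiargqHtmlsafe_</textarea></td>
+<tr><td><textarea name="q" cols="57" rows="3" onChange="updateq();">_cgiargq_</textarea></td>
 <td valign="bottom">
 <input type="button" value="_textrunquery_" onClick="runQuery();"></td></tr>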
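Review bot: Removing the encoder from `_cgiargq_` at line 886 puts a request parameter straight into a double-quoted `value` attribute, and at lines 890 and 975 into `<textarea>` content, so a `"` in q closes the attribute and a `</textarea>` in q ends the element — reflected XSS through the q argument — unless the plain `_cgiargq_` macro is already HTML-encoded when receptionist.cpp sets it. Nothing in this hunk shows that it is, and the receptionist hunk in this same changeset derives the attrsafe/urlsafe/jssafe variants from `macrovalue`, which suggests the plain macro carries the raw value. The commit message motivates the change with the backslash fix to jssafe, but that concerns the js-escaped fields, not these attribute and text contexts; if the real problem was double-encoding of q, the fix that keeps the contexts safe is to leave `value="_cgiargqAttrsafe_"` and `_cgiargqHtmlsafe_` here and correct the encoding at the point the macro is set. `_largequerybox_` continues past line 892 and the form around line 975 begins outside the hunk.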
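--- a/main/trunk/greenstone2/macros/status.dm
+++ b/main/trunk/greenstone2/macros/status.dm
@@ -123,5 +123,5 @@
 <form name="maincfgform" method=post action="_gwcgi_">
 <input type=hidden name="p" value="changemaincfg">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <p>_If_(_maincfgfile_,<textarea name="cfgfile" cols=72 rows=18 wrap=off>
 _maincfgfile_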
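--- a/main/trunk/greenstone2/macros/users.dm
+++ b/main/trunk/greenstone2/macros/users.dm
@@ -57,5 +57,5 @@
 
 <form name="edituser" method="post" action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="a" value="um">
 <input type=hidden name="uma" value="_cgiargumaAttrsafe_">
@@ -110,5 +110,5 @@
 <tr><td>
 <form name="deleteuser" method="post" action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="a" value="um">
 <input type=hidden name="uma" value="_cgiargumaAttrsafe_">
@@ -148,5 +148,5 @@
 <p>
 <form name="changepasswd" method="post" action="_gwcgi_">
-<input type=hidden name="e" value="_decodedcompressedoptions_">
+<input type=hidden name="e" value="_decodedcompressedoptionsAttrsafe_">
 <input type=hidden name="a" value="um">
 <input type=hidden name="uma" value="_cgiargumaAttrsafe_">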
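Review bot: The deleteuser and changepasswd forms at lines 111 and 149 are state-changing POSTs whose visible hidden inputs are only `e`, `a` and `uma`; nothing in the hunk binds the request to the administrator's session with an unguessable token, so unless one is added further down (each form continues past the hunk) a third-party page can submit them on behalf of a logged-in admin. The `e` value appears to be derived from the request's own arguments rather than from a session secret, so it does not act as a CSRF check even now that it is attribute-encoded. Consider a per-session nonce as a hidden input next to `uma`, verified by the user-management action before anything is deleted or changed. This is beyond what the changeset sets out to fix, but the encoding pass touches every one of these forms, so it is a cheap moment to add it.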
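--- a/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
@@ -1532,5 +1532,5 @@
     text_t attrsafe = encodeForHTMLAttr(macrovalue);
     text_t urlsafe = encodeForURL(macrovalue);
-    text_t jssafe = encodeForJavascript(macrovalue);
+    text_t jssafe = encodeForJavascript(macrovalue); // with default setting will return \\x and \\u for macro files
     text_t csssafe = encodeForCSS(macrovalue);
 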
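Review bot: The comment added at line 1534 describes behaviour that depends on a default argument declared in securitytools.h rather than on anything at this call site, so it silently becomes wrong if that default is ever changed, and a reader copying the call into a non-macro context gets the doubled-backslash form without any hint. Since this is the one caller known to feed macro files, state the intent in the call instead of in prose: `text_t jssafe = encodeForJavascript(macrovalue, IMMUNE_JAVASCRIPT, true); // dmsafe: backslashes doubled so \x.. survives .dm parsing`. The enclosing function starts and ends outside the hunk.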
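--- a/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp
@@ -125,14 +125,15 @@
 }
 
-text_t encodeForJavascript(const text_t& in, const text_t& immuneChars) {
-  text_t out;
-  text_t::const_iterator here = in.begin();
-  text_t::const_iterator end = in.end();
-  while (here != end) {
-    out += encodeForJavascript(immuneChars, *here); // IMMUNE_JAVASCRIPT by default
-    ++here;
-  }
-  return out;
-}
+text_t encodeForJavascript(const text_t& in, const text_t& immuneChars, bool dmsafe) {
+  text_t out;
+  text_t::const_iterator here = in.begin();
+  text_t::const_iterator end = in.end();
+  while (here != end) {
+    out += encodeForJavascript(immuneChars, *here, dmsafe); // IMMUNE_JAVASCRIPT by default
+    ++here;
+  }
+  return out;
+}
+
 
 text_t encodeForMySQL(const text_t& in, const text_t& immuneChars, const SQLMode mode) {
@@ -259,5 +260,5 @@
 
 // http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java
-text_t encodeForJavascript(const text_t& immuneChars, const unsigned short in) {
+text_t encodeForJavascript(const text_t& immuneChars, const unsigned short in, bool dmsafe) {
   
   text_t result = "";
@@ -294,5 +295,10 @@
       char hex_char[3];
       sprintf(hex_char,"%02X",in);
-      result = "\\x" + text_t(hex_char);
+
+      if(dmsafe) { // double escape backslashes for macro files
+    result = "\\\\x" + text_t(hex_char);
+      } else {
+    result = "\\x" + text_t(hex_char);
+      }
     }
     // otherwise encode with \\uHHHH
@@ -300,5 +306,9 @@
       char hex_char[5];
       sprintf(hex_char,"%04X",in);
-      result = "\\u" + text_t(hex_char);
+      if(dmsafe) { // double escape backslashes for macro files
+    result = "\\\\u" + text_t(hex_char);
+      } else {
+    result = "\\u" + text_t(hex_char);
+      }
     }
     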
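Review bot: The `sprintf` calls at lines 296 and 307 write into fixed 3- and 5-byte buffers with no bound; `%04X` of an `unsigned short` always fits, but `%02X` at 296 fits only if the branch guard above the hunk restricts `in` to a single byte, which cannot be confirmed from here — a two-byte value would print four digits plus the terminator into `hex_char[3]`. Use the bounded form so the invariant is enforced rather than assumed: `snprintf(hex_char, sizeof hex_char, "%02X", in);` and `snprintf(hex_char, sizeof hex_char, "%04X", in);`. Separately, the new `result = ...` lines under `if(dmsafe)` (299, 301, 309, 311) sit at a different indent from the `if`/`else` that encloses them, which reads like a tab/space mix worth normalising while this code is being touched. The per-character encoder begins before line 294 and continues past line 314.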
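--- a/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.h
@@ -25,5 +25,5 @@
 text_t encodeForHTML(const text_t& input, const text_t& immuneChars=IMMUNE_HTML);
 text_t encodeForURL(const text_t& input, const text_t& immuneChars=IMMUNE_URL);
-text_t encodeForJavascript(const text_t& input, const text_t& immuneChars=IMMUNE_JAVASCRIPT);
+text_t encodeForJavascript(const text_t& input, const text_t& immuneChars=IMMUNE_JAVASCRIPT, bool dmsafe=true);
 text_t encodeForHTMLAttr(const text_t& input, const text_t& immuneChars=IMMUNE_HTMLATTR);
 text_t encodeForCSS(const text_t& input, const text_t& immuneChars=IMMUNE_CSS);
@@ -33,5 +33,5 @@
 text_t encodeForHTML(const text_t& immuneChars, const unsigned short input);
 text_t encodeForURL(const text_t& immuneChars, const unsigned short input);
-text_t encodeForJavascript(const text_t& immuneChars, const unsigned short input);
+text_t encodeForJavascript(const text_t& immuneChars, const unsigned short input, bool dmsafe);
 text_t encodeForCSS(const text_t& immuneChars, const unsigned short input);
 text_t encodeForMySQL(const text_t& immuneChars, const unsigned short input, const SQLMode mode);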
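Review bot: Defaulting `dmsafe` to `true` at line 27 makes the macro-file form the one a caller gets without thinking about it, so any future call that emits straight into an HTML page or a JSON/JS response will produce `\\x3C`, which a browser reads as a literal backslash followed by `x3C` rather than as `<` — the dangerous character is still neutralised, but the value is corrupted and the name `encodeForJavascript` no longer describes its default output. The safer shape is to keep the plain JavaScript encoding as the default and have the receptionist opt in: `text_t encodeForJavascript(const text_t& input, const text_t& immuneChars=IMMUNE_JAVASCRIPT, bool dmsafe=false);` with `true` passed at the one macro-file call site. The single-character overload at line 35 takes `dmsafe` with no default, so the two declarations already disagree on whether the flag is optional; give both the same default or note that the per-character form is only meant to be reached through the string overload. A one-line comment above line 27, `// dmsafe: double each backslash so \xHH / \uHHHH survive macro-file (.dm) parsing`, would tell the next caller what the flag is for.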