Changeset 28899

Timestamp:
14.03.2014 22:46:25 (4 years ago)
Author:
ak19
Message:

Third commit for security, for ensuring cgiargs macros are websafe. This time all the changes to the runtime action classes.

Location:
main/trunk/greenstone2/runtime-src/src/recpt
Files:
19 modified

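--- a/main/trunk/greenstone2/runtime-src/src/recpt/authenaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/authenaction.cpp
@@ -308,5 +308,5 @@
   //      _authen:hiddenargs_   to contain all the arguments that were
   //                            explicitly set
-  disp.setmacro ("messagestatus", "authen", ("_authen:message" + args["us"]
+  disp.setmacro ("messagestatus", "authen", ("_authen:message" + encodeForHTML(args["us"])
                         + "_"));
   // change style of header and footer if page is a frame
@@ -339,5 +339,5 @@
     saveconfset.find((*args_here).first) == saveconfset.end()) {
       hiddenargs += "<input type=hidden name=\"" + (*args_here).first +
-    "\" value=\"_cgiarg" + (*args_here).first + "_\">\n";
+    "\" value=\"_cgiarg" + (*args_here).first + "Attrsafe_\">\n";
     }
     ++args_here;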
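Review bot: At line 310 the `us` argument is HTML-encoded but then lands inside a macro name (`_authen:message<us>_`), where the characters that matter are the macro delimiters `_` and `:` rather than `<`, `&` or quotes, so `encodeForHTML` does not address the context the value is actually used in; whether an unexpected name can resolve to a different macro depends on how displayclass looks names up, which is outside this hunk. The same encode-for-the-wrong-context pattern appears in depositoraction.cpp lines 709/773 and gtiaction.cpp lines 388/498/499. A tighter fix is to validate `us` against the character set a username is allowed to contain before building the name, and to say so, e.g. `// us is interpolated into a macro NAME: restrict it to the username alphabet here rather than entity-encode it`. The hidden-input change at 341 is the right codec for its context (attribute value).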
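--- a/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
@@ -796,5 +796,5 @@
     textout << outconvert << disp
         << "Location: _gwcgi_?e=_compressedoptions_&a=d&c="
-        << collection << "&cl=search&d=" << (*section).OID
+        << encodeForURL(collection) << "&cl=search&d=" << (*section).OID
         << "&srn=" << srn << "&srp=" << srp << "\n\n";
     textout << flush;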
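Review bot: The `Location:` header at 797-799 is still assembled from `(*section).OID`, `srn` and `srp` without encoding while `collection` now is; if `srn`/`srp` are integers that is fine, but an OID is a text value returned by the collection server and belongs in the same `encodeForURL` treatment, e.g. `<< encodeForURL(collection) << "&cl=search&d=" << encodeForURL((*section).OID)`, or else a comment stating why it is trusted. Because this is a response header, any value that can carry a line break is a header-splitting concern, not just a URL one, so the choice should be explicit. The enclosing function continues outside the hunk, so the types of `srn`/`srp` are not visible here.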
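--- a/main/trunk/greenstone2/runtime-src/src/recpt/depositoraction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/depositoraction.cpp
@@ -707,5 +707,5 @@
   if ((depositor_page == "select") || (stepstring == "step")) {
           textout << outconvert << disp << ("_depositor:header_\n")
-          << ("_depositor:" + depositor_page + "content_\n")
+          << ("_depositor:" + encodeForHTML(depositor_page) + "content_\n")
           << ("_depositor:footer_\n");
 
@@ -771,5 +771,5 @@
       // output page ("bild" page was already output above)
       textout << outconvert << disp << ("_depositor:header_\n")
-          << ("_depositor:" + depositor_page + "content_\n")
+          << ("_depositor:" + encodeForHTML(depositor_page) + "content_\n")
           << ("_depositor:footer_\n");
     }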
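--- a/main/trunk/greenstone2/runtime-src/src/recpt/documentaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/documentaction.cpp
@@ -607,5 +607,5 @@
       outlink = "_httpdocument_&amp;d=" + response.docInfo[0].metadata["section"].values[0];
 #else
-      outlink = "_httpdocumenthandle_("+args["c"]+","+response.docInfo[0].metadata["section"].values[0]+")";
+      outlink = "_httpdocumenthandle_("+encodeForURL(args["c"])+","+response.docInfo[0].metadata["section"].values[0]+")";
 #endif
 
@@ -1066,8 +1066,8 @@
 #ifndef DOCHANDLE
         << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d="
-        << args["d"] << "\">"
+        << encodeForURL(args["d"]) << "\">"
 #else
         << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_("
-        << args["c"] << "," << args["d"] << ")\">"
+        << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">"
 #endif
         << "<noframes>\n"
@@ -1143,8 +1143,8 @@
             #ifndef DOCHANDLE
                 << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d="
-                << args["d"] << "\">"
+                << encodeForURL(args["d"]) << "\">"
             #else
                 << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_("
-                << args["c"] << "," << args["d"] << ")\">"
+                << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">"
             #endif
                 << "<noframes>\n"
@@ -1462,5 +1462,5 @@
                 logout << text_t2ascii
                     << "documentaction::output_document: call to QueryFilter failed "
-                    << "for " << args["c"] << " collection (" << get_comerror_string (err) << ")\n";
+                    << "for " << args["c"] << " collection (" << get_comerror_string (err) << ")\n";
                 highlight = false;
             }
@@ -1645,8 +1645,8 @@
   if (haschildren) {
 #ifndef DOCHANLE
-    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
-           "&amp;d=" + arg_d + ".fc");
+    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
+           "&amp;d=" + encodeForURL(arg_d) + ".fc");
 #else
-    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+args["c"]+","+arg_d + ".fc)";
+    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+encodeForURL(arg_d) + ".fc)";
 
 #endif
@@ -1658,8 +1658,8 @@
       if (!(*h).empty()) {
 #ifndef DOCHANLE
-    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
+    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
               "&amp;d=" + *h);
 #else
-    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+args["c"]+","+*h+")";
+    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+*h+")";
 
 #endif
@@ -1674,8 +1674,8 @@
   if (!previous_sibling.empty()) {
 #ifndef DOCHANDLE
-    disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
+    disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
           "&amp;d=" + previous_sibling);
 #else
-    disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+args["c"]+","+ previous_sibling+")");
+    disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+ previous_sibling+")");
 
 #endif
@@ -1684,8 +1684,8 @@
     if (countchar(arg_d.begin(), arg_d.end(), '.')) {
 #ifndef DOCHANDLE
-      disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
+      disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
             "&amp;d=" + get_parent(arg_d));
 #else
-      disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+args["c"]+","+get_parent(arg_d)+")");
+      disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+get_parent(arg_d)+")");
 
 #endif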
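Review bot: New lines 1650 and 1663 are missing the closing parenthesis of the `disp.setmacro (` call (they end in `+ ".fc)";` and `+*h+")";`), unlike their siblings at 1679 and 1689; they only compile because they sit under the `#else` of `#ifndef DOCHANLE` at 1646/1659, which looks like a typo for `DOCHANDLE` (spelled correctly at 1675/1685) and so is never the active branch. Fixing the typo would expose the syntax error, so both need to change together: `#ifndef DOCHANDLE`, `... + ","+encodeForURL(arg_d) + ".fc)");` and `... + ","+*h+")");`. Separately, the encoding is applied unevenly within the file: `arg_d` is URL-encoded at 1648/1650, but the values derived from it, `get_parent(arg_d)` at 1687/1689 and `previous_sibling`/`*h` at 1661/1663/1677/1679, are not, nor is `response.docInfo[0].metadata["section"].values[0]` at 609; if these are trusted because they come from the collection rather than the request, a comment on the first occurrence should say so.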
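--- a/main/trunk/greenstone2/runtime-src/src/recpt/dynamicclassifieraction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/dynamicclassifieraction.cpp
@@ -151,5 +151,5 @@
   if (cinfo->dynamic_classifiers.find(arg_dcl) == cinfo->dynamic_classifiers.end())
   {
-    textout << outconvert << disp << "Error: Invalid dcl value \"" << arg_dcl << "\".\n";
+    textout << outconvert << disp << "Error: Invalid dcl value \"" << encodeForHTML(arg_dcl) << "\".\n";
     textout << outconvert << disp << "_dynamicclassifier:footer_\n";
     return true;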
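Review bot: The HTML-encoded `arg_dcl` at 153 is streamed through `disp`, and the very next line shows that this stage expands `_name_` macro references in the text it receives (`"_dynamicclassifier:footer_\n"` is resolved that way); `encodeForHTML` leaves `_` untouched, so a value shaped like a macro reference can still be interpreted after encoding. If that is the case, the value should also pass through the `dm_safe()` helper that pageaction.cpp applies before handing text to displayclass, or be written to `textout` without the `disp` stage, with a comment such as `// HTML-encode, then neutralise macro syntax: disp expands _x_ in streamed text`. The same `<< outconvert << disp << encodeFor...(...)` shape recurs in phindaction.cpp, depositoraction.cpp, queryaction.cpp and usersaction.cpp in this commit.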
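--- a/main/trunk/greenstone2/runtime-src/src/recpt/gtiaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/gtiaction.cpp
@@ -386,5 +386,5 @@
   languageinfo_tmap loaded_languages = recpt->get_configinfo().languages;
   disp.setmacro("gtitargetlanguagename", "gti", loaded_languages[target_language_code].longname);
-  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
+  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
 
   if (query_string == "") {
@@ -496,6 +496,6 @@
     disp.setmacro("gtitargetfilepath", "gti", gti_response.translation_files_key_to_target_file_path_mapping[translation_file_key]);
   }
-  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
-  disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + translation_file_key + "inaction_");
+  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
+  disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + encodeForHTML(translation_file_key) + "inaction_");
 
   disp.setmacro("gtinumchunkstranslated", "gti", gti_response.translation_files_key_to_num_chunks_translated_mapping[translation_file_key]);
@@ -660,5 +660,5 @@
  do_gti_request(gti_arguments, logout);
 
- disp.setmacro("gtiglihelpzipfilepath", "gti", target_language_code + "_GLIHelp.zip");
+ disp.setmacro("gtiglihelpzipfilepath", "gti", encodeForURL(target_language_code) + "_GLIHelp.zip");
 
  return true;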
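--- a/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
@@ -212,5 +212,5 @@
 
           text_t link = "_gwcgi_?"+optsite+"a=p&amp;p=about&amp;c=" + *collist_here;
-          link += "&amp;l=" + args["l"] + "&amp;w=" + args["w"];
+          link += "&amp;l=" + encodeForURL(args["l"]) + "&amp;w=" + encodeForURL(args["w"]);
 
           // We are "dynamically" overriding so to speak the
@@ -335,9 +335,9 @@
           if (cinfo->isCollectGroup) {
         link = "<a class=\"collectiontitle\" href=\"_gwcgi_?"+optsite+"a=p&amp;p=home&amp;g=" + *collist_here;
-        link += "&amp;l=" + args["l"] + "&amp;w=" + args["w"] + "\">";
+        link += "&amp;l=" + encodeForURL(args["l"]) + "&amp;w=" + encodeForURL(args["w"]) + "\">";
           }
           else {
         link = "<a class=\"collectiontitle\" href=\"_gwcgi_?"+optsite+"a=p&amp;p=about&amp;c=" + *collist_here;
-        link += "&amp;l=" + args["l"] + "&amp;w=" + args["w"] + "\">";
+        link += "&amp;l=" + encodeForURL(args["l"]) + "&amp;w=" + encodeForURL(args["w"]) + "\">";
           }
 
@@ -515,5 +515,5 @@
 
 void pageaction::set_macro_to_file_contents (displayclass &disp, const text_t &macroname,
-                         const text_t &packagename, const text_t &filename) {
+                         const text_t &packagename, const text_t &filename, bool encode) {
 
   text_t filecontent;
@@ -531,4 +531,10 @@
     file_in.close();
   }
+
+  // if we ever need to encode the contents into HTML, call this function with encode=true
+  if(encode) {
+    filecontent = encodeForHTML(filecontent);
+  }
+
   disp.setmacro (macroname, packagename, dm_safe(filecontent));
 }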
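Review bot: In the three link builders at 213-214, 336-337 and 340-341, `args["l"]` and `args["w"]` are now URL-encoded but `*collist_here`, concatenated into the same `href` one line earlier, is not; if the collection list only ever comes from site configuration that is acceptable, but it should be stated on the first occurrence, e.g. `// collist entries come from the site config, not the request, so they are not encoded`, or encoded for symmetry. In `set_macro_to_file_contents` the new `encode` path applies `encodeForHTML` before `dm_safe`, so the order (HTML-encode first, then macro-neutralise) is part of the contract and deserves a sentence in the function's header comment rather than only the inline note at 534, which describes when to pass `true` but not what callers get back.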
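--- a/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.h
@@ -85,5 +85,5 @@
 
   void set_macro_to_file_contents (displayclass &disp, const text_t &macroname,
-                   const text_t &packagename, const text_t &filename);
+                   const text_t &packagename, const text_t &filename, bool encode=false);
 
   void set_language_encoding_macros(displayclass &disp, cgiargsclass &args,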
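Review bot: The new `encode` parameter at line 87 is undocumented in the declaration, which is where callers look; a comment such as `// encode=true runs the file contents through encodeForHTML() before they are stored (dm_safe() is applied in either case)` would state the contract that pageaction.cpp implements. Defaulting to `false` keeps existing callers' behaviour unchanged, which is worth saying explicitly so nobody flips the default later without auditing the call sites.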
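--- a/main/trunk/greenstone2/runtime-src/src/recpt/phindaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/phindaction.cpp
@@ -152,5 +152,5 @@
 
   unsigned long count_l, count_e, count_d;
-  unsigned long phrase = args["ppnum"].getulong();
+  unsigned long phrase = args["ppnum"].getulong(); // needn't encodeFor<web> on vars which have getulong() applied
   text_t &word = args["pptext"];
   unsigned long first_e = args["pfe"].getulong();
@@ -208,5 +208,5 @@
 
     if (result.empty()) {
-      output_error("phindaction: The search term ("+word+") does not occur in the collection",
+      output_error("phindaction: The search term ("+encodeForHTML(word)+") does not occur in the collection",
            textout, outconvert, disp, logout, XMLmode);
       return true;
@@ -255,5 +255,5 @@
   if (XMLmode) {
     textout << "<phinddata id=\"" << phrase
-        << "\" text=\"" << word
+        << "\" text=\"" << encodeForHTMLAttr(word)
         << "\" tf=\"" << tf
         << "\" ef=\"" << ef
@@ -262,8 +262,8 @@
         << "\">\n";
   } else {
-    textout << "<html><head><title>" << word << "</title></head>\n"
+    textout << "<html><head><title>" << encodeForHTML(word) << "</title></head>\n"
         << "<body><center>\n"
-        << "<p><h1>" << word << "</h1>\n"
-        << "<p><b>"<< word << "</b> occurs "
+        << "<p><h1>" << encodeForHTML(word) << "</h1>\n"
+        << "<p><b>"<< encodeForHTML(word) << "</b> occurs "
         << tf << " times in " << df << " documents\n";
   }
@@ -316,5 +316,5 @@
       textout << outconvert << disp
           << "<br><a href=\"_gwcgi_?"
-          << "c=" << args["c"]
+          << "c=" << encodeForURL(args["c"])
           << "&ppnum=" << phrase
           << "&pfe=" << first_e
@@ -328,5 +328,5 @@
     textout << outconvert << disp
         << "<br><a href=\"_gwcgi_?"
-        << "c=" << args["c"]
+        << "c=" << encodeForURL(args["c"])
         << "&ppnum=" << phrase
         << "&pfe=" << first_e
@@ -379,5 +379,5 @@
       textout << outconvert << disp
           << "<br><a href=\"_gwcgi_?"
-          << "c=" << args["c"]
+          << "c=" << encodeForURL(args["c"])
           << "&ppnum=" << phrase
           << "&pfe=" << first_e
@@ -391,5 +391,5 @@
     textout << outconvert << disp
         << "<br><a href=\"_gwcgi_?"
-        << "c=" << args["c"]
+        << "c=" << encodeForURL(args["c"])
         << "&ppnum=" << phrase
         << "&pfe=" << first_e
@@ -453,5 +453,5 @@
       textout << outconvert << disp
           << "<br><a href=\"_gwcgi_?"
-          << "c=" << args["c"]
+          << "c=" << encodeForURL(args["c"])
           << "&ppnum=" << phrase
           << "&pfe=" << first_e
@@ -465,5 +465,5 @@
     textout << outconvert << disp
         << "<br><a href=\"_gwcgi_?"
-        << "c=" << args["c"]
+        << "c=" << encodeForURL(args["c"])
         << "&ppnum=" << phrase
         << "&pfe=" << first_e
@@ -742,5 +742,5 @@
       textout << "<tr valign=top><td>" << type << "</td><td>";
       textout << outconvert << disp
-          << "<a href=\"_gwcgi_?c=" << collection;
+          << "<a href=\"_gwcgi_?c=" << encodeForURL(collection);
       textout << "&ppnum=" << phrase << "\">" << text << "</a>"
           << "</td><td>" << tf << "</td><td>" << df << "</td></tr>\n";
@@ -847,8 +847,12 @@
           << "\" df=\"" << df;
       if (!prefix.empty()) {
-    textout << "\" prefix=\"" << prefix;
+    text_t prefix_txt;
+    fromUCArray(prefix, prefix_txt);
+    textout << "\" prefix=\"" << encodeForHTMLAttr(prefix_txt);
       }
       if (!suffix.empty()) {
-    textout << "\" suffix=\"" << suffix;
+    text_t suffix_txt;
+    fromUCArray(suffix, suffix_txt);
+    textout << "\" suffix=\"" << encodeForHTMLAttr(suffix_txt);
       }
       textout << "\"/>\n";
@@ -856,12 +860,12 @@
       textout << outconvert << disp
           << "<tr valign=top><td align=right><a href=\"_gwcgi_?"
-          << "c=" << collection << "&ppnum=" << phrase << "\">";
+          << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">";
       textout << prefix << "</a></td>";
       textout <<outconvert << disp
           << "<td align=center><a href=\"_gwcgi_?"
-          << "c=" << collection << "&ppnum=" << phrase << "\">"
-          << body << "</a></td>"
+          << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">"
+          << encodeForHTML(body) << "</a></td>"
           << "<td align=left><a href=\"_gwcgi_?"
-          << "c=" << collection << "&ppnum=" << phrase << "\">";
+          << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">";
       textout << suffix << "</a></td>"
           << "<td>" << tf << "</td><td>" << df << "</td></tr>\n";
@@ -986,5 +990,5 @@
       textout << outconvert << disp
           << "<tr valign=top><td><a href=\"_gwcgi_?"
-          << "c=" << collection;
+          << "c=" << encodeForURL(collection);
       textout << "&a=d&d=" << hash << "\">" << title << "</a>"
           << "</td><td>" << freq << "</td></tr>\n";
@@ -1057,4 +1061,18 @@
 }
 
+void phindaction::fromUCArray(const UCArray &arrin, text_t &txtout) {
+  txtout.clear();
+  if (txtout.capacity() < arrin.size() + 1) {
+    txtout.reserve(arrin.size() + 1);
+  }
+  vector<unsigned char>::const_iterator here = arrin.begin();
+  vector<unsigned char>::const_iterator end = arrin.end();
+  while (here != end) {
+    txtout.push_back(*here); // don't need to cast unsigned char to unsigned short
+    ++here;
+  }
+}
+
+
 void phindaction::output_error (const text_t &message, ostream &textout,
                 outconvertclass &outconvert,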
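Review bot: The encoding in the HTML branch at 860-871 is partial: `body` is now HTML-encoded at 867, but `prefix` and `suffix` are written raw on the neighbouring lines 863 and 870 (`textout << prefix << "</a></td>";`), and `text` at 745 and `title` at 993 are likewise unencoded, whereas the XML branch at 849-856 does convert prefix/suffix through the new `fromUCArray` before encoding. The HTML branch needs the same conversion, e.g. `text_t prefix_txt; fromUCArray(prefix, prefix_txt); textout << encodeForHTML(prefix_txt) << "</a></td>";` and the mirror for `suffix`; if `text`/`title` are already `text_t`, a direct `encodeForHTML` suffices. On `fromUCArray` itself, the `+ 1` in the reserve size has no visible purpose (nothing appends a terminator) and deserves either a comment or removal, and the loop is a plain element-wise copy that could be `txtout.assign(arrin.begin(), arrin.end())` if `text_t` exposes a range `assign`.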
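--- a/main/trunk/greenstone2/runtime-src/src/recpt/phindaction.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/phindaction.h
@@ -93,4 +93,5 @@
 
   void toUCArray(const text_t &in, UCArray &out);
+  void fromUCArray(const UCArray &arrin, text_t &txtout);
 
   void output_error (const text_t &message, ostream &textout,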
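Review bot: The new `fromUCArray` declaration at line 95 has no comment, and neither does its counterpart `toUCArray`; from the definition in phindaction.cpp it clears `txtout` and pushes each byte of `arrin` as one element with no character-set conversion, so `// Copies each byte of arrin into txtout as one element (no charset conversion); counterpart of toUCArray` would document it at the point of use. If `toUCArray` does more than narrow each element, leave the "counterpart" claim out.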
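--- a/main/trunk/greenstone2/runtime-src/src/recpt/pingaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pingaction.cpp
@@ -76,5 +76,5 @@
     textout << outconvert << "Ping";
   } else {
-    textout << outconvert << "Ping for \"" << args["c"] << "\"";
+        textout << outconvert << "Ping for \"" << encodeForHTML(args["c"]) << "\"";
   }
 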
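Review bot: The replacement line 78 is indented with eight spaces while its siblings at 76 and 79 use four, so the `else` body no longer lines up with the `if` body; restore the original indentation: `    textout << outconvert << "Ping for \"" << encodeForHTML(args["c"]) << "\"";`. The codec itself matches the context (HTML body text written via `outconvert` with no `disp` stage).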
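--- a/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
@@ -747,7 +747,7 @@
       << "<input type=\"hidden\" name=\"ccp\" value=\"1\">\n"
       << "<center><table width=\"_pagewidth_\"><tr valign=\"top\">\n"
-      << "<td>Select collections to search for \"" << args["q"]
-      << "\" <i>(index=" << index << " subcollection=" << subcollection
-      << " language=" << language << ")</i></td>\n"
+      << "<td>Select collections to search for \"" << encodeForHTML(args["q"])
+      << "\" <i>(index=" << encodeForHTML(index) << " subcollection=" << encodeForHTML(subcollection)
+      << " language=" << encodeForHTML(language) << ")</i></td>\n"
       << "<td><input type=\"submit\" value=\"_query:textbeginsearch_\"></td>\n"
       << "</tr></table></center>\n"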
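--- a/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
@@ -1533,11 +1533,13 @@
     text_t urlsafe = encodeForURL(macrovalue);
     text_t jssafe = encodeForJavascript(macrovalue); // with default setting will return \\x and \\u for macro files
-    text_t csssafe = encodeForCSS(macrovalue);
+    text_t csssafe = encodeForCSS(macrovalue); // not yet used anywhere, but is available for use in macros
+    text_t sqlsafe = encodeForSQL(macrovalue);
 
     disp.setmacro ("cgiarg" + (*argshere).first + "Htmlsafe", displayclass::defaultpackage, htmlsafe);
     disp.setmacro ("cgiarg" + (*argshere).first + "Attrsafe", displayclass::defaultpackage, attrsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe);
     disp.setmacro ("cgiarg" + (*argshere).first + "Jssafe", displayclass::defaultpackage, jssafe);
     disp.setmacro ("cgiarg" + (*argshere).first + "Csssafe", displayclass::defaultpackage, csssafe);
-    disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Sqlsafe", displayclass::defaultpackage, sqlsafe);
 
 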
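Review bot: The new `Sqlsafe` macro at 1536/1543 exposes SQL escaping to macro authors without saying what it is good for; per the OWASP "defense option 3" reference in securitytools.cpp, the output is only meaningful when spliced inside a quoted SQL string literal, and a macro named `_cgiargqSqlsafe_` reads as if it were safe to place anywhere in a statement. The line should say so: `text_t sqlsafe = encodeForSQL(macrovalue); // escaping only: valid inside a quoted SQL literal, never as bare SQL`. It is also computed for every CGI argument on every request, like the `Csssafe` value that the new comment at 1535 says is not used anywhere yet; cheap, but if the list keeps growing a lazily-evaluated macro would be the better shape. Moving `Urlsafe` next to `Attrsafe` is cosmetic and fine.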
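--- a/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
@@ -70,5 +70,5 @@
       << "  <link>_httpdomain__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
-      << "  <language>_cgiargl_</language>\n"
+      << "  <language>_cgiarglHtmlsafe_</language>\n"
       << "  <pubDate>Thu, 23 Aug 1999 07:00:00 GMT</pubDate>\n"
       << "  <lastBuildDate>Thu, 23 Aug 1999 16:20:26 GMT</lastBuildDate>\n"
@@ -122,8 +122,8 @@
   // If ever adding a custom macro file like rss.dm that mentions the package, need to list rss.dm in etc/main.cfg
 
-  if(disp.havemacro("Global", "httpdomain") == 0) { // if using rss package, willcheck rss and Global packages in order. And if not found:
+  if(disp.havemacro("Global", "httpdomain") == 0) { // if using rss package, will check rss and Global packages in order. And if not found:
 
     if(!args["hostname"].empty()) {
-      disp.setmacro("httpdomain", "Global", "http://" + args["hostname"]);
+      disp.setmacro("httpdomain", "Global", "http://" + encodeForURL(args["hostname"]));
     }
     else { // we shouldn't have to get here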
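Review bot: At line 127 `args["hostname"]` is passed through `encodeForURL` before being used as the host part of `http://...`; that is the query-string encoder used elsewhere in this commit, and if it percent-encodes `:` (or any other host-legal character) a value such as `host:8080` becomes `host%3A8080` and every link built from `_httpdomain_` breaks. A host name wants validation rather than encoding: accept only letters, digits, `.`, `-` and an optional `:port`, and otherwise fall through to the existing `else` branch, with a comment like `// hostname comes from the request: validate as host[:port]; URL-encoding would mangle the ':'`. The switch to `_cgiarglHtmlsafe_` at 72 is fine for XML element text provided `encodeForHTML` emits only the five XML-predefined entities or numeric references, which cannot be checked from this hunk.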
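--- a/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp
@@ -136,11 +136,10 @@
 }
 
-
-text_t encodeForMySQL(const text_t& in, const text_t& immuneChars, const SQLMode mode) {
-  text_t out;
-  text_t::const_iterator here = in.begin();
-  text_t::const_iterator end = in.end();
-  while (here != end) {
-    out += encodeForMySQL(immuneChars, *here, mode); // IMMUNE_SQL and STANDARD SQLMode by default
+text_t encodeForSQL(const text_t& in, const text_t& immuneChars, const SQLMode mode) {
+  text_t out;
+  text_t::const_iterator here = in.begin();
+  text_t::const_iterator end = in.end();
+  while (here != end) {
+    out += encodeForSQL(immuneChars, *here, mode); // IMMUNE_SQL and STANDARD SQLMode by default
     ++here;
   }
@@ -320,4 +319,7 @@
 
 /*
+
+ C++ port of OWASP-ESAPI for MySQL. Not sure if this is is the same for SQLite
+
 http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java
  Defense Option 3 of https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
@@ -335,5 +337,5 @@
 
 */
-text_t encodeForMySQL(const text_t& immuneChars, const unsigned short in, const SQLMode mode) {
+text_t encodeForSQL(const text_t& immuneChars, const unsigned short in, const SQLMode mode) {
 
   text_t result = "";
@@ -392,4 +394,5 @@
 }
 
+// Unused at present.
 // See Codec.hex[] initialization and Codec.getHexForNonAlphanumeric(c) and Codec.toHex(c)
 // http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/Codec.java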
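Review bot: The rename `encodeForMySQL` → `encodeForSQL` at 138/339 makes a MySQL-specific codec look engine-neutral, while the block comment added at 322 admits the SQLite case is unverified; if `STANDARD` mode follows the ESAPI MySQLCodec it ports (backslash escaping), that is not an escape sequence for SQLite or ANSI-mode servers, so the generic name invites misuse by the callers that pick it up in this same commit. Either keep the MySQL name, or document the mode semantics on the definition, e.g. `// STANDARD = MySQL backslash escaping, ANSI = quote doubling; pick the mode that matches the target engine`. The same sentence is repeated in securitytools.h line 30, and both copies carry the doubled "this is is the same" typo.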
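--- a/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.h
@@ -28,5 +28,6 @@
 text_t encodeForHTMLAttr(const text_t& input, const text_t& immuneChars=IMMUNE_HTMLATTR);
 text_t encodeForCSS(const text_t& input, const text_t& immuneChars=IMMUNE_CSS);
-text_t encodeForMySQL(const text_t& input, const text_t& immuneChars=IMMUNE_SQL, const SQLMode mode=STANDARD);
+// C++ port of OWASP-ESAPI for MySQL, not sure if this is is the same for SQLite
+text_t encodeForSQL(const text_t& input, const text_t& immuneChars=IMMUNE_SQL, const SQLMode mode=STANDARD);
 
 // Character conversions
@@ -35,5 +36,5 @@
 text_t encodeForJavascript(const text_t& immuneChars, const unsigned short input, bool dmsafe);
 text_t encodeForCSS(const text_t& immuneChars, const unsigned short input);
-text_t encodeForMySQL(const text_t& immuneChars, const unsigned short input, const SQLMode mode);
+text_t encodeForSQL(const text_t& immuneChars, const unsigned short input, const SQLMode mode);
 
 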
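--- a/main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
@@ -270,5 +270,5 @@
   if (args["qt"]=="0" && args["sqlqto"] != "1") { // normal text search
     unsafe_cgi_arg("ALL", args["q"]);
-    formattedstring = "SELECT DISTINCT docOID FROM document_metadata WHERE " + args["q"];
+    formattedstring = "SELECT DISTINCT docOID FROM document_metadata WHERE " + encodeForSQL(args["q"]);
   }
   else if (args["qt"]=="1" || args["sqlqto"]=="1"){ // form search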
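Review bot: At line 272 `encodeForSQL` is applied to `args["q"]`, but `q` is spliced in as the entire `WHERE` expression rather than as a value inside a quoted literal, and SQL escaping is only defined for the latter: it cannot constrain keywords or operators in a bare expression, and it will mangle any legitimate quoted literal the expression contains (under backslash-style escaping `title='x'` becomes `title=\'x\'`), so the change neither protects the query nor preserves valid input. The `unsafe_cgi_arg("ALL", args["q"])` call on the previous line suggests this input was already recognised as unconstrained. The robust fix is to parse `q` into column, operator and value and build the clause with bound parameters (or, failing that, place only the value inside a quoted literal and escape that); at minimum the line needs a comment such as `// NOTE: q is a raw WHERE expression; encodeForSQL does not make it safe` so the encoding is not mistaken for a defence.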
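--- a/main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp
@@ -353,5 +353,5 @@
     arg_value = args.getarg (ainfo.shortname);
     if (arg_value == NULL) textout << outconvert << "<td></td></tr>\n";
-    else textout << outconvert << "<td>\"" << *arg_value << "\"</td></tr>\n";
+    else textout << outconvert << "<td>\"" << encodeForHTML(*arg_value) << "\"</td></tr>\n";
 
     ++argsinfohere;
@@ -547,6 +547,6 @@
 
   if (rprotolist_here == rprotolist_end) {
-    textout << outconvert << "Protocol \"" << arg_pr << "\" with collection \""
-        << arg_c << "\" was not found\n";
+    textout << outconvert << "Protocol \"" << encodeForHTML(arg_pr) << "\" with collection \""
+        << encodeForHTML(arg_c) << "\" was not found\n";
 
   } else {
@@ -819,11 +819,14 @@
     text_t errorpage = "<p><pre>\n";
 
+    text_t errorpage_content;
     char c;
     errin.get(c);
     while (!errin.eof ()) {
-      errorpage.push_back(c);
+      errorpage_content.push_back(c);
       errin.get(c);
     }
-
+    // need to ensure that error_log displayed from Admin pages is encoded/safe for an HTML context
+    errorpage += encodeForHTML(errorpage_content);
+
     errorpage += "</pre>\n";
     errin.close();
@@ -849,5 +852,5 @@
   text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg");
 #else
-  text_t llssite_cfg = "llssite.cfg";
+  text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg"); //"llssite.cfg";
 #endif
 
@@ -1138,5 +1141,5 @@
   else {
     output_errorpage (outconvert, textout, logout,
-              "Unknown page \"" + arg_p + "\".\n");
+              "Unknown page \"" + encodeForHTML(arg_p) + "\".\n");
   }
 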
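Review bot: After the change at 854 both branches of the preprocessor conditional around 852-855 are identical (`text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg");`), so the `#else` branch and its `//"llssite.cfg";` remnant are dead and the conditional can collapse to that single line; the `#if`/`#ifdef` line itself sits just above the hunk, so confirm it guards nothing else before removing it. The error-log handling at 821-829 now reads the whole file into `errorpage_content` before encoding, which is unbounded by file size; acceptable for an admin page, but a short comment or a cap on the number of bytes shown would make that deliberate. The placement of `encodeForHTML` is right: the `<p><pre>` wrapper is appended around the encoded contents, not encoded with them.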
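--- a/main/trunk/greenstone2/runtime-src/src/recpt/usersaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/usersaction.cpp
@@ -235,12 +235,12 @@
     if (user_database->get_user_info(*users_here, userinfo) == ERRNO_SUCCEED) {
       textout << outconvert << disp
-          << "<tr><td bgcolor=\"\\#eeeeee\">" << userinfo.username << "</td>\n"
+          << "<tr><td bgcolor=\"\\#eeeeee\">" << encodeForHTML(userinfo.username) << "</td>\n"
               << "<td bgcolor=\"\\#eeeeee\">" << (char *) (userinfo.enabled ? "enabled" : "disabled") << "</td>\n"
-          << "<td bgcolor=\"\\#eeeeee\">" << userinfo.groups << "&nbsp;</td>\n"
-          << "<td bgcolor=\"\\#eeeeee\">" << userinfo.comment << "&nbsp;</td>\n"
+          << "<td bgcolor=\"\\#eeeeee\">" << encodeForHTML(userinfo.groups) << "&nbsp;</td>\n"
+          << "<td bgcolor=\"\\#eeeeee\">" << encodeForHTML(userinfo.comment) << "&nbsp;</td>\n"
           << "<td><a href=\"_httpcurrentdocument_&a=um&uma=edituser&umun="
-          << userinfo.username << "\">_userslistusers:textedituser_</a> "
+          << encodeForHTML(userinfo.username) << "\">_userslistusers:textedituser_</a> "
           << "<a href=\"_httpcurrentdocument_&a=um&uma=deleteuser&umun="
-          << userinfo.username << "\">_userslistusers:textdeleteuser_</a>"
+          << encodeForHTML(userinfo.username) << "\">_userslistusers:textdeleteuser_</a>"
           << "</td></tr>\n\n";
 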
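Review bot: At lines 242 and 244 `userinfo.username` is HTML-encoded, but it is being placed into the `umun=` query parameter of an `href`, the context for which the rest of this commit uses `encodeForURL` (e.g. documentaction.cpp line 609); entity encoding does not touch `&`, `=`, `?` or `#`, so a username containing one of them would still split or truncate the query string. Use `<< encodeForURL(userinfo.username) << "\">_userslistusers:textedituser_</a> "` and the same on 244, keeping `encodeForHTML` for the table cells at 237/239/240 where it is the right codec. Whether account creation already restricts usernames to a safe alphabet is not visible from this hunk.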