Timestamp:
14.03.2014 22:46:25 (5 years ago)
Author:
ak19
Message:

Third commit for security, for ensuring cgiargs macros are websafe. This time all the changes to the runtime action classes.

Files:
1 modified

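--- a/main/trunk/greenstone2/runtime-src/src/recpt/documentaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/documentaction.cpp
@@ -607,5 +607,5 @@
       outlink = "_httpdocument_&d=" + response.docInfo[0].metadata["section"].values[0];
 #else
-      outlink = "_httpdocumenthandle_("+args["c"]+","+response.docInfo[0].metadata["section"].values[0]+")";
+      outlink = "_httpdocumenthandle_("+encodeForURL(args["c"])+","+response.docInfo[0].metadata["section"].values[0]+")";
 #endif
 
@@ -1066,8 +1066,8 @@
 #ifndef DOCHANDLE
         << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d="
-        << args["d"] << "\">"
+        << encodeForURL(args["d"]) << "\">"
 #else
         << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_("
-        << args["c"] << "," << args["d"] << ")\">"
+        << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">"
 #endif
         << "<noframes>\n"
@@ -1143,8 +1143,8 @@
             #ifndef DOCHANDLE
                 << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d="
-                << args["d"] << "\">"
+                << encodeForURL(args["d"]) << "\">"
             #else
                 << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_("
-                << args["c"] << "," << args["d"] << ")\">"
+                << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">"
             #endif
                 << "<noframes>\n"
@@ -1462,5 +1462,5 @@
                 logout << text_t2ascii
                     << "documentaction::output_document: call to QueryFilter failed "
-                    << "for " << args["c"] << " collection (" << get_comerror_string (err) << ")\n";
+                    << "for " << args["c"] << " collection (" << get_comerror_string (err) << ")\n";
                 highlight = false;
             }
@@ -1645,8 +1645,8 @@
   if (haschildren) {
 #ifndef DOCHANLE
-    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
-           "&amp;d=" + arg_d + ".fc");
+    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
+           "&amp;d=" + encodeForURL(arg_d) + ".fc");
 #else
-    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+args["c"]+","+arg_d + ".fc)";
+    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+encodeForURL(arg_d) + ".fc)";
 
 #endif
@@ -1658,8 +1658,8 @@
       if (!(*h).empty()) {
 #ifndef DOCHANLE
-    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
+    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
                "&amp;d=" + *h);
 #else
-    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+args["c"]+","+*h+")";
+    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+*h+")";
 
 #endif
@@ -1674,8 +1674,8 @@
   if (!previous_sibling.empty()) {
 #ifndef DOCHANDLE
-    disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
+    disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
            "&amp;d=" + previous_sibling);
 #else
-    disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+args["c"]+","+ previous_sibling+")");
+    disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+ previous_sibling+")");
 
 #endif
@@ -1684,8 +1684,8 @@
     if (countchar(arg_d.begin(), arg_d.end(), '.')) {
 #ifndef DOCHANDLE
-      disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
+      disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
              "&amp;d=" + get_parent(arg_d));
 #else
-      disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+args["c"]+","+get_parent(arg_d)+")");
+      disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+get_parent(arg_d)+")");
 
 #endif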
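Review bot: The `httpprevarrow` macros at new-side lines 1687 and 1689 still append `get_parent(arg_d)` unencoded, while this commit wraps `arg_d` itself in `encodeForURL` for `httpnextarrow` at 1648 and 1650. If `arg_d` comes from the request's `d` argument (its definition is outside the visible hunks), the parent id carries the same untrusted text into the macro, so I would write `"&amp;d=" + encodeForURL(get_parent(arg_d)));` at 1687 and `+","+encodeForURL(get_parent(arg_d))+")");` at 1689. `*h` (1661, 1663) and `previous_sibling` (1677, 1679) are left raw too; a short comment stating that they come from the collection server rather than from the request would make that intent checkable. The guards at 1646 and 1659 test `DOCHANLE`, not `DOCHANDLE`, so the edited `#else` lines at 1650 and 1663, which also lack a closing parenthesis, are presumably never compiled and the encoding added there is untested.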