Changeset 28912

Timestamp:
18.03.2014 16:45:46 (4 years ago)
Author:
ak19
Message:

Commit 5 for security. Handles setmacro() occurrences in files other than action.cpp. The cl argument is now safe from hacks.

Location:
main/trunk/greenstone2/runtime-src/src/recpt
Files:
3 modified

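--- a/main/trunk/greenstone2/runtime-src/src/recpt/browsetoolsclass.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/browsetoolsclass.cpp
@@ -31,4 +31,5 @@
 #include "OIDtools.h"
 #include "gsdlunicode.h"
+#include "securitytools.h"
 
 #if defined(GSDL_USE_IOS_H)
@@ -831,5 +832,5 @@
   if (formatinfo.DocumentContents || args["d"].empty()) {
     if (args["d"].empty()) {
-      disp.setmacro("tocopenextra", "document", "id=\"" + cl_top + "\"");
+      disp.setmacro("tocopenextra", "document", "id=\"" + encodeForHTMLAttr(cl_top) + "\"");
     } else {
       disp.setmacro("tocopenextra", "document", "");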
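Review bot: The new line 834 encodes cl_top only at this one sink, and nothing in the hunk records where cl_top comes from or that encodeForHTMLAttr is expected to neutralise the `"` that delimits the attribute being built by concatenation; a reader seeing another use of cl_top in this function has no cue that it needs the same treatment. I would add a why-comment above the call: `// cl_top is request-derived (presumably from args["cl"]); it must be attribute-encoded at every HTML sink, and encodeForHTMLAttr is relied on to escape the quote delimiter`. The enclosing function begins and ends outside the hunk, so any other uses of cl_top in it are not visible here.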
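--- a/main/trunk/greenstone2/runtime-src/src/recpt/pagedbrowserclass.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pagedbrowserclass.cpp
@@ -107,5 +107,5 @@
 
   if (section.OID != args["d"]) {
-    text_t httpprevarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + dm_safe(section.OID);
+    text_t httpprevarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + dm_safe(section.OID);
     text_t parentarrow = "<a href=\"" + httpprevarrow + "\">_iconprev_</a>\n";
     disp.setmacro ("httpprevarrow", "document", httpprevarrow);
@@ -176,5 +176,5 @@
 
   if (!found) {
-    httpnextarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + sections.docInfo[0].OID;
+    httpnextarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + sections.docInfo[0].OID;
     nextarrow = "<a href=\"" + httpnextarrow + "\">" +
       sections.docInfo[0].metadata["Title"].values[0] + "_iconnext_</a>\n";
@@ -182,9 +182,9 @@
   } else {
     if (!previousOID.empty()) {
-      httpprevarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + dm_safe(previousOID);
+      httpprevarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + dm_safe(previousOID);
       prevarrow = "<a href=\"" + httpprevarrow + "\">_iconprev_" + previoustitle + "</a>\n";
     }
     if (!nextOID.empty()) {
-      httpnextarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + dm_safe(nextOID);
+      httpnextarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + dm_safe(nextOID);
       nextarrow = "<a href=\"" + httpnextarrow + "\">" + nexttitle + "_iconnext_</a>\n";
     }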
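Review bot: The new line 178 still concatenates `sections.docInfo[0].OID` into the `&d=` parameter raw, while the sibling lines at 109, 184 and 188 wrap their OID in dm_safe; the commit fixes the `cl` half of each URL but leaves this one `d` value inconsistent with the others. I would change it to `httpnextarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + dm_safe(sections.docInfo[0].OID);`. Note that each of these URLs is then placed into an href attribute by string concatenation on lines 110, 179, 185 and 189, where the literal `&` separator is tolerated by browsers but `&amp;` would be the strictly correct attribute form. The enclosing function starts before the first hunk and continues after the last one.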
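--- a/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
@@ -1478,4 +1478,6 @@
   text_t compressedoptions = get_compressed_arg(args, logout);
   disp.setmacro ("compressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+  //disp.setmacro ("compressedoptionsUrlsafe", displayclass::defaultpackage, encodeForURL(dm_safe(compressedoptions))); // seems to be unnecessary after testing e=hack or e=hack<collect>... or e=...<collect>hack in a live server
+
   // need a decoded version of compressedoptions for use within forms
   // as browsers encode values from forms before sending to server
@@ -1635,5 +1637,5 @@
       if (!cinfo.httpdomain.empty()) httpcollection = "http://";
       httpcollection += cinfo.httpdomain + httpprefix + "/collect/"
-    + collection;
+    + encodeForURL(collection);
       disp.setmacro ("httpcollection", displayclass::defaultpackage,
              httpcollection);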
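Review bot: The new line 1480 checks in a commented-out setmacro call whose justification is a manual test rather than a stated property, which is a style problem: the next maintainer cannot tell whether the URL-safe variant was rejected because dm_safe already covers the URL context or because no template consumed it. I would drop the dead line and keep only a comment that records the decision, e.g. `// compressedoptions is exposed to templates only through dm_safe; a separately URL-encoded macro was tried in r28912 and found unnecessary`, and remove the blank line added at 1481 with it. What dm_safe escapes is not visible in this hunk, so the comment should state the observed outcome rather than claim dm_safe is URL-safe. The enclosing function starts before the first hunk and continues past the second.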