Changeset 28913

Timestamp:
18.03.2014 20:22:59 (4 years ago)
Author:
ak19
Message:

6th commit for security of cgiargs. Looked over all occurrences of setmacro in *action.cpp files

Location:
main/trunk/greenstone2
Files:
8 modified

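--- a/main/trunk/greenstone2/macros/gti.dm
+++ b/main/trunk/greenstone2/macros/gti.dm
@@ -98,5 +98,5 @@
 # Content of the GTI "find text fragments" page
 _gtifind_ {
-<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- <a href="_gwcgi_?a=gti&amp;p=core&amp;e=_compressedoptions_">_gtitranslationfiledesc_</a></h2>
+<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- <a href="_gwcgi_?a=gti&amp;p=core&amp;e=_compressedoptions_">_gtitranslationfiledescHtmlsafe_</a></h2>
 <p>
 _textgtienterquery_:
@@ -111,5 +111,5 @@
 # Content of the GTI "offline" page
 _gtioffline_ {
-<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- _gtitranslationfiledesc_</h2>
+<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- _gtitranslationfiledescHtmlsafe_</h2>
 <p>
 _textgtiofflinetranslation_
@@ -118,5 +118,5 @@
 # Content of the GTI "core" page (with text areas for entering and updating translations)
 _gticore_ {
-<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- _gtitranslationfiledesc_</h2>
+<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- _gtitranslationfiledescHtmlsafe_</h2>
 <p>
 <center>
@@ -133,5 +133,5 @@
 # Content of the GTI "done" page, thanking the translator for completing the file
 _gtidone_ {
-<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- _gtitranslationfiledesc_</h2>
+<h2><a href="_gwcgi_?a=gti&amp;p=lang&amp;e=_compressedoptions_">_gtitargetlanguagename_</a> -- _gtitranslationfiledescHtmlsafe_</h2>
 <p>
 <center>
@@ -169,5 +169,5 @@
 # --------------------------------------------------------------------------------
 
-# _If_(_gtiglihelpzipfilepath_ ne "", <a href="_httpprefix_/_gtiglihelpzipfilepath_">_textgtiglihelpzipfile_</a>,)<br>
+# _If_(_gtiglihelpzipfilepath_ ne "", <a href="_httpprefix_/_gtiglihelpzipfilepathUrlsafe_">_textgtiglihelpzipfile_</a>,)<br>
 # <a href="_gwcgi_?a=gti&amp;p=glihelp&amp;e=_compressedoptions_">_textgtiglihelpzipfile_</a>
 
@@ -180,8 +180,8 @@
      _If_("_4_" eq "_gtidownloadglihelp_", <a href="_4_">, <a href="_httpprefix_/_4_">)_textgtidownloadtargetfile_</a>
 
-     _If_(_gtiglihelpzipfilepath_, <a href="_httpprefix_/_gtiglihelpzipfilepath_">_textgtiglihelpzipfile_</a>,)<br>
+     _If_(_gtiglihelpzipfilepath_, <a href="_httpprefix_/_gtiglihelpzipfilepathUrlsafe_">_textgtiglihelpzipfile_</a>,)<br>
 
      <a href="_gwcgi_?a=gti&amp;p=offline&amp;e=_compressedoptions_">_textgtitranslatefileoffline_</a><br>
-     _gtiviewtranslationfileinaction_
+     _gtiviewtranslationfileinactionHtmlsafe_
   </td></tr>)
 </table>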
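Review bot: `_gtiglihelpzipfilepathUrlsafe_` on lines 171 and 182 is expanded inside an href attribute, so the value has to be safe for both the URL path and the HTML attribute context; percent-encoding by encodeForURL covers the path, but whether it also neutralises `"` and `&` for the attribute is not visible on this page, so confirm the encoder's character set or pass the expansion through the attribute-safe encoder as well. The `_If_` test on line 182 still reads the raw `_gtiglihelpzipfilepath_`, which is fine for an emptiness check but is the kind of thing a later editor may copy into markup. A macro-file comment near line 171 would make the convention explicit, e.g. `# only the *Urlsafe/*Htmlsafe variants may appear in markup; raw macros are for _If_ tests only`.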
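--- a/main/trunk/greenstone2/macros/users.dm
+++ b/main/trunk/greenstone2/macros/users.dm
@@ -62,8 +62,8 @@
 
 <table border=0>
-<tr><td>_authen:textusername_</td><td><input type="text" name="umun" value="_users:usersargun_" size=15></td>
+<tr><td>_authen:textusername_</td><td><input type="text" name="umun" value="_users:usersargunAttrsafe_" size=15></td>
 <td><font color=gray>_textaboutusername_</font></td>
 </tr>
-<tr><td>_authen:textpassword_</td><td><input type="text" name="umpw" value="_users:usersargpw_" size=9></td>
+<tr><td>_authen:textpassword_</td><td><input type="text" name="umpw" value="_users:usersargpwAttrsafe_" size=9></td>
 <td><font color=gray>_textaboutpassword_
 _If_("_cgiarguma_" eq "edituser",_textoldpass_)
@@ -75,8 +75,8 @@
 </select>
 </td></tr>
-<tr><td>_userslistusers:textgroups_</td><td colspan=2><input type="text" name="umug" value="_users:usersargug_" size=50></td></tr>
+<tr><td>_userslistusers:textgroups_</td><td colspan=2><input type="text" name="umug" value="_users:usersargugAttrsafe_" size=50></td></tr>
 <tr><td></td><td></td>
 <td><font color=gray>_textaboutgroups_</font><br/><font color=gray>_textavailablegroups_</font></td></tr>
-<tr><td>_userslistusers:textcomment_</td><td colspan=2><input type="text" name="umc" value="_users:usersargc_" size=50></td></tr>
+<tr><td>_userslistusers:textcomment_</td><td colspan=2><input type="text" name="umc" value="_users:usersargcAttrsafe_" size=50></td></tr>
 <tr><td></td><td colspan=2><input type="submit" name=beu value="submit">
 <input type="submit" name=uma value="cancel"></td></tr>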
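Review bot: `_cgiarguma_` on line 69 is still interpolated raw inside a quoted `_If_` comparison while the `_users:usersarg*_` values in the same form now use the Attrsafe variants; a `"` or `,` in the uma argument could presumably change how the `_If_` expression is parsed, so that reference deserves the same review as the input values. Separately, line 67 echoes the submitted password back into a `type="text"` input: the Attrsafe encoding stops attribute injection, but the value remains readable on screen and in the page source, so `type="password"` would be the safer control if the edit-user workflow allows it.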
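--- a/main/trunk/greenstone2/runtime-src/src/recpt/dynamicclassifieraction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/dynamicclassifieraction.cpp
@@ -102,5 +102,5 @@
     text_t dynamic_classifier_id = (*dynamic_classifier_iterator).first;
     navigation_bar_entries += "_navbarspacer_";
-    navigation_bar_entries += "_navtab_(_gwcgi_?c=" + args["c"] + "&amp;a=dc&amp;dcl=" + dynamic_classifier_id + "," + dynamic_classifier_id;
+    navigation_bar_entries += "_navtab_(_gwcgi_?c=" + encodeForURL(args["c"]) + "&amp;a=dc&amp;dcl=" + dynamic_classifier_id + "," + dynamic_classifier_id;
     if (args["a"] == "dc" && args["dcl"] == dynamic_classifier_id)
     {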
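Review bot: Only `args["c"]` is URL-encoded on line 104; `dynamic_classifier_id` is concatenated raw into both the URL and the `_navtab_` argument list, where a `,` would split the macro arguments. It comes from the iterator key on line 102, which presumably originates in collection configuration rather than the request, so this is likely acceptable, but a comment stating the trust assumption would stop a later reader from treating it as an oversight: `// dynamic_classifier_id is config-sourced, not a cgiarg; only c needs URL-encoding here`. The enclosing loop starts and ends outside the hunk.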
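--- a/main/trunk/greenstone2/runtime-src/src/recpt/extlinkaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/extlinkaction.cpp
@@ -124,5 +124,13 @@
   // problem in whist, above line changed.  Perhaps decode_cgi_arg ??
   // see also HTML plugin
-  disp.setmacro("nexturl", "extlink", args["href"]);
+
+  text_t nexturl_macro = args["href"];
+  if(!isValidURLProtocol(nexturl_macro)) {
+    nexturl_macro = encodeForURL(nexturl_macro); // URL has invalid protocol like javascript:, so URL encode it
+  } else {
+    nexturl_macro = encodeForHTMLAttr(nexturl_macro);
+  }
+
+  disp.setmacro("nexturl", "extlink", nexturl_macro); // goes into a full-url context
   disp.setmacro("prevdoc", "extlink", args["d"]);
 }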
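Review bot: `prevdoc` on line 135 still receives the raw `args["d"]` while `nexturl` just above it is now encoded; if `_prevdoc_` is expanded into markup or a URL in the extlink macro file it needs the same treatment, and if it is deliberately left raw a comment should say why, e.g. `// prevdoc is only used as a cgiarg value in the template — encode it if that changes`. The two branches on lines 128-132 also produce different encodings for the same destination: a rejected-protocol value is percent-encoded, which turns it into a broken relative link rather than refusing it, so consider assigning `nexturl_macro` an empty string or a fixed safe fallback in that branch and documenting the choice on line 129. The enclosing function starts outside the hunk.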
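--- a/main/trunk/greenstone2/runtime-src/src/recpt/gtiaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/gtiaction.cpp
@@ -386,5 +386,6 @@
   languageinfo_tmap loaded_languages = recpt->get_configinfo().languages;
   disp.setmacro("gtitargetlanguagename", "gti", loaded_languages[target_language_code].longname);
-  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
+  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
+  disp.setmacro("gtitranslationfiledescHtmlsafe", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
 
   if (query_string == "") {
@@ -457,4 +458,5 @@
   disp.setmacro("gtitargetlanguagename", "gti", loaded_languages[target_language_code].longname);
   disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
+  disp.setmacro("gtitranslationfiledescHtmlsafe", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
 }
 
@@ -496,6 +498,8 @@
     disp.setmacro("gtitargetfilepath", "gti", gti_response.translation_files_key_to_target_file_path_mapping[translation_file_key]);
   }
-  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
-  disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + encodeForHTML(translation_file_key) + "inaction_");
+  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
+  disp.setmacro("gtitranslationfiledescHtmlsafe", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
+  disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + translation_file_key + "inaction_");
+  disp.setmacro("gtiviewtranslationfileinactionHtmlsafe", "gti", "_gti:gtiview" + encodeForHTML(translation_file_key) + "inaction_");
 
   disp.setmacro("gtinumchunkstranslated", "gti", gti_response.translation_files_key_to_num_chunks_translated_mapping[translation_file_key]);
@@ -660,5 +664,6 @@
  do_gti_request(gti_arguments, logout); 
 
- disp.setmacro("gtiglihelpzipfilepath", "gti", encodeForURL(target_language_code) + "_GLIHelp.zip");
+ disp.setmacro("gtiglihelpzipfilepath", "gti", target_language_code + "_GLIHelp.zip");
+ disp.setmacro("gtiglihelpzipfilepathUrlsafe", "gti", encodeForURL(target_language_code) + "_GLIHelp.zip");
 
  return true;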
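Review bot: The `*Htmlsafe` macros on lines 389, 460, 501 and 503 HTML-encode `translation_file_key` inside a macro name (`_gti:textgti<key>_`), so the encoding only has an effect when that reference fails to resolve and the literal text is emitted; a key containing `&` or `<` yields a name that neither the raw nor the encoded variant can resolve, so the encoded form is a containment measure rather than a fix for the lookup. That is worth stating at the first site, e.g. `// Htmlsafe variant: key is encoded so an unresolved reference cannot inject markup`, and, if translation_file_key is taken from a cgiarg, validating it against the known-keys mapping used on line 498 before any macro name is built from it would close the gap at the source. The same reasoning applies to line 667, where the zip file name is built from `target_language_code`. Each enclosing function starts outside its hunk.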
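--- a/main/trunk/greenstone2/runtime-src/src/recpt/pagedbrowserclass.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pagedbrowserclass.cpp
@@ -32,4 +32,5 @@
 #include "OIDtools.h"
 #include "gsdltools.h"
+#include "securitytools.h"
 
 pagedbrowserclass::pagedbrowserclass () {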
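--- a/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
@@ -131,5 +131,5 @@
       text_t default_domain = "http://localhost:8282";
       disp.setmacro("httpdomain", "Global", default_domain); // the default used in zextra.dm. (Could perhaps default this to localhost too)
-      disp.setmacro("httpdomain", "Global", encodeForHTML(default_domain));
+      disp.setmacro("httpdomainHtmlsafe", "Global", encodeForHTML(default_domain));
     }
   }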
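Review bot: `httpdomainHtmlsafe` on line 133 is only set inside the branch that falls back to `default_domain`; if the enclosing `if` (which starts outside the hunk) sets `httpdomain` from a configured or request-derived value on its other path, any template that now references `_httpdomainHtmlsafe_` is left with an unresolved macro — and that other path is the one where the value is least trustworthy. Set the Htmlsafe variant on every path that sets the raw macro, e.g. `disp.setmacro("httpdomainHtmlsafe", "Global", encodeForHTML(httpdomain));` next to each assignment, or hoist both calls after the branch.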
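--- a/main/trunk/greenstone2/runtime-src/src/recpt/usersaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/usersaction.cpp
@@ -268,4 +268,11 @@
   disp.setmacro ("usersargug", "users", args["umug"]);
   disp.setmacro ("usersargc", "users", args["umc"]);
+
+  disp.setmacro ("usersargunAttrsafe", "users", encodeForHTMLAttr(args["umun"]));
+  disp.setmacro ("usersargpwAttrsafe", "users", encodeForHTMLAttr(args["umpw"]));
+  disp.setmacro ("usersargusAttrsafe", "users", encodeForHTMLAttr(args["umus"])); // unused in users.dm or other macro files, but setting this attrsafe'd macro in parallel with the other usersarg* values here.
+  disp.setmacro ("usersargugAttrsafe", "users", encodeForHTMLAttr(args["umug"]));
+  disp.setmacro ("usersargcAttrsafe", "users", encodeForHTMLAttr(args["umc"]));
+
 }
 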
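Review bot: The raw `usersarg*` macros on lines 268-269 stay defined alongside the new Attrsafe ones, so any macro file that still references `_users:usersargug_` or `_users:usersargc_` keeps emitting the unescaped cgiarg, and nothing here prevents a new template from picking the raw name. A comment at the raw block, `// raw usersarg* macros are NOT safe for markup; templates must use the *Attrsafe variants below`, plus a grep over the macro files as part of this change would make that hard to regress. The trailing comment on line 273 would read better as its own line above the call. The enclosing function starts outside the hunk.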