Changeset 28913 for main/trunk/greenstone2/runtime-src/src

Timestamp:

2014-03-18T20:22:59+13:00 (10 years ago)

Author:

ak19

Message:

6th commit for security of cgiargs. Looked over all occurrences of setmacro in *action.cpp files

Location:

main/trunk/greenstone2/runtime-src/src/recpt

Files:

• dynamicclassifieraction.cpp (modified) (1 diff)
• extlinkaction.cpp (modified) (1 diff)
• gtiaction.cpp (modified) (4 diffs)
• pagedbrowserclass.cpp (modified) (1 diff)
• rssaction.cpp (modified) (1 diff)
• usersaction.cpp (modified) (1 diff)

main/trunk/greenstone2/runtime-src/src/recpt/dynamicclassifieraction.cpp

@@ -102 +102 @@
     text_t dynamic_classifier_id = (*dynamic_classifier_iterator).first;
     navigation_bar_entries += "_navbarspacer_";
-    navigation_bar_entries += "_navtab_(_gwcgi_?c=" + args["c"] + "&a=dc&dcl=" + dynamic_classifier_id + "," + dynamic_classifier_id;
+    navigation_bar_entries += "_navtab_(_gwcgi_?c=" + encodeForURL(args["c"]) + "&a=dc&dcl=" + dynamic_classifier_id + "," + dynamic_classifier_id;
     if (args["a"] == "dc" && args["dcl"] == dynamic_classifier_id)
     {

main/trunk/greenstone2/runtime-src/src/recpt/extlinkaction.cpp

@@ -124 +124 @@
   // problem in whist, above line changed.  Perhaps decode_cgi_arg ??
   // see also HTML plugin
-  disp.setmacro("nexturl", "extlink", args["href"]);
+
+  text_t nexturl_macro = args["href"];
+  if(!isValidURLProtocol(nexturl_macro)) {
+    nexturl_macro = encodeForURL(nexturl_macro); // URL has invalid protocol like javascript:, so URL encode it
+  } else {
+    nexturl_macro = encodeForHTMLAttr(nexturl_macro);
+  }
+
+  disp.setmacro("nexturl", "extlink", nexturl_macro); // goes into a full-url context
   disp.setmacro("prevdoc", "extlink", args["d"]);
 }

main/trunk/greenstone2/runtime-src/src/recpt/gtiaction.cpp

@@ -386 +386 @@
   languageinfo_tmap loaded_languages = recpt->get_configinfo().languages;
   disp.setmacro("gtitargetlanguagename", "gti", loaded_languages[target_language_code].longname);
-  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
+  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
+  disp.setmacro("gtitranslationfiledescHtmlsafe", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
 
   if (query_string == "") {
@@ -457 +458 @@
   disp.setmacro("gtitargetlanguagename", "gti", loaded_languages[target_language_code].longname);
   disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
+  disp.setmacro("gtitranslationfiledescHtmlsafe", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
 }
 
@@ -496 +498 @@
     disp.setmacro("gtitargetfilepath", "gti", gti_response.translation_files_key_to_target_file_path_mapping[translation_file_key]);
   }
-  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
-  disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + encodeForHTML(translation_file_key) + "inaction_");
+  disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key + "_");
+  disp.setmacro("gtitranslationfiledescHtmlsafe", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_");
+  disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + translation_file_key + "inaction_");
+  disp.setmacro("gtiviewtranslationfileinactionHtmlsafe", "gti", "_gti:gtiview" + encodeForHTML(translation_file_key) + "inaction_");
 
   disp.setmacro("gtinumchunkstranslated", "gti", gti_response.translation_files_key_to_num_chunks_translated_mapping[translation_file_key]);
@@ -660 +664 @@
  do_gti_request(gti_arguments, logout); 
 
- disp.setmacro("gtiglihelpzipfilepath", "gti", encodeForURL(target_language_code) + "_GLIHelp.zip");
+ disp.setmacro("gtiglihelpzipfilepath", "gti", target_language_code + "_GLIHelp.zip");
+ disp.setmacro("gtiglihelpzipfilepathUrlsafe", "gti", encodeForURL(target_language_code) + "_GLIHelp.zip");
 
  return true;

main/trunk/greenstone2/runtime-src/src/recpt/pagedbrowserclass.cpp

@@ -32 +32 @@
 #include "OIDtools.h"
 #include "gsdltools.h"
+#include "securitytools.h"
 
 pagedbrowserclass::pagedbrowserclass () {

main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp

@@ -131 +131 @@
       text_t default_domain = "http://localhost:8282";
       disp.setmacro("httpdomain", "Global", default_domain); // the default used in zextra.dm. (Could perhaps default this to localhost too)
-      disp.setmacro("httpdomain", "Global", encodeForHTML(default_domain));
+      disp.setmacro("httpdomainHtmlsafe", "Global", encodeForHTML(default_domain));
     }
   }

main/trunk/greenstone2/runtime-src/src/recpt/usersaction.cpp

@@ -268 +268 @@
   disp.setmacro ("usersargug", "users", args["umug"]);
   disp.setmacro ("usersargc", "users", args["umc"]);
+
+  disp.setmacro ("usersargunAttrsafe", "users", encodeForHTMLAttr(args["umun"]));
+  disp.setmacro ("usersargpwAttrsafe", "users", encodeForHTMLAttr(args["umpw"]));
+  disp.setmacro ("usersargusAttrsafe", "users", encodeForHTMLAttr(args["umus"])); // unused in users.dm or other macro files, but setting this attrsafe'd macro in parallel with the other usersarg* values here.
+  disp.setmacro ("usersargugAttrsafe", "users", encodeForHTMLAttr(args["umug"]));
+  disp.setmacro ("usersargcAttrsafe", "users", encodeForHTMLAttr(args["umc"]));
+
 }