Changeset 30465
- Timestamp:
- 2016-04-07T13:55:26+12:00 (8 years ago)
- Location:
- main/trunk/greenstone2/runtime-src/src/recpt
- Files:
-
- 2 edited
main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
r30373 r30465 103 103 } 104 104 if (!argstr.empty()) argstr += "&"; 105 106 // we need to convert arg to cgi safe variant - escape '&' and '%', '+', '=', turn space to + 107 cgi_safe_post_arg(argdata); 105 108 argstr += argname + "=" + argdata; 106 109 … … 162 165 if (findword(content_type_begin, content_type_end, "multipart/form-data") == content_type_end) { 163 166 // a simple post request 164 165 167 return raw_post_data; 166 168 … … 331 333 } 332 334 335 //Need to escape special chars in post data so they don't interfere with arg parsing once its a get style string 336 void cgi_safe_post_arg(text_t &argstr) { 337 338 text_t::iterator in = argstr.begin(); 339 text_t out = ""; 340 text_t::iterator end = argstr.end(); 341 342 while (in != end) { 343 if (*in == '&') out += "%26"; 344 else if (*in == '%') out += "%2525"; 345 else if (*in == '+') out += "%2B"; 346 else if (*in == '=') out += "%3D"; 347 else if (*in == ' ') out += "+"; 348 else { // append whatever char is in *in, but as a char, not int 349 //out += *in; // appends as int 350 out.push_back(*in); 351 } 352 ++in; 353 } 354 355 argstr.erase (argstr.begin(), end); 356 argstr += out; 357 } 358 359 360 333 361 // Ensure dangerous tags and chars in cgi-args are URL encoded, to prevent obvious XSS attempts 334 362 // (e.g. c=<script>alert("hacked")</script>) and log poisoning (apache writes unrecognised URLs … … 414 442 // get seems to be not unicode, while post is, so don't want to just assume encoding is 1 (not unicode) 415 443 unsigned short args_encoding = argstr.getencoding(); 416 cerr << "args enc = "<< args_encoding<<endl; 444 417 445 text_t key, value; 418 446 -
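Review bot: In cgi_safe_post_arg the '%' character is rewritten to `%2525` while every other delimiter gets a single encoding (`%26`, `%2B`, `%3D`), so a literal percent in a POST value only round-trips if the merged string is decoded twice; unless that double decode is deliberate and applied to every argument, the consistent line is `else if (*in == '%') out += "%25";`, and if it is deliberate the reason belongs in the comment above the function. The closing `argstr.erase (argstr.begin(), end); argstr += out;` can be simplified to `argstr = out;`, since `out` already holds the complete rewritten value and `argstr` is not read again after the loop. The call site at line 107 sits inside a function whose start and end are outside this section.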
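--- a/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.h
@@ -38,4 +38,6 @@
 // convert %xx and + to their appropriate equivalents
 void decode_cgi_arg (text_t &argstr);
+// convert &,%,+,=,space to encoded versions so that post args can be put together into a get style string
+void cgi_safe_post_arg(text_t &argstr);
 
 // split up the cgi arguments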