Changeset 30465 for main


Ignore:
Timestamp:
2016-04-07T13:55:26+12:00 (8 years ago)
Author:
kjdon
Message:

fixes for depositor. when getting the post ata and putting it together into form data, need to escape cgi args special characters

Location:
main/trunk/greenstone2/runtime-src/src/recpt
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp

    r30373 r30465  
    103103      }
    104104      if (!argstr.empty()) argstr += "&";
     105 
     106      // we need to convert arg to cgi safe variant - escape '&' and '%', '+', '=', turn space to +
     107      cgi_safe_post_arg(argdata);
    105108      argstr += argname + "=" + argdata;
    106109
     
    162165  if (findword(content_type_begin, content_type_end, "multipart/form-data") == content_type_end) {
    163166    // a simple post request
    164 
    165167    return raw_post_data;
    166168
     
    331333}
    332334
     335//Need to escape special chars in post data so they don't interfere with arg parsing once its a get style string
     336void cgi_safe_post_arg(text_t &argstr) {
     337
     338  text_t::iterator in = argstr.begin();
     339  text_t out = "";
     340  text_t::iterator end = argstr.end();
     341 
     342  while (in != end) {
     343    if (*in == '&') out += "%26";
     344    else if (*in == '%') out += "%2525";
     345    else if (*in == '+') out += "%2B";
     346    else if (*in == '=') out += "%3D";
     347    else if (*in == ' ') out += "+";
     348    else { // append whatever char is in *in, but as a char, not int
     349            //out += *in; // appends as int
     350      out.push_back(*in);
     351    }
     352    ++in;
     353  }
     354 
     355  argstr.erase (argstr.begin(), end);
     356  argstr += out; 
     357}
     358
     359
     360
    333361// Ensure dangerous tags and chars in cgi-args are URL encoded, to prevent obvious XSS attempts
    334362// (e.g. c=<script>alert("hacked")</script>) and log poisoning (apache writes unrecognised URLs
     
    414442  // get seems to be not unicode, while post is, so don't want to just assume encoding is 1 (not unicode)
    415443  unsigned short args_encoding = argstr.getencoding();
    416   cerr << "args enc = "<< args_encoding<<endl;
     444
    417445  text_t key, value;
    418446 

  • main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.h

    r28841 r30465  
    3838// convert %xx and + to their appropriate equivalents
    3939void decode_cgi_arg (text_t &argstr);
     40// convert &,%,+,=,space to encoded versions so that post args can be put together into a get style string
     41void cgi_safe_post_arg(text_t &argstr);
    4042
    4143// split up the cgi arguments
Note: See TracChangeset for help on using the changeset viewer.