Show
Ignore:
Timestamp:
07.04.2016 13:55:26 (4 years ago)
Author:
kjdon
Message:

fixes for depositor. when getting the post ata and putting it together into form data, need to escape cgi args special characters

Location:
main/trunk/greenstone2/runtime-src/src/recpt
Files:
2 modified

Legend:

Unmodified
Added
Removed
  • main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp

    r30373 r30465  
    103103      } 
    104104      if (!argstr.empty()) argstr += "&"; 
     105  
     106      // we need to convert arg to cgi safe variant - escape '&' and '%', '+', '=', turn space to + 
     107      cgi_safe_post_arg(argdata); 
    105108      argstr += argname + "=" + argdata; 
    106109 
     
    162165  if (findword(content_type_begin, content_type_end, "multipart/form-data") == content_type_end) { 
    163166    // a simple post request 
    164  
    165167    return raw_post_data; 
    166168 
     
    331333} 
    332334 
     335//Need to escape special chars in post data so they don't interfere with arg parsing once its a get style string 
     336void cgi_safe_post_arg(text_t &argstr) { 
     337 
     338  text_t::iterator in = argstr.begin(); 
     339  text_t out = ""; 
     340  text_t::iterator end = argstr.end(); 
     341   
     342  while (in != end) { 
     343    if (*in == '&') out += "%26"; 
     344    else if (*in == '%') out += "%2525"; 
     345    else if (*in == '+') out += "%2B"; 
     346    else if (*in == '=') out += "%3D"; 
     347    else if (*in == ' ') out += "+"; 
     348    else { // append whatever char is in *in, but as a char, not int 
     349            //out += *in; // appends as int 
     350      out.push_back(*in); 
     351    } 
     352    ++in; 
     353  } 
     354   
     355  argstr.erase (argstr.begin(), end); 
     356  argstr += out;   
     357} 
     358 
     359 
     360 
    333361// Ensure dangerous tags and chars in cgi-args are URL encoded, to prevent obvious XSS attempts 
    334362// (e.g. c=<script>alert("hacked")</script>) and log poisoning (apache writes unrecognised URLs 
     
    414442  // get seems to be not unicode, while post is, so don't want to just assume encoding is 1 (not unicode) 
    415443  unsigned short args_encoding = argstr.getencoding(); 
    416   cerr << "args enc = "<< args_encoding<<endl; 
     444 
    417445  text_t key, value; 
    418446  
  • main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.h

    r28841 r30465  
    3838// convert %xx and + to their appropriate equivalents 
    3939void decode_cgi_arg (text_t &argstr); 
     40// convert &,%,+,=,space to encoded versions so that post args can be put together into a get style string 
     41void cgi_safe_post_arg(text_t &argstr); 
    4042 
    4143// split up the cgi arguments