source: main/trunk/greenstone2/runtime-src/src/recpt/action.h@ 30465

Last change on this file since 30465 was 28888, checked in by ak19, 10 years ago

First security commit. 1. Introduces the new securitytools.h and .cpp files, which port the functions needed to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security, which contains OWASP ESAPI for C++, will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML-entity-encoded, attribute-encoded and JavaScript-encoded variants (and CSS-encoded variants). The macro files now use whichever variant suits the output context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

  • Property svn:executable set to *
  • Property svn:keywords set to Author Date Id Revision
File size: 6.5 KB
1/**********************************************************************
2 *
3 * action.h --
4 * Copyright (C) 1999 The New Zealand Digital Library Project
5 *
6 * A component of the Greenstone digital library software
7 * from the New Zealand Digital Library Project at the
8 * University of Waikato, New Zealand.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 *
24 *********************************************************************/
25
26
27#ifndef ACTION_H
28#define ACTION_H
29
30#include "gsdlconf.h"
31#include "text_t.h"
32#include "cgiargs.h"
33#include "display.h"
34#include "recptproto.h"
35#include "browserclass.h"
36#include "securitytools.h"
37
38#if defined(GSDL_USE_OBJECTSPACE)
39# include <ospace\std\iostream>
40#elif defined(GSDL_USE_IOS_H)
41# include <iostream.h>
42#else
43# include <iostream>
44#endif
45
46
// Base class for receptionist actions. Every hook except
// is_my_classifier and getargsinfo is only declared here; the
// definitions are not part of this header.
class action {
protected:
  cgiargsinfoclass argsinfo;
  text_t gsdlhome;
  text_t collecthome;
  text_t dbhome;

public:
  action ();
  virtual ~action ();

  // Call configure once per configuration line.
  virtual void configure (const text_t &key,
                          const text_tarray &cfgline);

  // Call init once all configuration has been supplied and before
  // any other method is used.
  virtual bool init (ostream &logout);

  // Returns the value of the "a" argument that selects this action.
  // The name should be short, but need not be a single character.
  virtual text_t get_action_name ();

  // Call check_cgiargs before get_cgihead_info,
  // define_external_macros and do_action. Any error found is
  // reported on logout; a severe error makes the function return
  // false, in which case no page content should be produced from
  // these arguments.
  // Note: the argsinfo parameter shadows the protected member of
  // the same name.
  // NOTE(review): args presumably holds request-supplied CGI values,
  // which would make this the hook where an action rejects bad input
  // before anything is rendered -- confirm against the callers.
  virtual bool check_cgiargs (cgiargsinfoclass &argsinfo,
                              cgiargsclass &args,
                              recptprotolistclass *protos,
                              ostream &logout);

  // Call check_external_cgiargs after check_cgiargs has been run
  // for all actions. It exists only to override some other normal
  // behaviour, for example to produce a login page when the
  // requested page needs authentication.
  virtual bool check_external_cgiargs (cgiargsinfoclass &argsinfo,
                                       cgiargsclass &args,
                                       outconvertclass &outconvert,
                                       const text_t &saveconf,
                                       ostream &logout);

  // Works out the CGI header information for a set of CGI
  // arguments. When response contains location, response_data
  // holds the redirect address; when response contains content,
  // response_data holds the content-type. Note that images can now
  // be produced by the receptionist.
  // NOTE(review): whether an implementation derives the redirect
  // address from args is not visible here; if one does, the address
  // needs validating before it is emitted.
  virtual void get_cgihead_info (cgiargsclass &args,
                                 recptprotolistclass *protos,
                                 response_t &response,
                                 text_t &response_data,
                                 ostream &logout);

  // Should return true when the receptionist needs the display
  // class to output the page content. The documented default is to
  // return true.
  virtual bool uses_display (cgiargsclass &args);

  // Defines every macro that relates to pages generated by this
  // action.
  virtual void define_internal_macros (displayclass &disp,
                                       cgiargsclass &args,
                                       recptprotolistclass *protos,
                                       ostream &logout);

  // Defines every macro that other actions might use to produce
  // pages. These macros should be well documented.
  virtual void define_external_macros (displayclass &disp,
                                       cgiargsclass &args,
                                       recptprotolistclass *protos,
                                       ostream &logout);

  // Returns false if an error prevented the action from outputting
  // anything.
  virtual bool do_action (cgiargsclass &args,
                          recptprotolistclass *protos,
                          browsermapclass *browsers,
                          displayclass &disp,
                          outconvertclass &outconvert,
                          ostream &textout,
                          ostream &logout);

  // Returns true if this action handles the given top classifier.
  // The base implementation claims none.
  virtual bool is_my_classifier (const text_t &topcl)
  {
    return false;
  }

  // Call getargsinfo only after all configuration files have been
  // read. The result points at this object's own argsinfo member,
  // so it stays valid only for as long as the action exists.
  cgiargsinfoclass *getargsinfo ()
  {
    return &argsinfo;
  }
};
126
127
// actionptr is a non-owning handle: it does not 'own' the action it
// points to and never deletes it. The action should be deleted by
// the code which created it.
class actionptr {
public:
  action *a;  // NULL until a caller assigns it

  // A freshly constructed handle refers to no action.
  actionptr () : a(NULL) {}
};
136
// Comparison operators for actionptr. They are only declared here;
// the definitions are not part of this header, so whether they
// compare the pointer value or the pointed-to action cannot be told
// from this file.
bool operator== (const actionptr &x, const actionptr &y);
bool operator<  (const actionptr &x, const actionptr &y);

// Maps a text_t key to an actionptr, with keys ordered by lttext_t.
typedef map<text_t, actionptr, lttext_t> actionptrmap;
141
// Holds a list of actions indexed by their name. The entries are
// actionptr handles, so this container never deletes an action.
class actionmapclass {
protected:
  actionptrmap actionptrs;

public:
  // type support for actionptrmap
  typedef actionptrmap::iterator iterator;
  typedef actionptrmap::const_iterator const_iterator;
  typedef actionptrmap::reference reference;
  typedef actionptrmap::const_reference const_reference;
  typedef actionptrmap::size_type size_type;

  typedef actionptrmap::difference_type difference_type;
  typedef actionptrmap::const_reverse_iterator const_reverse_iterator;
  typedef actionptrmap::reverse_iterator reverse_iterator;

  // basic container support: each member forwards to the
  // underlying actionptrmap
  iterator begin ()
  {
    return actionptrs.begin();
  }

  const_iterator begin () const
  {
    return actionptrs.begin();
  }

  iterator end ()
  {
    return actionptrs.end();
  }

  const_iterator end () const
  {
    return actionptrs.end();
  }

  void erase (iterator pos)
  {
    actionptrs.erase(pos);
  }

  void erase (iterator first, iterator last)
  {
    actionptrs.erase(first, last);
  }

  // Copies the map of handles. actionptr holds only a raw pointer,
  // so afterwards both containers refer to the same action objects.
  actionmapclass &operator= (const actionmapclass &x)
  {
    actionptrs = x.actionptrs;
    return *this;
  }

  bool empty () const
  {
    return actionptrs.empty();
  }

  size_type size () const
  {
    return actionptrs.size();
  }


  // added functionality

  // Removes every entry. The actions themselves are not deleted.
  void clear ()
  {
    actionptrs.erase(actionptrs.begin(), actionptrs.end());
  }

  // theaction stays the property of the calling code, which must
  // not delete it until it has been removed from this list;
  // otherwise the list would keep a pointer to a deleted action.
  void addaction (action *theaction);

  // Returns NULL when no action is found for key, so callers must
  // check the result before using it.
  action *getaction (const text_t &key);
};
183
184
185#endif