source: main/trunk/greenstone2/runtime-src/src/recpt/securitytools.h@ 28888

Last change on this file since 28888 was 28888, checked in by ak19, 10 years ago

First security commit. 1. Introducing the new securitools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

1#ifndef SECURITYTOOLS_H
2#define SECURITYTOOLS_H
3
4#include "text_t.h"
5
6// enums start numbering at 0 unless otherwise specified
// Quoting mode for encodeForMySQL, mirroring ESAPI's MySQLCodec.Mode
// (Java: ANSI(1), STANDARD(0)). The values are written out so the numbering
// of the Java original is explicit; STANDARD is the default taken by the
// encodeForMySQL declarations in this header.
enum SQLMode { STANDARD = 0, ANSI = 1 };
8
9
// Hex digits of U+FFFD (REPLACEMENT CHARACTER): one 16-bit code unit, i.e.
// two bytes in UTF-16, hence the original "two bytes" note. Kept as hex text
// rather than as a character literal (the commented-out REPLACEMENT_CHAR
// below was the character-literal alternative).
// NOTE(review): presumably emitted in place of input that cannot be encoded
// safely, as ESAPI's codecs do -- confirm against securitytools.cpp.
static const text_t REPLACEMENT_HEX = "fffd";
//static const unsigned short REPLACEMENT_CHAR = '\ufffd';

// Per-context "immune" sets: the characters the matching encodeFor* function
// passes through unencoded. They match the defaults of OWASP ESAPI's
// DefaultEncoder for Java (whose codecs additionally always leave
// alphanumerics unencoded -- confirm the C++ port does the same).
// Each set is a trust decision for its output context: adding one of that
// context's metacharacters (e.g. '<', '&', '"', '\'', '/', '\\') defeats the
// encoder for every caller, so extend these lists only with care.
static const text_t IMMUNE_CSS = "";           // CSS values: nothing immune, every non-alphanumeric is escaped
static const text_t IMMUNE_HTML = ",.-_ ";     // HTML element content; a space is harmless here
static const text_t IMMUNE_HTMLATTR = ",.-_";  // HTML attribute values: no space, which would end an unquoted attribute
static const text_t IMMUNE_JAVASCRIPT = ",._"; // JavaScript string literals
static const text_t IMMUNE_URL = "*.-_"; // the unreserved set of java.net.URLEncoder, see http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
static const text_t IMMUNE_SQL = " ";          // MySQL string literals
19
20
// Returns true if `url` has an acceptable protocol/scheme. Described by the
// author as a very simple version of ESAPI's Validator.isValidInput(); the
// set of accepted schemes is fixed in securitytools.cpp.
// NOTE(review): before relying on this to sanitise hrefs, check that the
// implementation rejects script-bearing schemes such as javascript: and data:.
bool isValidURLProtocol(const text_t& url);

// String conversion.
//
// Each encodeFor* function returns `input` encoded for one output context,
// leaving the characters in `immuneChars` (defaults above) unencoded.
// Choose the function by the exact place the value lands -- HTML text, an
// HTML attribute, a JavaScript string, a CSS value, a URL component -- and
// for nested contexts apply the encoders inside-out (a URL placed in an
// attribute is encodeForURL, then encodeForHTMLAttr). Encoding for the wrong
// context, or widening `immuneChars`, leaves injection possible.
text_t encodeForHTML(const text_t& input, const text_t& immuneChars=IMMUNE_HTML);
text_t encodeForURL(const text_t& input, const text_t& immuneChars=IMMUNE_URL);
text_t encodeForJavascript(const text_t& input, const text_t& immuneChars=IMMUNE_JAVASCRIPT);
text_t encodeForHTMLAttr(const text_t& input, const text_t& immuneChars=IMMUNE_HTMLATTR);
text_t encodeForCSS(const text_t& input, const text_t& immuneChars=IMMUNE_CSS);
// Escapes `input` for interpolation into a MySQL string literal. `mode`
// selects the quoting convention: in ESAPI's MySQLCodec, STANDARD is
// backslash escaping and ANSI (for servers running with ANSI_QUOTES) doubles
// only the single quote -- confirm the port keeps that split. The mode must
// match the server's sql_mode or the escaping is ineffective; prepared
// statements remain the preferred defence against SQL injection.
text_t encodeForMySQL(const text_t& input, const text_t& immuneChars=IMMUNE_SQL, const SQLMode mode=STANDARD);

// Character conversions.
//
// Single-character forms, presumably the building blocks of the string
// versions above -- confirm in securitytools.cpp. Note the reversed parameter
// order (immuneChars first). `input` is one 16-bit code unit.
// There is no character-level encodeForHTMLAttr; the string version
// presumably drives the encodeForHTML character encoder with IMMUNE_HTMLATTR.
text_t encodeForHTML(const text_t& immuneChars, const unsigned short input);
text_t encodeForURL(const text_t& immuneChars, const unsigned short input);
text_t encodeForJavascript(const text_t& immuneChars, const unsigned short input);
text_t encodeForCSS(const text_t& immuneChars, const unsigned short input);
text_t encodeForMySQL(const text_t& immuneChars, const unsigned short input, const SQLMode mode);
38
39
40#endif