Timestamp:
2014-03-13T14:34:48+13:00 (10 years ago)
Author:
ak19
Message:

First security commit. 1. Introducing the new securitytools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

Location:
main/trunk/greenstone2/runtime-src
Files:
2 added
9 edited

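--- a/main/trunk/greenstone2/runtime-src/packages/Makefile.in
+++ b/main/trunk/greenstone2/runtime-src/packages/Makefile.in
@@ -29,8 +29,4 @@
 USE_YAZ=@USE_YAZ@
 USE_APACHE_HTTPD=@USE_APACHE_HTTPD@
-
-
-SECURITY=security/libgpg-error-1.12
-#security/libgcrypt-1.6.1
 
 ifeq ($(USE_Z3950), 1)
@@ -74,5 +70,5 @@
 # is assumed that each package will have at least four rules: all, install,
 # clean, and distclean.
-INSTALLDIRS =   $(YAZ) $(D2M) $(CORBA) $(SECURITY)
+INSTALLDIRS =   $(YAZ) $(D2M) $(CORBA)
 PACKAGEDIRS =   $(INSTALLDIRS) $(HTTPD)
 
@@ -133,7 +129,4 @@
     cd yaz/yaz-2.1.4/src; $(MAKE)  $(MDEFINES) install
 endif
-
-# make install all packages in the security folder
-
 
 # now install everything except apache, since that had already been installed during "all"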
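--- a/main/trunk/greenstone2/runtime-src/src/recpt/Makefile.in
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/Makefile.in
@@ -155,4 +155,5 @@
 APACHE_MODULE =
 endif
+
 
 # Extension support
@@ -229,4 +230,5 @@
     $(RSS_SOURCES) \
     statusaction.cpp \
+    securitytools.cpp \
     summarise.cpp \
     tipaction.cpp \
@@ -278,4 +280,5 @@
     $(RSS_OBJECTS) \
     statusaction.o \
+    securitytools.o \
     summarise.o \
     tipaction.o \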
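--- a/main/trunk/greenstone2/runtime-src/src/recpt/action.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/action.h
@@ -34,4 +34,5 @@
 #include "recptproto.h"
 #include "browserclass.h"
+#include "securitytools.h"
 
 #if defined(GSDL_USE_OBJECTSPACE)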
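--- a/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
@@ -651,5 +651,5 @@
 
     // Display the "this collection is not installed on this system" page
-    disp.setmacro("cvariable", displayclass::defaultpackage, collection);
+    disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(collection));
     disp.setmacro("content", "query", "<p>_textbadcollection_<p>");
 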
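Review bot: The new `encodeForHTML(collection)` on the cvariable line escapes for HTML element content only; if the `_cvariable_` macro is also expanded inside an attribute or a script block in the macro files, those templates need the attribute/JavaScript encoders instead, as receptionist.cpp now provides for the cgiarg macros. The other macro values set in this commit pass through `dm_safe` before use; whether `collection` can carry the macro-language metacharacters that `dm_safe` neutralises is not visible here, so consider `encodeForHTML(dm_safe(collection))` if it can. The enclosing function starts and ends outside the hunk.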
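--- a/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
@@ -44,5 +44,5 @@
 
 // set to false to undo security changes (url-encoding arguments)
-static bool do_safe_cgi_args = true;
+static bool do_safe_cgi_args = false;
 
 static unsigned short hexdigit (unsigned short c) {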
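Review bot: Flipping `do_safe_cgi_args` to `false` switches off the existing URL-encoding of CGI arguments that the comment directly above describes as a security change, and nothing in the commit message says why it is being disabled in a commit that otherwise adds encoding. If the intent is that encoding now happens per output context through the new `cgiarg*Urlsafe` macros in receptionist.cpp (so leaving this on would double-encode), the flag's comment should record that, e.g. `// disabled in r28888: URL-encoding is now done per context via the cgiarg*Urlsafe macros in receptionist.cpp; re-enable only if that path is removed`. Otherwise this is a regression for every template that still relies on the old behaviour.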
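--- a/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
@@ -751,5 +751,5 @@
   if (arg_p == "about") {
     if (cinfo == NULL) {
-      disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+      disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
       disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
       return;
@@ -797,5 +797,5 @@
  
     if (cinfo == NULL) {
-      disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+      disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
       disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
       return;
@@ -1009,7 +1009,7 @@
   text_t &arg_p = args["p"];
 
-  textout << outconvert << disp << ("_" + arg_p + ":header_\n")
-      << ("_" + arg_p + ":content_\n")
-      << ("_" + arg_p + ":footer_\n");
+  textout << outconvert << disp << ("_" + encodeForHTML(arg_p) + ":header_\n")
+      << ("_" + encodeForHTML(arg_p) + ":content_\n")
+      << ("_" + encodeForHTML(arg_p) + ":footer_\n");
 
   return true;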
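Review bot: In the last hunk `arg_p` is used to build macro names (`_<p>:header_` and friends) that are then expanded, not emitted as HTML, so `encodeForHTML` is the wrong tool for that context: it turns `<`, `&` and quotes into entity text that simply becomes part of the looked-up name, while apparently leaving `_` and `:`, the characters that delimit macro references in these strings, untouched. A page name should be validated rather than output-encoded: reject `arg_p` before the `textout` line unless it matches an allowlist of known page names (or at least `[A-Za-z0-9]+`), and fall through to the existing bad-page handling when it does not. The first two hunks (`encodeForHTML(arg_c)` for `_cvariable_` rendered as element content) are appropriate as written. The enclosing functions start outside the hunks.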
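--- a/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
@@ -1010,5 +1010,5 @@
 
     // Display the "this collection is not installed on this system" page
-    disp.setmacro("cvariable", displayclass::defaultpackage, main_collection);
+    disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(main_collection));
     disp.setmacro("content", "query", "<p>_textbadcollection_<p>");
 
@@ -1394,5 +1394,8 @@
     }
 
-    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+    text_t macrovalue = dm_safe(compressedoptions);
+    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, macrovalue);
+    disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(macrovalue));
+   
       }
     } // form search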
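Review bot: The new local in the second hunk is named `macrovalue` here but `dmacrovalue` in the otherwise identical three-line sequence added to receptionist.cpp and sqlqueryaction.cpp in this same commit; use one name (`text_t dmacrovalue = dm_safe(compressedoptions);`) so the three copies can be grepped and kept in step. The added line after the Attrsafe `setmacro` is whitespace-only and should be dropped. The enclosing function starts and ends outside the hunk.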
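--- a/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
@@ -36,4 +36,5 @@
 #include "gsdltimes.h"
 #include "OIDtools.h"
+#include "securitytools.h"
 #include <assert.h>
 #include <time.h>
@@ -1485,5 +1486,8 @@
     compressedoptions = to_uni(compressedoptions);
   }
-  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+
+  text_t dmacrovalue = dm_safe(compressedoptions);
+  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue);
+  disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue));
 
 #if defined (__WIN32__)
@@ -1495,4 +1499,7 @@
   cgiargsclass::const_iterator argsend = args.end();
   while (argshere != argsend) {
+
+    text_t macrovalue = (*argshere).second.value; // and stays like that if ((*argshere).first == "hp")
+
     if (((*argshere).first == "q") ||
     ((*argshere).first == "qa") ||
@@ -1502,13 +1509,37 @@
     ((*argshere).first == "qpl") ||
     ((*argshere).first == "qr") ||
-    ((*argshere).first == "q2"))
+    ((*argshere).first == "q2")) {
+
       // need to escape special characters from query string
-      disp.setmacro ("cgiarg" + (*argshere).first,
-             displayclass::defaultpackage, html_safe((*argshere).second.value));
-    else if ((*argshere).first == "hp") {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, (*argshere).second.value);
-    } else {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, dm_safe((*argshere).second.value));
-    }
+      macrovalue = html_safe(macrovalue);
+
+    } else  if ((*argshere).first == "hp") {
+      if(!isValidURLProtocol(macrovalue)) {
+    macrovalue = encodeForURL(macrovalue); // URL has invalid protocol like javascript:, so URL encode it
+      }
+    }
+    else {
+      macrovalue = dm_safe(macrovalue);
+    }   
+
+    // set the default value for the macro
+    disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, macrovalue);
+
+    // set macros for the encoded versions of the same value. Uses the functions in securitytools.h
+    // https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
+
+    text_t htmlsafe = encodeForHTML(macrovalue);
+    text_t attrsafe = encodeForHTMLAttr(macrovalue);
+    text_t urlsafe = encodeForURL(macrovalue);
+    text_t jssafe = encodeForJavascript(macrovalue);
+    text_t csssafe = encodeForCSS(macrovalue);
+
+    disp.setmacro ("cgiarg" + (*argshere).first + "Htmlsafe", displayclass::defaultpackage, htmlsafe);   
+    disp.setmacro ("cgiarg" + (*argshere).first + "Attrsafe", displayclass::defaultpackage, attrsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Jssafe", displayclass::defaultpackage, jssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Csssafe", displayclass::defaultpackage, csssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe);
+   
+
     ++argshere;
   }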
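Review bot: The five `encodeFor*` variants at the bottom of the last hunk are computed from `macrovalue` after it has already been transformed, so for the `q*` arguments `cgiargqHtmlsafe` is `encodeForHTML(html_safe(q))`: if `html_safe` already turns `&` into `&amp;` (its name and the "escape special characters" comment suggest it does), the Htmlsafe/Attrsafe variants double-encode and render `&amp;amp;` to the user, while the Jssafe/Urlsafe variants encode the entity text rather than the query the user typed. Derive the per-context variants from the raw value instead, e.g. `text_t raw = (*argshere).second.value;` followed by `encodeForHTML(raw)` and so on, keeping the transformed `macrovalue` only for the legacy default macro (and re-applying `dm_safe` afterwards if the macro expander needs it). The `hp` branch also URL-encodes a value with a bad scheme so that `javascript:...` becomes a broken relative link; dropping it outright (`macrovalue = "";`) is the clearer rejection and worth a comment either way. The enclosing function starts before the hunk.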
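--- a/main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
@@ -309,6 +309,8 @@
       compressedoptions = to_uni(compressedoptions);
     }
-
-    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+   
+    text_t dmacrovalue = dm_safe(compressedoptions);
+    disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue);
+    disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue));
       }
     } // form search
@@ -317,8 +319,4 @@
     logout << "ERROR (sqlqueryaction::get_formatted_query_string): querytype not defined\n";
   }
-
-
-
-
 
 }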
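Review bot: The first hunk is the third copy in this commit of the same `dm_safe` / `decodedcompressedoptions` / `decodedcompressedoptionsAttrsafe` sequence (receptionist.cpp and queryaction.cpp carry the other two, one of them under a different local name); a small shared helper, e.g. `void set_compressedoptions_macros(displayclass &disp, const text_t &compressedoptions)` in securitytools or receptionist, would keep the encoder choice in one place so a later fix is not applied to only two of the three copies. The first added line consists of trailing spaces only and should be an empty line. The enclosing function starts outside the hunk.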