Ignore:
Timestamp:
2014-03-14T22:46:25+13:00 (10 years ago)
Author:
ak19
Message:

Third commit for security, for ensuring cgiargs macros are websafe. This time all the changes to the runtime action classes.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • main/trunk/greenstone2/runtime-src/src/recpt/documentaction.cpp

    r27363 r28899  
    607607      outlink = "_httpdocument_&d=" + response.docInfo[0].metadata["section"].values[0];
    608608#else
    609       outlink = "_httpdocumenthandle_("+args["c"]+","+response.docInfo[0].metadata["section"].values[0]+")";
     609      outlink = "_httpdocumenthandle_("+encodeForURL(args["c"])+","+response.docInfo[0].metadata["section"].values[0]+")";
    610610#endif
    611611
     
    10661066#ifndef DOCHANDLE
    10671067        << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d="
    1068         << args["d"] << "\">"
     1068        << encodeForURL(args["d"]) << "\">"
    10691069#else
    10701070        << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_("
    1071         << args["c"] << "," << args["d"] << ")\">"
     1071        << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">"
    10721072#endif
    10731073        << "<noframes>\n"
     
    11431143            #ifndef DOCHANDLE
    11441144                << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d="
    1145                 << args["d"] << "\">"
     1145                << encodeForURL(args["d"]) << "\">"
    11461146            #else
    11471147                << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_("
    1148                 << args["c"] << "," << args["d"] << ")\">"
     1148                << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">"
    11491149            #endif
    11501150                << "<noframes>\n"
     
    14621462                logout << text_t2ascii
    14631463                    << "documentaction::output_document: call to QueryFilter failed "
    1464                     << "for " << args["c"] << " collection (" << get_comerror_string (err) << ")\n";
     1464                    << "for " << args["c"] << " collection (" << get_comerror_string (err) << ")\n";
    14651465                highlight = false;
    14661466            }
     
    16451645  if (haschildren) {
    16461646#ifndef DOCHANLE
    1647     disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
    1648            "&amp;d=" + arg_d + ".fc");
     1647    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
     1648           "&amp;d=" + encodeForURL(arg_d) + ".fc");
    16491649#else
    1650     disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+args["c"]+","+arg_d + ".fc)";
     1650    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+encodeForURL(arg_d) + ".fc)";
    16511651
    16521652#endif
     
    16581658      if (!(*h).empty()) {
    16591659#ifndef DOCHANLE
    1660     disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
     1660    disp.setmacro ("httpnextarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
    16611661               "&amp;d=" + *h);
    16621662#else
    1663     disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+args["c"]+","+*h+")";
     1663    disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+*h+")";
    16641664
    16651665#endif
     
    16741674  if (!previous_sibling.empty()) {
    16751675#ifndef DOCHANDLE
    1676     disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
     1676    disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
    16771677           "&amp;d=" + previous_sibling);
    16781678#else
    1679     disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+args["c"]+","+ previous_sibling+")");
     1679    disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+ previous_sibling+")");
    16801680
    16811681#endif
     
    16841684    if (countchar(arg_d.begin(), arg_d.end(), '.')) {
    16851685#ifndef DOCHANDLE
    1686       disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + args["cl"] +
     1686      disp.setmacro ("httpprevarrow", "document", "_httpdocument_&amp;cl=" + encodeForURL(args["cl"]) +
    16871687             "&amp;d=" + get_parent(arg_d));
    16881688#else
    1689       disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+args["c"]+","+get_parent(arg_d)+")");
     1689      disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+get_parent(arg_d)+")");
    16901690
    16911691#endif
Note: See TracChangeset for help on using the changeset viewer.