Changeset 28899 for main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp

Timestamp:

2014-03-14T22:46:25+13:00 (10 years ago)

Author:

ak19

Message:

Third commit for security, for ensuring cgiargs macros are websafe. This time all the changes to the runtime action classes.

File:

• main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp (modified) (5 diffs)

main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp

@@ -353 +353 @@
     arg_value = args.getarg (ainfo.shortname);
     if (arg_value == NULL) textout << outconvert << "<td></td></tr>\n";
-    else textout << outconvert << "<td>\"" << *arg_value << "\"</td></tr>\n";
+    else textout << outconvert << "<td>\"" << encodeForHTML(*arg_value) << "\"</td></tr>\n";
     
     ++argsinfohere;
@@ -547 +547 @@
   
   if (rprotolist_here == rprotolist_end) {
-    textout << outconvert << "Protocol \"" << arg_pr << "\" with collection \""
-        << arg_c << "\" was not found\n";
+    textout << outconvert << "Protocol \"" << encodeForHTML(arg_pr) << "\" with collection \""
+        << encodeForHTML(arg_c) << "\" was not found\n";
 
   } else {
@@ -819 +819 @@
     text_t errorpage = "<p><pre>\n";
 
+    text_t errorpage_content;
     char c;
     errin.get(c);
     while (!errin.eof ()) {
-      errorpage.push_back(c);
+      errorpage_content.push_back(c);
       errin.get(c);
     }
-    
+    // need to ensure that error_log displayed from Admin pages is encoded/safe for an HTML context
+    errorpage += encodeForHTML(errorpage_content);
+
     errorpage += "</pre>\n";
     errin.close();
@@ -849 +852 @@
   text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg");
 #else
-  text_t llssite_cfg = "llssite.cfg";
+  text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg"); //"llssite.cfg";
 #endif
 
@@ -1138 +1141 @@
   else {
     output_errorpage (outconvert, textout, logout, 
-              "Unknown page \"" + arg_p + "\".\n");
+              "Unknown page \"" + encodeForHTML(arg_p) + "\".\n");
   }