Changeset 28911 for main/trunk/greenstone2/runtime-src

Timestamp:

2014-03-17T21:36:16+13:00 (10 years ago)

Author:

ak19

Message:

Fourth commit for security and safe cgiargs.

Location:

main/trunk/greenstone2/runtime-src/src/recpt

Files:

• basequeryaction.cpp (modified) (1 diff)
• queryaction.cpp (modified) (2 diffs)
• rssaction.cpp (modified) (3 diffs)
• statusaction.cpp (modified) (1 diff)

main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp

@@ -606 +606 @@
     histvalue += i;
     disp.setmacro(histvalue, "query", escquery);
+    disp.setmacro(histvalue+"Jssafe", "query", encodeForJavascript(escquery));
     format_user_info(cgiargs, userinfo, args, protos, logout);
     

main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp

@@ -743 +743 @@
       << "<form name=\"QueryForm\" method=\"get\" action=\"_gwcgi_\">\n"
       << "<input type=\"hidden\" name=\"a\" value=\"q\">\n"
-          << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsite_\"\n"
+          << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsiteAttrsafe_\"\n"
       << "<input type=\"hidden\" name=\"e\" value=\"_compressedoptions_\">\n"
       << "<input type=\"hidden\" name=\"ccp\" value=\"1\">\n"
@@ -1390 +1390 @@
     decode_cgi_arg (compressedoptions); 
     if (args["w"] == "utf-8") { // if the encoding was utf-8, then compressed options was utf-8, and we need unicode.
-    // if encoding wasn't utf-8, then compressed opotions may be screwed up, but seems to work for 8 bit encodings?
+    // if encoding wasn't utf-8, then compressed options may be screwed up, but seems to work for 8 bit encodings?
       compressedoptions = to_uni(compressedoptions);
     }

main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp

@@ -68 +68 @@
       << "<channel>\n"
       << "  <title>_collectionname_</title>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "  <language>_cgiarglHtmlsafe_</language>\n"
@@ -79 +79 @@
       << "  <title>_collectionname_</title>\n"
       << "  <url>_iconcollection_</url>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "</image>\n";
@@ -125 +125 @@
     
     if(!args["hostname"].empty()) {
-      disp.setmacro("httpdomain", "Global", "http://" + encodeForURL(args["hostname"]));
+      disp.setmacro("httpdomain", "Global", "http://" + args["hostname"]);
+      disp.setmacro("httpdomainHtmlsafe", "Global", "http://" + encodeForHTML(args["hostname"]));
     } 
     else { // we shouldn't have to get here
-      disp.setmacro("httpdomain", "Global", "http://localhost:8282"); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      text_t default_domain = "http://localhost:8282";
+      disp.setmacro("httpdomain", "Global", default_domain); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      disp.setmacro("httpdomain", "Global", encodeForHTML(default_domain));
     }
   }

main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp

@@ -786 +786 @@
       << "<pre>\n";
 
+  text_t logcontent = file_tail (logfilename, 100, 1500);
+
   // note that we're expecting lines to be no more than 1500 characters on
   // average - should fix this file_tail() thing sometime
-  textout << outconvert << file_tail (logfilename, 100, 1500);
+  textout << outconvert << encodeForHTML(logcontent);
 
   textout << outconvert << disp << "</pre>\n"