Changeset 28912


Timestamp:
03/18/14 16:45:46 (7 years ago)
Author:
ak19
Message:

Commit 5 for security. Handles setmacro() occurrences in non-action.cpp files. cl is safe from hacks now.

Location:
main/trunk/greenstone2/runtime-src/src/recpt
Files:
3 edited

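--- a/main/trunk/greenstone2/runtime-src/src/recpt/browsetoolsclass.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/browsetoolsclass.cpp
@@ -31,4 +31,5 @@
 #include "OIDtools.h"
 #include "gsdlunicode.h"
+#include "securitytools.h"
 
 #if defined(GSDL_USE_IOS_H)
@@ -831,5 +832,5 @@
   if (formatinfo.DocumentContents || args["d"].empty()) {
     if (args["d"].empty()) {
-      disp.setmacro("tocopenextra", "document", "id=\"" + cl_top + "\"");
+      disp.setmacro("tocopenextra", "document", "id=\"" + encodeForHTMLAttr(cl_top) + "\"");
     } else {
       disp.setmacro("tocopenextra", "document", "");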
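Review bot: The setmacro argument on new line 834 is HTML-attribute-encoded but, unlike every other value handed to setmacro in this changeset (pagedbrowserclass.cpp and receptionist.cpp), it is not passed through dm_safe(), so whether the display-macro engine could still interpret `_..._` sequences inside cl_top depends on what encodeForHTMLAttr escapes, which is not visible here. If dm_safe is the macro-escaping helper its neighbouring uses suggest, the conservative form is `"id=\"" + dm_safe(encodeForHTMLAttr(cl_top)) + "\""`; otherwise a one-line comment at this call stating that encodeForHTMLAttr also neutralises the macro delimiters would record the decision. A why-comment such as `// cl_top is derived from the request's cl argument; encode for the id="..." attribute context` would also help, if that origin (implied by the commit message) is correct, since the call site gives no hint of where the value comes from. The enclosing function starts and ends outside the hunk.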
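--- a/main/trunk/greenstone2/runtime-src/src/recpt/pagedbrowserclass.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pagedbrowserclass.cpp
@@ -107,5 +107,5 @@
 
   if (section.OID != args["d"]) {
-    text_t httpprevarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + dm_safe(section.OID);
+    text_t httpprevarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + dm_safe(section.OID);
     text_t parentarrow = "<a href=\"" + httpprevarrow + "\">_iconprev_</a>\n";
     disp.setmacro ("httpprevarrow", "document", httpprevarrow);
@@ -176,5 +176,5 @@
 
   if (!found) {
-    httpnextarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + sections.docInfo[0].OID;
+    httpnextarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + sections.docInfo[0].OID;
     nextarrow = "<a href=\"" + httpnextarrow + "\">" +
       sections.docInfo[0].metadata["Title"].values[0] + "_iconnext_</a>\n";
@@ -182,9 +182,9 @@
   } else {
     if (!previousOID.empty()) {
-      httpprevarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + dm_safe(previousOID);
+      httpprevarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + dm_safe(previousOID);
       prevarrow = "<a href=\"" + httpprevarrow + "\">_iconprev_" + previoustitle + "</a>\n";
     }
     if (!nextOID.empty()) {
-      httpnextarrow = "_httpdocument_&cl=" + args["cl"] + "&d=" + dm_safe(nextOID);
+      httpnextarrow = "_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d=" + dm_safe(nextOID);
       nextarrow = "<a href=\"" + httpnextarrow + "\">" + nexttitle + "_iconnext_</a>\n";
     }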
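Review bot: On new line 178 the `&d=` value is still appended as a bare `sections.docInfo[0].OID`, while the sibling assignments on lines 109, 184 and 188 wrap the OID in `dm_safe(...)`; if an OID can carry macro-delimiter characters this is the one place in the file where that protection is missing, and `"&d=" + dm_safe(sections.docInfo[0].OID)` would make the four lines consistent. The `"_httpdocument_&cl=" + encodeForURL(args["cl"]) + "&d="` prefix is now built four times; the hunks at 176–190 appear to sit in one function, so computing it once into a local there would keep any future change to the encoding in a single place. encodeForURL is used here without a visible include, whereas browsetoolsclass.cpp gains `#include "securitytools.h"` in the same changeset; it may arrive transitively, but an explicit include would make the dependency clear. The enclosing functions of both hunks start and end outside the diff.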
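--- a/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
@@ -1478,4 +1478,6 @@
   text_t compressedoptions = get_compressed_arg(args, logout);
   disp.setmacro ("compressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+  //disp.setmacro ("compressedoptionsUrlsafe", displayclass::defaultpackage, encodeForURL(dm_safe(compressedoptions))); // seems to be unnecessary after testing e=hack or e=hack<collect>... or e=...<collect>hack in a live server
+
   // need a decoded version of compressedoptions for use within forms
   // as browsers encode values from forms before sending to server
@@ -1635,5 +1637,5 @@
       if (!cinfo.httpdomain.empty()) httpcollection = "http://";
       httpcollection += cinfo.httpdomain + httpprefix + "/collect/"
-    + collection;
+    + encodeForURL(collection);
       disp.setmacro ("httpcollection", displayclass::defaultpackage,
              httpcollection);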
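Review bot: The line added at new 1480 is commented-out code whose trailing justification records an ad-hoc probing session rather than the reason URL-encoding is unnecessary; a commented-out call reads as unfinished work, so either drop the line or replace it with a plain comment that names the contexts in which the `compressedoptions` macro is expanded and why percent-encoding is not required there. Stating that property directly is what a later maintainer will need when deciding whether to add a URL-safe variant, and it is also a stronger argument than "no problem was observed" with a few inputs. In the second hunk (new line 1639) `collection` is now URL-encoded, while `cinfo.httpdomain` and `httpprefix` on the preceding line are not; if those are configuration values rather than request input that is fine, and a short comment saying so would stop the asymmetry being read as an omission. The enclosing functions of both hunks start and end outside the diff.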