X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=cgiedit.c;h=923f19a590c9464b84f6906dd662edf7b2e97ab6;hb=21b0eb515f9e0a5c27e2f9802b167123692ef508;hp=4caaeaf266b7266904a6999610749d8c9b1b6aa2;hpb=a77309974a2c2d0b2f7d34be313fa079f77d3b63;p=privoxy.git diff --git a/cgiedit.c b/cgiedit.c index 4caaeaf2..923f19a5 100644 --- a/cgiedit.c +++ b/cgiedit.c @@ -1,4 +1,4 @@ -const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.17 2002/03/16 14:26:42 jongfoster Exp $"; +const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.29 2002/04/08 16:59:08 oes Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/cgiedit.c,v $ @@ -16,7 +16,7 @@ const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.17 2002/03/16 14:26:42 jongfoster * Stick to the short names in this file for consistency. * * Copyright : Written by and Copyright (C) 2001 the SourceForge - * IJBSWA team. http://ijbswa.sourceforge.net + * Privoxy team. http://www.privoxy.org/ * * Based on the Internet Junkbuster originally written * by and Copyright (C) 1997 Anonymous Coders and @@ -42,6 +42,43 @@ const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.17 2002/03/16 14:26:42 jongfoster * * Revisions : * $Log: cgiedit.c,v $ + * Revision 1.29 2002/04/08 16:59:08 oes + * Fixed comment + * + * Revision 1.28 2002/03/27 12:30:29 oes + * Deleted unsused variable + * + * Revision 1.27 2002/03/26 23:06:04 jongfoster + * Removing duplicate @ifs on the toggle page + * + * Revision 1.26 2002/03/26 22:59:17 jongfoster + * Fixing /toggle to display status consistently. + * + * Revision 1.25 2002/03/26 22:29:54 swa + * we have a new homepage! + * + * Revision 1.24 2002/03/24 15:23:33 jongfoster + * Name changes + * + * Revision 1.23 2002/03/24 13:32:41 swa + * name change related issues + * + * Revision 1.22 2002/03/24 13:25:43 swa + * name change related issues + * + * Revision 1.21 2002/03/22 18:02:48 jongfoster + * Fixing remote toggle + * + * Revision 1.20 2002/03/16 20:28:34 oes + * Added descriptions to the filters so users will know what they select in the cgi editor + * + * Revision 1.19 2002/03/16 18:38:14 jongfoster + * Stopping stupid or malicious users from breaking the actions + * file using the web-based editor. + * + * Revision 1.18 2002/03/16 14:57:44 jongfoster + * Full support for enabling/disabling modular filters. + * * Revision 1.17 2002/03/16 14:26:42 jongfoster * First version of modular filters support - READ ONLY! * Fixing a double-free bug in the out-of-memory handling in map_radio(). @@ -250,7 +287,7 @@ struct file_line struct editable_file { struct file_line * lines; - const char * filename; /* Full pathname - e.g. "/etc/junkbuster/wibble.action" */ + const char * filename; /* Full pathname - e.g. "/etc/privoxy/wibble.action" */ const char * identifier; /* Filename stub - e.g. "wibble". Use for CGI param. */ /* Pre-encoded with url_encode() for ease of use. */ const char * version_str; /* Last modification time, as a string. For CGI param */ @@ -271,6 +308,8 @@ struct editable_file * (Statically allocated) */ }; +#define CGI_ACTION_PARAM_LEN_MAX 500 + /* FIXME: Following non-static functions should be prototyped in .h or made static */ /* Functions to read and write arbitrary config files */ @@ -326,6 +365,9 @@ static jb_err get_url_spec_param(struct client_state *csp, const struct map *parameters, const char *name, char **pvalue); +static jb_err get_string_param(const struct map *parameters, + const char *param_name, + const char **pparam); /* Internal actionsfile <==> HTML conversion functions */ static jb_err map_radio(struct map * exports, @@ -1843,6 +1885,111 @@ static jb_err get_file_name_param(struct client_state *csp, } +/********************************************************************* + * + * Function : get_char_param + * + * Description : Get a single-character parameter passed to a CGI + * function. + * + * Parameters : + * 1 : parameters = map of cgi parameters + * 2 : param_name = The name of the parameter to read + * + * Returns : Uppercase character on success, '\0' on error. + * + *********************************************************************/ +static char get_char_param(const struct map *parameters, + const char *param_name) +{ + char ch; + + assert(parameters); + assert(param_name); + + ch = *(lookup(parameters, param_name)); + if ((ch >= 'a') && (ch <= 'z')) + { + ch = ch - 'a' + 'A'; + } + + return ch; +} + + +/********************************************************************* + * + * Function : get_string_param + * + * Description : Get a string paramater, to be used as an + * ACTION_STRING or ACTION_MULTI paramater. + * Validates the input to prevent stupid/malicious + * users from corrupting their action file. + * + * Parameters : + * 1 : parameters = map of cgi parameters + * 2 : param_name = The name of the parameter to read + * 3 : pparam = destination for paramater. Allocated as + * part of the map "parameters", so don't free it. + * Set to NULL if not specified. + * + * Returns : JB_ERR_OK on success, or if the paramater + * was not specified. + * JB_ERR_MEMORY on out-of-memory. + * JB_ERR_CGI_PARAMS if the paramater is not valid. + * + *********************************************************************/ +static jb_err get_string_param(const struct map *parameters, + const char *param_name, + const char **pparam) +{ + const char *param; + const char *s; + char ch; + + assert(parameters); + assert(param_name); + assert(pparam); + + *pparam = NULL; + + param = lookup(parameters, param_name); + if (!*param) + { + return JB_ERR_OK; + } + + if (strlen(param) >= CGI_ACTION_PARAM_LEN_MAX) + { + /* + * Too long. + * + * Note that the length limit is arbitrary, it just seems + * sensible to limit it to *something*. There's no + * technical reason for any limit at all. + */ + return JB_ERR_CGI_PARAMS; + } + + /* Check every character to see if it's legal */ + s = param; + while ((ch = *s++) != '\0') + { + if ( ((unsigned char)ch < (unsigned char)' ') + || (ch == '}') ) + { + /* Probable hack attempt, or user accidentally used '}'. */ + return JB_ERR_CGI_PARAMS; + } + } + + /* Success */ + *pparam = param; + + return JB_ERR_OK; +} + + /********************************************************************* * * Function : get_number_param @@ -2262,10 +2409,10 @@ jb_err cgi_error_file(struct client_state *csp, /********************************************************************* * - * Function : cgi_error_bad_param + * Function : cgi_error_disabled * - * Description : CGI function that is called if the parameters - * (query string) for a CGI were wrong. + * Description : CGI function that is called if the actions editor + * is called although it's disabled in config * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -2323,13 +2470,13 @@ jb_err cgi_edit_actions(struct client_state *csp, } /* FIXME: Incomplete */ - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { return JB_ERR_MEMORY; } if (enlist_unique_header(rsp->headers, "Location", - CGI_PREFIX "edit-actions-list?f=ijb")) + CGI_PREFIX "edit-actions-list?f=default")) { free(rsp->status); rsp->status = NULL; @@ -2412,7 +2559,7 @@ jb_err cgi_edit_actions_list(struct client_state *csp, /* Should do all global exports above this point */ - err = template_load(csp, §ion_template, "edit-actions-list-section"); + err = template_load(csp, §ion_template, "edit-actions-list-section", 0); if (err) { edit_free_file(file); @@ -2424,7 +2571,7 @@ jb_err cgi_edit_actions_list(struct client_state *csp, return err; } - err = template_load(csp, &url_template, "edit-actions-list-url"); + err = template_load(csp, &url_template, "edit-actions-list-url", 0); if (err) { free(section_template); @@ -2798,7 +2945,7 @@ jb_err cgi_edit_actions_for_url(struct client_state *csp, int index = 0; char * filter_template; - err = template_load(csp, &filter_template, "edit-actions-for-url-filter"); + err = template_load(csp, &filter_template, "edit-actions-for-url-filter", 0); if (err) { edit_free_file(file); @@ -2822,7 +2969,7 @@ jb_err cgi_edit_actions_for_url(struct client_state *csp, filter_name = cur_line->data.action->multi_add[ACTION_MULTI_FILTER]->first; while ((filter_name != NULL) - && (0 != strcmp(filter_group->filtername, filter_name->str))) + && (0 != strcmp(filter_group->name, filter_name->str))) { filter_name = filter_name->next; } @@ -2835,7 +2982,7 @@ jb_err cgi_edit_actions_for_url(struct client_state *csp, { filter_name = cur_line->data.action->multi_remove[ACTION_MULTI_FILTER]->first; while ((filter_name != NULL) - && (0 != strcmp(filter_group->filtername, filter_name->str))) + && (0 != strcmp(filter_group->name, filter_name->str))) { filter_name = filter_name->next; } @@ -2858,7 +3005,8 @@ jb_err cgi_edit_actions_for_url(struct client_state *csp, else { if (!err) err = map(line_exports, "index", 1, number, 1); - if (!err) err = map(line_exports, "name", 1, filter_group->filtername, 1); + if (!err) err = map(line_exports, "name", 1, filter_group->name, 1); + if (!err) err = map(line_exports, "description", 1, filter_group->description, 1); if (!err) err = map_radio(line_exports, "this-filter", "ynx", current_mode); this_line = NULL; @@ -2976,7 +3124,7 @@ jb_err cgi_edit_actions_submit(struct client_state *csp, return err; } - ch = ijb_toupper((int)lookup(parameters, "filter_all")[0]); + ch = get_char_param(parameters, "filter_all"); if (ch == 'N') { list_remove_all(cur_line->data.action->multi_add[ACTION_MULTI_FILTER]); @@ -2988,7 +3136,7 @@ jb_err cgi_edit_actions_submit(struct client_state *csp, cur_line->data.action->multi_remove_all[ACTION_MULTI_FILTER] = 0; } - for (index = 0; ; index++) + for (index = 0; !err; index++) { char key_value[30]; char key_name[30]; @@ -3001,16 +3149,17 @@ jb_err cgi_edit_actions_submit(struct client_state *csp, snprintf(key_name, sizeof(key_name), "filter_n%x", index); key_name[sizeof(key_name) - 1] = '\0'; - name = lookup(parameters, key_name); + err = get_string_param(parameters, key_name, &name); + if (err) break; - if (*name == '\0') + if (name == NULL) { /* End of list */ break; } - value = ijb_toupper((int)lookup(parameters, key_value)[0]); + value = get_char_param(parameters, key_value); if (value == 'Y') { list_remove_item(cur_line->data.action->multi_add[ACTION_MULTI_FILTER], name); @@ -3093,7 +3242,7 @@ jb_err cgi_edit_actions_submit(struct client_state *csp, return JB_ERR_MEMORY; } - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { free(target); @@ -3215,7 +3364,7 @@ jb_err cgi_edit_actions_url(struct client_state *csp, return JB_ERR_MEMORY; } - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { free(target); @@ -3354,7 +3503,7 @@ jb_err cgi_edit_actions_add_url(struct client_state *csp, return JB_ERR_MEMORY; } - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { free(target); @@ -3470,7 +3619,7 @@ jb_err cgi_edit_actions_remove_url(struct client_state *csp, return JB_ERR_MEMORY; } - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { free(target); @@ -3602,7 +3751,7 @@ jb_err cgi_edit_actions_section_remove(struct client_state *csp, return JB_ERR_MEMORY; } - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { free(target); @@ -3776,7 +3925,7 @@ jb_err cgi_edit_actions_section_add(struct client_state *csp, return JB_ERR_MEMORY; } - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { free(target); @@ -3975,7 +4124,7 @@ jb_err cgi_edit_actions_section_swap(struct client_state *csp, return JB_ERR_MEMORY; } - rsp->status = strdup("302 Local Redirect from Junkbuster"); + rsp->status = strdup("302 Local Redirect from Privoxy"); if (rsp->status == NULL) { free(target); @@ -4016,7 +4165,6 @@ jb_err cgi_toggle(struct client_state *csp, struct map *exports; char mode; const char *template_name; - jb_err err; assert(csp); assert(rsp); @@ -4027,37 +4175,30 @@ jb_err cgi_toggle(struct client_state *csp, return cgi_error_disabled(csp, rsp); } - if (NULL == (exports = default_exports(csp, "toggle"))) - { - return JB_ERR_MEMORY; - } - - mode = *(lookup(parameters, "set")); + mode = get_char_param(parameters, "set"); - if (mode == 'e') + if (mode == 'E') { /* Enable */ g_bToggleIJB = 1; } - else if (mode == 'd') + else if (mode == 'D') { /* Disable */ g_bToggleIJB = 0; } - else if (mode == 't') + else if (mode == 'T') { /* Toggle */ g_bToggleIJB = !g_bToggleIJB; } - err = map_conditional(exports, "enabled", g_bToggleIJB); - if (err) + if (NULL == (exports = default_exports(csp, "toggle"))) { - free_map(exports); - return err; + return JB_ERR_MEMORY; } - template_name = (*(lookup(parameters, "mini")) + template_name = (get_char_param(parameters, "mini") ? "toggle-mini" : "toggle"); @@ -4257,6 +4398,7 @@ static jb_err actions_from_radio(const struct map * parameters, char * param_dup; char ch; const char * js_name; + jb_err err = JB_ERR_OK; assert(parameters); assert(action); @@ -4279,8 +4421,7 @@ static jb_err actions_from_radio(const struct map * parameters, #define DEFINE_ACTION_BOOL(name, bit) \ JAVASCRIPTIFY(js_name, name); \ - param = lookup(parameters, js_name); \ - ch = ijb_toupper(param[0]); \ + ch = get_char_param(parameters, js_name); \ if (ch == 'Y') \ { \ action->add |= bit; \ @@ -4299,18 +4440,18 @@ static jb_err actions_from_radio(const struct map * parameters, #define DEFINE_ACTION_STRING(name, bit, index) \ JAVASCRIPTIFY(js_name, name); \ - param = lookup(parameters, js_name); \ - ch = ijb_toupper(param[0]); \ + ch = get_char_param(parameters, js_name); \ if (ch == 'Y') \ { \ + param = NULL; \ JAVASCRIPTIFY(js_name, name "-mode"); \ - param = lookup(parameters, js_name); \ - if ((*param == '\0') || (0 == strcmp(param, "CUSTOM"))) \ - { \ - JAVASCRIPTIFY(js_name, name "-param"); \ - param = lookup(parameters, js_name); \ + if (!err) err = get_string_param(parameters, js_name, ¶m); \ + if ((param == NULL) || (0 == strcmp(param, "CUSTOM"))) \ + { \ + JAVASCRIPTIFY(js_name, name "-param"); \ + if (!err) err = get_string_param(parameters, js_name, ¶m); \ } \ - if (*param != '\0') \ + if (param != NULL) \ { \ if (NULL == (param_dup = strdup(param))) \ { \ @@ -4343,8 +4484,7 @@ static jb_err actions_from_radio(const struct map * parameters, #define DEFINE_ACTION_MULTI(name, index) \ JAVASCRIPTIFY(js_name, name); \ - param = lookup(parameters, js_name); \ - ch = ijb_toupper((int)param[0]); \ + ch = get_char_param(parameters, js_name); \ if (ch == 'Y') \ { \ /* FIXME */ \ @@ -4374,7 +4514,7 @@ static jb_err actions_from_radio(const struct map * parameters, first_time = 0; - return JB_ERR_OK; + return err; }