-const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.52 2007/04/12 10:41:23 fabiankeil Exp $";
+const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.54 2007/05/14 10:33:51 fabiankeil Exp $";
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/cgiedit.c,v $
*
* Revisions :
* $Log: cgiedit.c,v $
+ * Revision 1.54 2007/05/14 10:33:51 fabiankeil
+ * - Use strlcpy() and strlcat() instead of strcpy() and strcat().
+ *
+ * Revision 1.53 2007/04/15 16:39:20 fabiankeil
+ * Introduce tags as alternative way to specify which
+ * actions apply to a request. At the moment tags can be
+ * created based on client and server headers.
+ *
* Revision 1.52 2007/04/12 10:41:23 fabiankeil
* - Don't mistake VC++'s _snprintf() for a snprintf() replacement.
* - Move some cgi_edit_actions_for_url() variables into structs.
const char *name);
#endif /* unused function */
+static jb_err get_file_name_param(struct client_state *csp,
+ const struct map *parameters,
+ const char *param_name,
+ const char **pfilename);
+
/* Internal convenience functions */
static char *section_target(const unsigned sectionid);
struct file_line * lines;
FILE * fp;
jb_err err;
- const char * filename = NULL;
+ const char *filename = NULL;
struct editable_file * file;
unsigned version = 0;
struct stat statbuf[1];
*pfile = NULL;
- if ((JB_ERR_OK == get_number_param(csp, parameters, "f", &i))
- && (i < MAX_AF_FILES) && (NULL != csp->config->actions_file[i]))
+ err = get_number_param(csp, parameters, "f", &i);
+ if ((JB_ERR_OK == err) && (i < MAX_AF_FILES) && (NULL != csp->config->actions_file[i]))
{
filename = csp->config->actions_file[i];
}
+ else if (JB_ERR_CGI_PARAMS == err)
+ {
+ /*
+ * Probably an old-school URL like
+ * http://config.privoxy.org/edit-actions-list?f=default
+ */
+ err = get_file_name_param(csp, parameters, "f", &filename);
+ }
- if (filename == NULL || stat(filename, statbuf) < 0)
+ if (NULL == filename || stat(filename, statbuf) < 0)
{
/* Error, probably file not found. */
return JB_ERR_FILE;
}
-#if 0
-/*
- * Currently not needed, but may become useful again in the future.
- */
/*********************************************************************
*
* Function : get_file_name_param
*
* Description : Get the name of the file to edit from the parameters
- * passed to a CGI function. This function handles
- * security checks such as blocking urls containing
- * "/" or ".", prepending the config file directory,
- * and adding the specified suffix.
- *
- * (This is an essential security check, otherwise
- * users may be able to pass "../../../etc/passwd"
- * and overwrite the password file [linux], "prn:"
- * and print random data [Windows], etc...)
- *
- * This function only allows filenames contining the
- * characters '-', '_', 'A'-'Z', 'a'-'z', and '0'-'9'.
- * That's probably too restrictive but at least it's
- * secure.
+ * passed to a CGI function using the old syntax.
+ * This function handles security checks and only
+ * accepts files that Privoxy already knows.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
* 2 : parameters = map of cgi parameters
* 3 : param_name = The name of the parameter to read
- * 4 : suffix = File extension, e.g. ".actions"
- * 5 : pfilename = destination for full filename. Caller
- * free()s. Set to NULL on error.
- * 6 : pparam = destination for partial filename,
- * suitable for use in another URL. Allocated as part
- * of the map "parameters", so don't free it.
- * Set to NULL if not specified.
+ * 4 : pfilename = pointer to the filename in
+ * csp->config->actions_file[] if found. Set to NULL on error.
*
* Returns : JB_ERR_OK on success
* JB_ERR_MEMORY on out-of-memory
static jb_err get_file_name_param(struct client_state *csp,
const struct map *parameters,
const char *param_name,
- const char *suffix,
- char **pfilename,
- const char **pparam)
+ const char **pfilename)
{
const char *param;
+ const char suffix[] = ".action";
const char *s;
char *name;
char *fullpath;
char ch;
size_t len;
+ size_t name_size;
+ int i;
assert(csp);
assert(parameters);
- assert(suffix);
assert(pfilename);
- assert(pparam);
*pfilename = NULL;
- *pparam = NULL;
param = lookup(parameters, param_name);
if (!*param)
return JB_ERR_CGI_PARAMS;
}
- *pparam = param;
-
len = strlen(param);
if (len >= FILENAME_MAX)
{
return JB_ERR_CGI_PARAMS;
}
- /* Check every character to see if it's legal */
+ /*
+ * Check every character to see if it's legal.
+ * Totally unnecessary but we do it anyway.
+ */
s = param;
while ((ch = *s++) != '\0')
{
}
/* Append extension */
- name = malloc(len + strlen(suffix) + 1);
+ name_size = len + strlen(suffix) + 1;
+ name = malloc(name_size);
if (name == NULL)
{
return JB_ERR_MEMORY;
}
- strcpy(name, param);
- strcpy(name + len, suffix);
+ strlcpy(name, param, name_size);
+ strlcat(name, suffix, name_size);
/* Prepend path */
fullpath = make_path(csp->config->confdir, name);
return JB_ERR_MEMORY;
}
- /* Success */
- *pfilename = fullpath;
+ /* Check if the file is known */
+ for (i = 0; i < MAX_AF_FILES; i++)
+ {
+ if (NULL != csp->config->actions_file[i] &&
+ !strcmp(fullpath, csp->config->actions_file[i]))
+ {
+ /* Success */
+ *pfilename = csp->config->actions_file[i];
+ freez(fullpath);
- return JB_ERR_OK;
+ return JB_ERR_OK;
+ }
+ }
+ freez(fullpath);
+
+ return JB_ERR_CGI_PARAMS;
}
-#endif /*0*/
/*********************************************************************
const char * values,
int value)
{
- size_t len;
char * buf;
char * p;
char c;
+ const size_t len = strlen(optionname);
+ const size_t buf_size = len + 3;
assert(exports);
assert(optionname);
assert(values);
- len = strlen(optionname);
- buf = malloc(len + 3);
+ buf = malloc(buf_size);
if (buf == NULL)
{
return JB_ERR_MEMORY;
}
- strcpy(buf, optionname);
+ strlcpy(buf, optionname, buf_size);
+
+ /* XXX: this looks ... interesting */
p = buf + len;
*p++ = '-';
p[1] = '\0';
unsigned sectionid;
char * actiontext;
char * newtext;
+ size_t newtext_size;
size_t len;
struct editable_file * file;
struct file_line * cur_line;
len = 1;
}
- if (NULL == (newtext = malloc(len + 2)))
+ newtext_size = len + 2;
+ if (NULL == (newtext = malloc(newtext_size)))
{
/* Out of memory */
free(actiontext);
edit_free_file(file);
return JB_ERR_MEMORY;
}
- strcpy(newtext, actiontext);
+ strlcpy(newtext, actiontext, newtext_size);
free(actiontext);
newtext[0] = '{';
newtext[len] = '}';
projects / privoxy.git / blobdiff