X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=cgiedit.c;h=aa8ead382d95a7054ef360b072f5363cd7392480;hp=4e4927d0bd228b15de63eb212172cf6cee7811b2;hb=60adfb320a5a421cf69e91fba0b3c0ad2eb664ae;hpb=e37a59aca86ce1f33b5979f7456084b11919b3b7 diff --git a/cgiedit.c b/cgiedit.c index 4e4927d0..aa8ead38 100644 --- a/cgiedit.c +++ b/cgiedit.c @@ -1,4 +1,4 @@ -const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.14 2002/03/05 00:24:51 jongfoster Exp $"; +const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.20 2002/03/16 20:28:34 oes Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/cgiedit.c,v $ @@ -42,6 +42,26 @@ const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.14 2002/03/05 00:24:51 jongfoster * * Revisions : * $Log: cgiedit.c,v $ + * Revision 1.20 2002/03/16 20:28:34 oes + * Added descriptions to the filters so users will know what they select in the cgi editor + * + * Revision 1.19 2002/03/16 18:38:14 jongfoster + * Stopping stupid or malicious users from breaking the actions + * file using the web-based editor. + * + * Revision 1.18 2002/03/16 14:57:44 jongfoster + * Full support for enabling/disabling modular filters. + * + * Revision 1.17 2002/03/16 14:26:42 jongfoster + * First version of modular filters support - READ ONLY! + * Fixing a double-free bug in the out-of-memory handling in map_radio(). + * + * Revision 1.16 2002/03/07 03:46:17 oes + * Fixed compiler warnings + * + * Revision 1.15 2002/03/06 22:54:35 jongfoster + * Automated function-comment nitpicking. + * * Revision 1.14 2002/03/05 00:24:51 jongfoster * Patch to always edit the current actions file. * @@ -261,6 +281,8 @@ struct editable_file * (Statically allocated) */ }; +#define CGI_ACTION_PARAM_LEN_MAX 500 + /* FIXME: Following non-static functions should be prototyped in .h or made static */ /* Functions to read and write arbitrary config files */ @@ -316,12 +338,15 @@ static jb_err get_url_spec_param(struct client_state *csp, const struct map *parameters, const char *name, char **pvalue); +static jb_err get_string_param(const struct map *parameters, + const char *param_name, + const char **pparam); /* Internal actionsfile <==> HTML conversion functions */ static jb_err map_radio(struct map * exports, const char * optionname, const char * values, - char value); + int value); static jb_err actions_to_radio(struct map * exports, const struct action_spec *action); static jb_err actions_from_radio(const struct map * parameters, @@ -768,7 +793,7 @@ jb_err edit_write_file(struct editable_file * file) /* Allocate new memory for string */ len = strlen(cur_line->unprocessed); - if (NULL == (str = malloc(len + 1 + numhash))) + if (NULL == (str = malloc((size_t) len + 1 + numhash))) { /* Uh oh, just trashed file! */ fclose(fp); @@ -955,7 +980,7 @@ static void edit_free_file_lines(struct file_line * first_line) *********************************************************************/ static int match_actions_file_header_line(const char * line, const char * name) { - int len; + size_t len; assert(line); assert(name); @@ -1021,7 +1046,7 @@ static jb_err split_line_on_equals(const char * line, char ** pname, char ** pva { const char * name_end; const char * value_start; - int name_len; + size_t name_len; assert(line); assert(pname); @@ -1101,7 +1126,7 @@ static jb_err split_line_on_equals(const char * line, char ** pname, char ** pva jb_err edit_parse_actions_file(struct editable_file * file) { struct file_line * cur_line; - int len; + size_t len; const char * text; /* Text from a line */ char * name; /* For lines of the form name=value */ char * value; /* For lines of the form name=value */ @@ -1833,6 +1858,111 @@ static jb_err get_file_name_param(struct client_state *csp, } +/********************************************************************* + * + * Function : get_char_param + * + * Description : Get a single-character parameter passed to a CGI + * function. + * + * Parameters : + * 1 : parameters = map of cgi parameters + * 2 : param_name = The name of the parameter to read + * + * Returns : Uppercase character on success, '\0' on error. + * + *********************************************************************/ +static char get_char_param(const struct map *parameters, + const char *param_name) +{ + char ch; + + assert(parameters); + assert(param_name); + + ch = *(lookup(parameters, param_name)); + if ((ch >= 'a') && (ch <= 'z')) + { + ch = ch - 'a' + 'A'; + } + + return ch; +} + + +/********************************************************************* + * + * Function : get_string_param + * + * Description : Get a string paramater, to be used as an + * ACTION_STRING or ACTION_MULTI paramater. + * Validates the input to prevent stupid/malicious + * users from corrupting their action file. + * + * Parameters : + * 1 : parameters = map of cgi parameters + * 2 : param_name = The name of the parameter to read + * 3 : pparam = destination for paramater. Allocated as + * part of the map "parameters", so don't free it. + * Set to NULL if not specified. + * + * Returns : JB_ERR_OK on success, or if the paramater + * was not specified. + * JB_ERR_MEMORY on out-of-memory. + * JB_ERR_CGI_PARAMS if the paramater is not valid. + * + *********************************************************************/ +static jb_err get_string_param(const struct map *parameters, + const char *param_name, + const char **pparam) +{ + const char *param; + const char *s; + char ch; + + assert(parameters); + assert(param_name); + assert(pparam); + + *pparam = NULL; + + param = lookup(parameters, param_name); + if (!*param) + { + return JB_ERR_OK; + } + + if (strlen(param) >= CGI_ACTION_PARAM_LEN_MAX) + { + /* + * Too long. + * + * Note that the length limit is arbitrary, it just seems + * sensible to limit it to *something*. There's no + * technical reason for any limit at all. + */ + return JB_ERR_CGI_PARAMS; + } + + /* Check every character to see if it's legal */ + s = param; + while ((ch = *s++) != '\0') + { + if ( ((unsigned char)ch < (unsigned char)' ') + || (ch == '}') ) + { + /* Probable hack attempt, or user accidentally used '}'. */ + return JB_ERR_CGI_PARAMS; + } + } + + /* Success */ + *pparam = param; + + return JB_ERR_OK; +} + + /********************************************************************* * * Function : get_number_param @@ -1867,7 +1997,7 @@ static jb_err get_number_param(struct client_state *csp, assert(name); assert(pvalue); - *pvalue = -1; + *pvalue = 0; param = lookup(parameters, name); if (!*param) @@ -1906,6 +2036,7 @@ static jb_err get_number_param(struct client_state *csp, *pvalue = value; return JB_ERR_OK; + } @@ -2065,9 +2196,9 @@ static jb_err get_url_spec_param(struct client_state *csp, static jb_err map_radio(struct map * exports, const char * optionname, const char * values, - char value) + int value) { - int len; + size_t len; char * buf; char * p; char c; @@ -2095,20 +2226,13 @@ static jb_err map_radio(struct map * exports, *p = c; if (map(exports, buf, 1, "", 1)) { - free(buf); return JB_ERR_MEMORY; } } } *p = value; - if (map(exports, buf, 0, "checked", 1)) - { - free(buf); - return JB_ERR_MEMORY; - } - - return JB_ERR_OK; + return map(exports, buf, 0, "checked", 1); } @@ -2721,6 +2845,8 @@ jb_err cgi_edit_actions_for_url(struct client_state *csp, struct file_line * cur_line; unsigned line_number; jb_err err; + struct file_list *filter_file; + struct re_filterfile_spec *filter_group; if (0 == (csp->config->feature_flags & RUNTIME_FEATURE_CGI_EDIT_ACTIONS)) { @@ -2769,6 +2895,118 @@ jb_err cgi_edit_actions_for_url(struct client_state *csp, if (!err) err = actions_to_radio(exports, cur_line->data.action); + filter_file = csp->rlist; + filter_group = ((filter_file != NULL) ? filter_file->f : NULL); + + if (!err) err = map_conditional(exports, "any-filters-defined", (filter_group != NULL)); + + if (err) + { + edit_free_file(file); + free_map(exports); + return err; + } + + if (filter_group == NULL) + { + err = map(exports, "filter-params", 1, "", 1); + } + else + { + /* We have some entries in the filter list */ + char * result; + int index = 0; + char * filter_template; + + err = template_load(csp, &filter_template, "edit-actions-for-url-filter"); + if (err) + { + edit_free_file(file); + free_map(exports); + if (err == JB_ERR_FILE) + { + return cgi_error_no_template(csp, rsp, "edit-actions-for-url-filter"); + } + return err; + } + + result = strdup(""); + + for (;(!err) && (filter_group != NULL); filter_group = filter_group->next) + { + char current_mode = 'x'; + struct list_entry *filter_name; + char * this_line; + struct map *line_exports; + char number[20]; + + filter_name = cur_line->data.action->multi_add[ACTION_MULTI_FILTER]->first; + while ((filter_name != NULL) + && (0 != strcmp(filter_group->name, filter_name->str))) + { + filter_name = filter_name->next; + } + + if (filter_name != NULL) + { + current_mode = 'y'; + } + else + { + filter_name = cur_line->data.action->multi_remove[ACTION_MULTI_FILTER]->first; + while ((filter_name != NULL) + && (0 != strcmp(filter_group->name, filter_name->str))) + { + filter_name = filter_name->next; + } + if (filter_name != NULL) + { + current_mode = 'n'; + } + } + + /* Generate a unique serial number */ + snprintf(number, sizeof(number), "%x", index++); + number[sizeof(number) - 1] = '\0'; + + line_exports = new_map(); + if (line_exports == NULL) + { + err = JB_ERR_MEMORY; + freez(result); + } + else + { + if (!err) err = map(line_exports, "index", 1, number, 1); + if (!err) err = map(line_exports, "name", 1, filter_group->name, 1); + if (!err) err = map(line_exports, "description", 1, filter_group->description, 1); + if (!err) err = map_radio(line_exports, "this-filter", "ynx", current_mode); + + this_line = NULL; + if (!err) + { + this_line = strdup(filter_template); + if (this_line == NULL) err = JB_ERR_MEMORY; + } + if (!err) err = template_fill(&this_line, line_exports); + string_join(&result, this_line); + + free_map(line_exports); + } + } + if (!err) + { + err = map(exports, "filter-params", 1, result, 0); + } + else + { + freez(result); + } + } + + if (!err) err = map_radio(exports, "filter-all", "nx", + (cur_line->data.action->multi_remove_all[ACTION_MULTI_FILTER] ? 'n' : 'x')); + edit_free_file(file); if (err) @@ -2807,12 +3045,14 @@ jb_err cgi_edit_actions_submit(struct client_state *csp, unsigned sectionid; char * actiontext; char * newtext; - int len; + size_t len; struct editable_file * file; struct file_line * cur_line; unsigned line_number; char * target; jb_err err; + int index; + char ch; if (0 == (csp->config->feature_flags & RUNTIME_FEATURE_CGI_EDIT_ACTIONS)) { @@ -2857,6 +3097,71 @@ jb_err cgi_edit_actions_submit(struct client_state *csp, return err; } + ch = get_char_param(parameters, "filter_all"); + if (ch == 'N') + { + list_remove_all(cur_line->data.action->multi_add[ACTION_MULTI_FILTER]); + list_remove_all(cur_line->data.action->multi_remove[ACTION_MULTI_FILTER]); + cur_line->data.action->multi_remove_all[ACTION_MULTI_FILTER] = 1; + } + else if (ch == 'X') + { + cur_line->data.action->multi_remove_all[ACTION_MULTI_FILTER] = 0; + } + + for (index = 0; !err; index++) + { + char key_value[30]; + char key_name[30]; + const char *name; + char value; + + /* Generate the keys */ + snprintf(key_value, sizeof(key_value), "filter_r%x", index); + key_value[sizeof(key_value) - 1] = '\0'; + snprintf(key_name, sizeof(key_name), "filter_n%x", index); + key_name[sizeof(key_name) - 1] = '\0'; + + err = get_string_param(parameters, key_name, &name); + if (err) break; + + if (name == NULL) + { + /* End of list */ + break; + } + + + value = get_char_param(parameters, key_value); + if (value == 'Y') + { + list_remove_item(cur_line->data.action->multi_add[ACTION_MULTI_FILTER], name); + if (!err) err = enlist(cur_line->data.action->multi_add[ACTION_MULTI_FILTER], name); + list_remove_item(cur_line->data.action->multi_remove[ACTION_MULTI_FILTER], name); + } + else if (value == 'N') + { + list_remove_item(cur_line->data.action->multi_add[ACTION_MULTI_FILTER], name); + if (!cur_line->data.action->multi_remove_all[ACTION_MULTI_FILTER]) + { + list_remove_item(cur_line->data.action->multi_remove[ACTION_MULTI_FILTER], name); + if (!err) err = enlist(cur_line->data.action->multi_remove[ACTION_MULTI_FILTER], name); + } + } + else if (value == 'X') + { + list_remove_item(cur_line->data.action->multi_add[ACTION_MULTI_FILTER], name); + list_remove_item(cur_line->data.action->multi_remove[ACTION_MULTI_FILTER], name); + } + } + + if(err) + { + /* Out of memory */ + edit_free_file(file); + return err; + } + if (NULL == (actiontext = actions_to_text(cur_line->data.action))) { /* Out of memory */ @@ -3849,19 +4154,19 @@ jb_err cgi_toggle(struct client_state *csp, return JB_ERR_MEMORY; } - mode = *(lookup(parameters, "set")); + mode = get_char_param(parameters, "set"); - if (mode == 'e') + if (mode == 'E') { /* Enable */ g_bToggleIJB = 1; } - else if (mode == 'd') + else if (mode == 'D') { /* Disable */ g_bToggleIJB = 0; } - else if (mode == 't') + else if (mode == 'T') { /* Toggle */ g_bToggleIJB = !g_bToggleIJB; @@ -3874,7 +4179,7 @@ jb_err cgi_toggle(struct client_state *csp, return err; } - template_name = (*(lookup(parameters, "mini")) + template_name = (get_char_param(parameters, "mini") ? "toggle-mini" : "toggle"); @@ -3882,6 +4187,44 @@ jb_err cgi_toggle(struct client_state *csp, } +/********************************************************************* + * + * Function : javascriptify + * + * Description : Converts a string into a form JavaScript will like. + * + * Netscape 4's JavaScript sucks - it doesn't use + * "id" parameters, so you have to set the "name" + * used to submit a form element to something JavaScript + * will like. (Or access the elements by index in an + * array. That array contains >60 elements and will + * be changed whenever we add a new action to the + * editor, so I'm NOT going to use indexes that have + * to be figured out by hand.) + * + * Currently the only thing we have to worry about + * is "-" ==> "_" conversion. + * + * This is a length-preserving operation so it is + * carried out in-place, no memory is allocated + * or freed. + * + * Parameters : + * 1 : identifier = String to make JavaScript-friendly. + * + * Returns : N/A + * + *********************************************************************/ +static void javascriptify(char * identifier) +{ + char * p = identifier; + while (NULL != (p = strchr(p, '-'))) + { + *p++ = '_'; + } +} + + /********************************************************************* * * Function : actions_to_radio @@ -4011,44 +4354,6 @@ static jb_err actions_to_radio(struct map * exports, } -/********************************************************************* - * - * Function : javascriptify - * - * Description : Converts a string into a form JavaScript will like. - * - * Netscape 4's JavaScript sucks - it doesn't use - * "id" parameters, so you have to set the "name" - * used to submit a form element to something JavaScript - * will like. (Or access the elements by index in an - * array. That array contains >60 elements and will - * be changed whenever we add a new action to the - * editor, so I'm NOT going to use indexes that have - * to be figured out by hand.) - * - * Currently the only thing we have to worry about - * is "-" ==> "_" conversion. - * - * This is a length-preserving operation so it is - * carried out in-place, no memory is allocated - * or freed. - * - * Parameters : - * 1 : identifier = String to make JavaScript-friendly. - * - * Returns : N/A - * - *********************************************************************/ -static void javascriptify(char * identifier) -{ - char * p = identifier; - while (NULL != (p = strchr(p, '-'))) - { - *p++ = '_'; - } -} - - /********************************************************************* * * Function : actions_from_radio @@ -4067,13 +4372,14 @@ static void javascriptify(char * identifier) * *********************************************************************/ static jb_err actions_from_radio(const struct map * parameters, - struct action_spec *action) + struct action_spec *action) { static int first_time = 1; const char * param; char * param_dup; char ch; const char * js_name; + jb_err err = JB_ERR_OK; assert(parameters); assert(action); @@ -4096,8 +4402,7 @@ static jb_err actions_from_radio(const struct map * parameters, #define DEFINE_ACTION_BOOL(name, bit) \ JAVASCRIPTIFY(js_name, name); \ - param = lookup(parameters, js_name); \ - ch = ijb_toupper(param[0]); \ + ch = get_char_param(parameters, js_name); \ if (ch == 'Y') \ { \ action->add |= bit; \ @@ -4116,18 +4421,18 @@ static jb_err actions_from_radio(const struct map * parameters, #define DEFINE_ACTION_STRING(name, bit, index) \ JAVASCRIPTIFY(js_name, name); \ - param = lookup(parameters, js_name); \ - ch = ijb_toupper(param[0]); \ + ch = get_char_param(parameters, js_name); \ if (ch == 'Y') \ { \ + param = NULL; \ JAVASCRIPTIFY(js_name, name "-mode"); \ - param = lookup(parameters, js_name); \ - if ((*param == '\0') || (0 == strcmp(param, "CUSTOM"))) \ - { \ - JAVASCRIPTIFY(js_name, name "-param"); \ - param = lookup(parameters, js_name); \ + if (!err) err = get_string_param(parameters, js_name, ¶m); \ + if ((param == NULL) || (0 == strcmp(param, "CUSTOM"))) \ + { \ + JAVASCRIPTIFY(js_name, name "-param"); \ + if (!err) err = get_string_param(parameters, js_name, ¶m); \ } \ - if (*param != '\0') \ + if (param != NULL) \ { \ if (NULL == (param_dup = strdup(param))) \ { \ @@ -4160,8 +4465,7 @@ static jb_err actions_from_radio(const struct map * parameters, #define DEFINE_ACTION_MULTI(name, index) \ JAVASCRIPTIFY(js_name, name); \ - param = lookup(parameters, js_name); \ - ch = ijb_toupper((int)param[0]); \ + ch = get_char_param(parameters, js_name); \ if (ch == 'Y') \ { \ /* FIXME */ \ @@ -4191,7 +4495,7 @@ static jb_err actions_from_radio(const struct map * parameters, first_time = 0; - return JB_ERR_OK; + return err; }