crtxcr
/
cgitsb
1
0
Fork 0
Código Issues Pull requests Versões Wiki Atividade

ui-plain.c: fix html and links generated by print_dir() and print_dir_entry() 

This patch fixes the following issues:
* the base argument usually isn't zero-terminated, so printing base
  without considering baselen will usually generate random garbage
* when the current url represents a directory but doesn't end in a slash,
  relative urls would be incorrect
* using unescaped paths allows XSS

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
Esse commit está contido em:
Lars Hjemli 2011-06-12 20:49:35 +00:00
pai 2a8f553163
commit 7f88d20823
1 arquivos alterados com 46 adições e 19 exclusões
Mostrar estatísticas Baixar arquivo de patch Baixar arquivo de diferenças Expandir todos os arquivos Colapsar todos os arquivos

65
ui-plain.c
Ver arquivo

@ -52,30 +52,57 @@ static void print_object(const unsigned char *sha1, const char *path)
match = 1; match = 1;
} }
static void print_dir(const unsigned char *sha1, const char *path, static char *buildpath(const char *base, int baselen, const char *path)
const char *base)
{ {
char *fullpath; if (path[0])
if (path[0] || base[0]) return fmt("%.*s%s/", baselen, base, path);
fullpath = fmt("/%s%s/", base, path);
else else
fullpath = "/"; return fmt("%.*s/", baselen, base);
}
static void print_dir(const unsigned char *sha1, const char *base,
int baselen, const char *path)
{
char *fullpath, *slash;
size_t len;
fullpath = buildpath(base, baselen, path);
slash = (fullpath[0] == '/' ? "" : "/");
ctx.page.etag = sha1_to_hex(sha1); ctx.page.etag = sha1_to_hex(sha1);
cgit_print_http_headers(&ctx); cgit_print_http_headers(&ctx);
htmlf("<html><head><title>%s</title></head>\n<body>\n" htmlf("<html><head><title>%s", slash);
" <h2>%s</h2>\n <ul>\n", fullpath, fullpath); html_txt(fullpath);
if (path[0] || base[0]) htmlf("</title></head>\n<body>\n<h2>%s", slash);
html(" <li><a href=\"../\">../</a></li>\n"); html_txt(fullpath);
html("</h2>\n<ul>\n");
len = strlen(fullpath);
if (len > 1) {
fullpath[len - 1] = 0;
slash = strrchr(fullpath, '/');
if (slash)
*(slash + 1) = 0;
else
fullpath = NULL;
html("<li>");
cgit_plain_link("../", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
fullpath);
html("</li>\n");
}
match = 2; match = 2;
} }
static void print_dir_entry(const unsigned char *sha1, const char *path, static void print_dir_entry(const unsigned char *sha1, const char *base,
unsigned mode) int baselen, const char *path, unsigned mode)
{ {
const char *sep = ""; char *fullpath;
if (S_ISDIR(mode))
sep = "/"; fullpath = buildpath(base, baselen, path);
htmlf(" <li><a href=\"%s%s\">%s%s</a></li>\n", path, sep, path, sep); if (!S_ISDIR(mode))
fullpath[strlen(fullpath) - 1] = 0;
html(" <li>");
cgit_plain_link(path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
fullpath);
html("</li>\n");
match = 2; match = 2;
} }
@ -92,12 +119,12 @@ static int walk_tree(const unsigned char *sha1, const char *base, int baselen,
if (S_ISREG(mode)) if (S_ISREG(mode))
print_object(sha1, pathname); print_object(sha1, pathname);
else if (S_ISDIR(mode)) { else if (S_ISDIR(mode)) {
print_dir(sha1, pathname, base); print_dir(sha1, base, baselen, pathname);
return READ_TREE_RECURSIVE; return READ_TREE_RECURSIVE;
} }
} }
else if (baselen > match_baselen) else if (baselen > match_baselen)
print_dir_entry(sha1, pathname, mode); print_dir_entry(sha1, base, baselen, pathname, mode);
else if (S_ISDIR(mode)) else if (S_ISDIR(mode))
return READ_TREE_RECURSIVE; return READ_TREE_RECURSIVE;
@ -134,7 +161,7 @@ void cgit_print_plain(struct cgit_context *ctx)
if (!paths[0]) { if (!paths[0]) {
paths[0] = ""; paths[0] = "";
match_baselen = -1; match_baselen = -1;
print_dir(commit->tree->object.sha1, "", ""); print_dir(commit->tree->object.sha1, "", 0, "");
} }
else else
match_baselen = basedir_len(paths[0]); match_baselen = basedir_len(paths[0]);