
Check-in [d97752f3]


Overview
Comment:Make style_set_base_href_suffix() safe against misuse: if the resulting suffix contains unescaped quotes, escape them. $base_href_suffix is intended for interpolation inside the quoted href attribute. This check-in should address the case where a user of a malfunctioning browser (one that mishandles quoting) is tricked by an adversary into visiting a specially crafted hyperlink.
SHA3-256: d97752f30b40a495de6f7954b58ec64e1454e55f354ff6fd6e0369beeb679044
User & Date: george 2022-02-14 22:43:26
Context
2022-02-14
23:06
Do not export g.zRelReqURI to TH1 interpreter because getParameter proc can retrieve PATH_INFO and QUERY_STRING. Instead export g.zPath (as $webpagename) since that is typically needed in the TH1 headers/footers of custom skins. ... (check-in: ff4c7ed6 user: george tags: base-href-fix)
22:43
Make style_set_base_href_suffix() safe for misuse: if the resulting suffix contains unescaped quotes then escape them. $base_href_suffix is intended for interpolation inside of the quoted href attribute. This check-in should address the case when a user of malfunctioning browser (which mishandles quoting) is tricked by an adversary to visit a specially crafted hyperlink. ... (check-in: d97752f3 user: george tags: base-href-fix)
2022-02-13
17:54
Rename variable g.zUrlSuffix to g.zRelReqURI (Relative Request URI). Provide it to TH1 interpreter as $relrequri. ... (check-in: 05e3fa76 user: george tags: base-href-fix)
Changes

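--- a/src/encode.c
+++ b/src/encode.c
@@ -203,14 +203,44 @@
 ** characters are encoded as "%HH" where HH is a two-digit hexidecimal
 ** representation of the character.  The "/" character is not encoded
 ** by this routine.
 */
 char *urlize(const char *z, int n){
   return EncodeHttp(z, n, 0);
 }
+
+/*
+** If input string does not contain quotes (niether ' nor ")
+** then return the argument itself. Otherwise return a newly allocated
+** copy of input with all quotes %-escaped.
+*/
+const char* escape_quotes(const char *zIn){
+  char *zRet, *zOut;
+  size_t i, n = 0;
+  for(i=0; zIn[i]; i++){
+    if( zIn[i]== '"' || zIn[i]== '\'' ) n++;
+  }
+  if( !n ) return zIn;
+  zRet = zOut = fossil_malloc( i + 2*n + 1 );
+  for(i=0; zIn[i]; i++){
+    if( zIn[i]=='"' ){
+      *(zOut++) = '%';
+      *(zOut++) = '2';
+      *(zOut++) = '2';
+    }else if( zIn[i]=='\'' ){
+      *(zOut++) = '%';
+      *(zOut++) = '2';
+      *(zOut++) = '7';
+    }else{
+      *(zOut++) = zIn[i];
+    }
+  }
+  *zOut = 0;
+  return zRet;
+}
 
 /*
 ** Convert a single HEX digit to an integer
 */
 static int AsciiToHex(int c){
   if( c>='a' && c<='f' ){
     c += 10 - 'a';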
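Review bot: escape_quotes() returns either its argument or a fresh fossil_malloc() buffer, so a caller can only tell whether to free the result by comparing pointers, and the `const char*` return type hides that the second case transfers ownership. The header comment should state that contract, e.g. `** The caller must fossil_free() the result if and only if it differs from zIn.`, or the function could always return an allocated copy so the result can be freed unconditionally. The first loop also reads `zIn[i]` with no NULL check, so either document that zIn must be non-NULL or return early on `zIn==0`. Only `'` and `"` are rewritten, while `%`, `<`, `>` and `&` pass through unchanged, so the comment should also say the result is meant only for use inside a quoted attribute value and is not a general URL or HTML encoding.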

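--- a/src/style.c
+++ b/src/style.c
@@ -406,28 +406,32 @@
     va_end(ap);
   }
 }
 
 /* Use this for the $base_href_suffix variable if it is not NULL.
 ** If it is NULL then use g.zRelReqURI
 */
-static char *local_zBaseHrefSuffix = 0;
+static const char *local_zBaseHrefSuffix = 0;
 
 /*
 ** Set the desired $base_href_suffix to something other than g.zRelReqURI
 */
 void style_set_base_href_suffix(const char *zFormat, ...){
-  fossil_free(local_zBaseHrefSuffix);
+  fossil_free( (char*)local_zBaseHrefSuffix );
   if( zFormat==0 ){
     local_zBaseHrefSuffix = 0;
   }else{
+    char *z;
     va_list ap;
+
     va_start(ap, zFormat);
-    local_zBaseHrefSuffix = vmprintf(zFormat, ap);
+    z = vmprintf(zFormat, ap);
     va_end(ap);
+    local_zBaseHrefSuffix = escape_quotes( z );
+    if( local_zBaseHrefSuffix!=z ) fossil_free( z );
   }
 }
 
 /*
 ** Create a TH1 variable containing the URL for the stylesheet.
 **
 ** The name of the new variable will be "stylesheet_url".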
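Review bot: The escaping added at `local_zBaseHrefSuffix = escape_quotes( z );` only covers values installed through style_set_base_href_suffix(). The comment above the static says that g.zRelReqURI is used for $base_href_suffix when it is NULL, and nothing in this section shows that fallback being quote-escaped. Since that value presumably derives from the request URI, it is worth confirming that the code which exports the TH1 variable applies the same escaping on the fallback path, otherwise the hardening described in the check-in comment is only partial. A comment on the static would make the invariant explicit, e.g. `/* Always stored with ' and " %-escaped; the g.zRelReqURI fallback must be escaped where it is exported */`.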