Overview
Comment: Make style_set_base_href_suffix() safe for misuse:
if the resulting suffix contains unescaped quotes then escape them.
$base_href_suffix is intended for interpolation inside
of the quoted href attribute. This check-in should address the case
when a user of a malfunctioning browser (which mishandles quoting)
is tricked by an adversary into visiting a specially crafted hyperlink.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | base-href-fix
Files: files | file ages | folders
SHA3-256: d97752f30b40a495de6f7954b58ec64e
User & Date: george 2022-02-14 22:43:26
Context
2022-02-14
23:06 Do not export g.zRelReqURI to TH1 interpreter because getParameter proc can retrieve PATH_INFO and QUERY_STRING. Instead export g.zPath (as $webpagename) since that is typically needed in the TH1 headers/footers of custom skins. ... (check-in: ff4c7ed6 user: george tags: base-href-fix)
22:43 Make style_set_base_href_suffix() safe for misuse: if the resulting suffix contains unescaped quotes then escape them. $base_href_suffix is intended for interpolation inside of the quoted href attribute. This check-in should address the case when a user of a malfunctioning browser (which mishandles quoting) is tricked by an adversary into visiting a specially crafted hyperlink. ... (check-in: d97752f3 user: george tags: base-href-fix)
2022-02-13
17:54 Rename variable g.zUrlSuffix to g.zRelReqURI (Relative Request URI). Provide it to TH1 interpreter as $relrequri. ... (check-in: 05e3fa76 user: george tags: base-href-fix)
Changes
Changes to src/encode.c.
203 204 205 206 207 208 209 210 211 212 213 214 215 216 | ** characters are encoded as "%HH" where HH is a two-digit hexidecimal ** representation of the character. The "/" character is not encoded ** by this routine. */ char *urlize(const char *z, int n){ return EncodeHttp(z, n, 0); } /* ** Convert a single HEX digit to an integer */ static int AsciiToHex(int c){ if( c>='a' && c<='f' ){ c += 10 - 'a'; | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 | ** characters are encoded as "%HH" where HH is a two-digit hexidecimal ** representation of the character. The "/" character is not encoded ** by this routine. */ char *urlize(const char *z, int n){ return EncodeHttp(z, n, 0); } /* ** If input string does not contain quotes (niether ' nor ") ** then return the argument itself. Otherwise return a newly allocated ** copy of input with all quotes %-escaped. */ const char* escape_quotes(const char *zIn){ char *zRet, *zOut; size_t i, n = 0; for(i=0; zIn[i]; i++){ if( zIn[i]== '"' || zIn[i]== '\'' ) n++; } if( !n ) return zIn; zRet = zOut = fossil_malloc( i + 2*n + 1 ); for(i=0; zIn[i]; i++){ if( zIn[i]=='"' ){ *(zOut++) = '%'; *(zOut++) = '2'; *(zOut++) = '2'; }else if( zIn[i]=='\'' ){ *(zOut++) = '%'; *(zOut++) = '2'; *(zOut++) = '7'; }else{ *(zOut++) = zIn[i]; } } *zOut = 0; return zRet; } /* ** Convert a single HEX digit to an integer */ static int AsciiToHex(int c){ if( c>='a' && c<='f' ){ c += 10 - 'a'; |
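Review bot: the ownership contract of escape_quotes() is easy to misuse: when the input has no quote it hands back the caller's own pointer, otherwise a fresh fossil_malloc() buffer, and the const char* return type hides which case applies, so every caller must repeat the pointer comparison that style.c does (`if( local_zBaseHrefSuffix!=z ) fossil_free( z );`) or it will leak on one path and double-free on the other. Either always return a fresh copy (one small allocation per page is negligible for a URL suffix) or state the must-compare-pointers rule in the header comment. Minor points in the same hunk: the comment misspells "neither" as "niether", and the size `i + 2*n + 1` silently relies on i holding strlen(zIn) after the counting loop; a short comment there would save the next reader a recount. Also worth stating in the comment: %22/%27 make the value safe inside a quoted href, but `&`, `<` and `>` are still passed through, so the interpolation site must remain an otherwise properly quoted attribute.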
Changes to src/style.c.
406 407 408 409 410 411 412 | va_end(ap); } } /* Use this for the $base_href_suffix variable if it is not NULL. ** If it is NULL then use g.zRelReqURI */ | | | > > | > > | 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 | va_end(ap); } } /* Use this for the $base_href_suffix variable if it is not NULL. ** If it is NULL then use g.zRelReqURI */ static const char *local_zBaseHrefSuffix = 0; /* ** Set the desired $base_href_suffix to something other than g.zRelReqURI */ void style_set_base_href_suffix(const char *zFormat, ...){ fossil_free( (char*)local_zBaseHrefSuffix ); if( zFormat==0 ){ local_zBaseHrefSuffix = 0; }else{ char *z; va_list ap; va_start(ap, zFormat); z = vmprintf(zFormat, ap); va_end(ap); local_zBaseHrefSuffix = escape_quotes( z ); if( local_zBaseHrefSuffix!=z ) fossil_free( z ); } } /* ** Create a TH1 variable containing the URL for the stylesheet. ** ** The name of the new variable will be "stylesheet_url". |
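Review bot: the escaping only covers values set through style_set_base_href_suffix(); the NULL fallback to g.zRelReqURI described in the comment at the top of the hunk ("If it is NULL then use g.zRelReqURI") still reaches $base_href_suffix without passing through escape_quotes(), so either route that fallback through escape_quotes() at the point of use as well, or note in the comment why g.zRelReqURI is already guaranteed quote-free. Minor: `fossil_free( (char*)local_zBaseHrefSuffix )` casts away const only because escape_quotes() returns const char*; keeping local_zBaseHrefSuffix as char* and casting once at `local_zBaseHrefSuffix = escape_quotes( z );` would confine the cast to the single line where ownership is decided.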