[Fedora-directory-commits] dsgw dbtdsgw.h, 1.1.1.1, 1.2 dnedit.c, 1.3, 1.4 domodify.c, 1.2, 1.3 dsgw.h, 1.6, 1.7 dsgwutil.c, 1.8, 1.9 edit.c, 1.3, 1.4 entrydisplay.c, 1.5, 1.6 htmlout.c, 1.2, 1.3 ldaputil.c, 1.2, 1.3
Richard Allen Megginson (rmeggins)
fedora-directory-commits at redhat.com
Tue Feb 19 15:20:23 UTC 2008
- Previous message (by thread): [Fedora-directory-commits] dsgw/tests/dnedit - New directory
- Next message (by thread): [Fedora-directory-commits] dsgw/tests/csearch testpost.1, NONE, 1.1 testpost.10, NONE, 1.1 testpost.11, NONE, 1.1 testpost.12, NONE, 1.1 testpost.13, NONE, 1.1 testpost.14, NONE, 1.1 testpost.15, NONE, 1.1 testpost.2, NONE, 1.1 testpost.3, NONE, 1.1 testpost.4, NONE, 1.1 testpost.5, NONE, 1.1 testpost.6, NONE, 1.1 testpost.7, NONE, 1.1 testpost.8, NONE, 1.1 testpost.9, NONE, 1.1
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: rmeggins
Update of /cvs/dirsec/dsgw
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23811/dsgw
Modified Files:
dbtdsgw.h dnedit.c domodify.c dsgw.h dsgwutil.c edit.c
entrydisplay.c htmlout.c ldaputil.c
Log Message:
1) The old code used a CGI variable called completion_javascript - this variable contained arbitrary javascript code that was eval'd on in the client browser. I have removed this code and put it in the resource file. The dsgw code will set completion_javascript to one of the 3 keywords, and the new function emit_completion_javascript will look up the code in the resource file and output it with any required arguments. It just seems like a really bad idea to execute arbitrary blobs of javascript passed in a CGI argument.
2) Make the checking for the template file names stricter.
3) Added many new tests.
4) When removing unused or duplicate LDAP Mods, if we remove the last one, just free the entire array.
Index: dbtdsgw.h
===================================================================
RCS file: /cvs/dirsec/dsgw/dbtdsgw.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- dbtdsgw.h 1 Jun 2006 19:43:40 -0000 1.1.1.1
+++ dbtdsgw.h 19 Feb 2008 15:20:21 -0000 1.2
@@ -464,5 +464,20 @@
ResDef( DBT_missingArgumentForOrgChartSearchAttr_ , 413, "Missing argument for \"orgchart-attrib-farleft-rdn\" directive\n" )/*extracted from config.c*/
ResDef( DBT_theCharsetIsNotSupported , 414, "The charset is not supported\n" )
ResDef( DBT_invalidTemplateVarLen, 415, "The string length %d of template variable \"%s\" is too long\n" )
+ ResDef( DBT_completionJavascriptAdd, 416, "parent.updateList(parent.controlFrame.document.searchForm.faMode.value, parent.dnlist, parent.stagingFrame.dnlist, parent.outputFrame);parent.controlFrame.document.searchForm.faMode.value=\"add\";" )
+ ResDef( DBT_completionJavascriptStd, 417,
+ "if (dsmodify_dn.length == 0) "
+ "document.writeln( \\'<FONT SIZE=+1>\\' + dsmodify_info +"
+ " \\'</FONT>\\' );"
+ " else "
+ "parent.document.location.href=\\'edit?tmplname=%s"
+ "&context=%s&dn=\\' + dsmodify_dn + \\'&info=\\' + escape(dsmodify_info)\n"
+ )
+ ResDef( DBT_completionJavascriptCu, 418,
+ "var comp_js = 'var cu=\\\\\\\'edit?context=%s&dn=%s\\\\\\\'; this.document.location.href=cu;'\n"
+ )
+ ResDef( DBT_unknownValueForCompletionJavascript, 419,
+ "Invalid value '%s' for variable completion_javascript" )
+
END_STR(dsgw)
Index: dnedit.c
===================================================================
RCS file: /cvs/dirsec/dsgw/dnedit.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- dnedit.c 15 Jan 2008 18:23:43 -0000 1.3
+++ dnedit.c 19 Feb 2008 15:20:21 -0000 1.4
@@ -115,8 +115,10 @@
*
* Moral of the story - next time someone asks you to write C code which
* writes JavaScript code which writes JavaScript code... just say "no".
+ *
+ * I feel your pain, so I have removed the pain.
*/
- "var comp_js = 'var cu=\\\\\\\'%s?context=%s&dn=%s\\\\\\\'; this.document.location.href=cu;'\n",
+ "var comp_js = 'CU'\n",
dsgw_getvp( DSGW_CGINUM_EDIT ), context, edn );
dsgw_emits("var dnlist = new Array;\n" );
for ( i = 0; attrvals && attrvals[ i ] != NULL; i++ ) {
@@ -403,3 +405,11 @@
"</HTML>\n" );
return 0;
}
+
+/*
+ emacs settings
+ Local Variables:
+ indent-tabs-mode: t
+ tab-width: 8
+ End:
+*/
Index: domodify.c
===================================================================
RCS file: /cvs/dirsec/dsgw/domodify.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- domodify.c 28 Jan 2008 21:22:47 -0000 1.2
+++ domodify.c 19 Feb 2008 15:20:21 -0000 1.3
@@ -348,8 +348,10 @@
dsgw_emitf( "dsmodify_dn = '%s';\n",
( changetype == DSGW_CHANGETYPE_DELETE ) ? "":
encodeddn );
- dsgw_emitf( "eval('%s');\n", jscomp );
dsgw_emits( "</SCRIPT>\n" );
+ dsgw_emit_completion_javascript(jscomp,
+ ( changetype == DSGW_CHANGETYPE_DELETE ) ? "":
+ encodeddn );
}
} else {
jscomp = NULL;
@@ -468,6 +470,11 @@
if ( pmods != NULL ) {
remove_modifyops( pmods, attr );
+ if (!pmods[0]) {
+ /* removed the last one, so just free all of them */
+ free(pmods);
+ pmods = NULL;
+ }
}
}
}
Index: dsgw.h
===================================================================
RCS file: /cvs/dirsec/dsgw/dsgw.h,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- dsgw.h 31 Jan 2008 03:03:33 -0000 1.6
+++ dsgw.h 19 Feb 2008 15:20:21 -0000 1.7
@@ -793,6 +793,8 @@
char *dsgw_get_auth_cookie();
void dsgw_emit_helpbutton( char *topic );
void dsgw_emit_homebutton();
+void dsgw_emit_completion_javascript( const char *key_str, const char *dn );
+
char *dsgw_build_urlprefix();
void dsgw_init_searchprefs( struct ldap_searchobj **solistp );
void dsgw_addtemplate( dsgwtmpl **tlpp, char *template, int count,
@@ -827,7 +829,7 @@
unsigned long options );
void dsgw_display_entry( dsgwtmplinfo *tip, LDAP *ld, LDAPMessage *entry,
LDAPMessage *attrsonly_entry, char *dn );
-void dsgw_display_done( dsgwtmplinfo *tip );
+void dsgw_display_done( dsgwtmplinfo *tip, char *dn );
char *dsgw_mls_convertlines( char *val, char *sep, int *linesp, int emitlines,
int quote_html_specials );
void dsgw_set_searchdesc( dsgwtmplinfo *tip, char*, char*, char*);
Index: dsgwutil.c
===================================================================
RCS file: /cvs/dirsec/dsgw/dsgwutil.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- dsgwutil.c 1 Feb 2008 17:04:22 -0000 1.8
+++ dsgwutil.c 19 Feb 2008 15:20:21 -0000 1.9
@@ -262,8 +262,7 @@
char *path, *pattern;
int len;
- if ( strstr( filename, "//" ) != NULL ||
- strstr( filename, ".." ) != NULL ) {
+ if ( !dsgw_valid_docname(filename) ) {
dsgw_error( DSGW_ERR_BADFILEPATH, filename, DSGW_ERROPT_EXIT, 0, NULL );
}
Index: edit.c
===================================================================
RCS file: /cvs/dirsec/dsgw/edit.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- edit.c 28 Jan 2008 21:22:47 -0000 1.3
+++ edit.c 19 Feb 2008 15:20:21 -0000 1.4
@@ -233,7 +233,7 @@
tip = dsgw_display_init( DSGW_TMPLTYPE_DISPLAY, tmplname, options );
dsgw_display_entry( tip, ld, NULL, NULL, dn );
- dsgw_display_done( tip );
+ dsgw_display_done( tip, dn );
}
}
Index: entrydisplay.c
===================================================================
RCS file: /cvs/dirsec/dsgw/entrydisplay.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- entrydisplay.c 1 Feb 2008 17:04:22 -0000 1.5
+++ entrydisplay.c 19 Feb 2008 15:20:21 -0000 1.6
@@ -681,7 +681,7 @@
void
-dsgw_display_done( dsgwtmplinfo *tip )
+dsgw_display_done( dsgwtmplinfo *tip, char *dn )
{
char line[ BIG_LINE ], *jscomp;
@@ -700,6 +700,7 @@
jscomp = dsgw_get_cgi_var( "completion_javascript",
DSGW_CGIVAR_OPTIONAL );
if ( jscomp != NULL ) {
+ dsgw_emit_completion_javascript(jscomp, dn ? dn : "");
dsgw_emits( "<SCRIPT LANGUAGE=\"JavaScript\">\n" );
dsgw_emitf( "eval('%s');\n", jscomp );
dsgw_emits( "</SCRIPT>\n" );
@@ -2853,14 +2854,10 @@
{
if ( template != NULL ) {
dsgw_emitf(
- "<INPUT TYPE=\"hidden\" NAME=\"completion_javascript\" VALUE=\""
- "if (dsmodify_dn.length == 0) "
- "document.writeln( \\'<FONT SIZE=+1>\\' + dsmodify_info +"
- " \\'</FONT>\\' );"
- " else "
- "parent.document.location.href=\\'%s?tmplname=%s"
- "&context=%s&dn=\\' + dsmodify_dn + \\'&info=\\' + escape(dsmodify_info)\">\n",
- dsgw_getvp( DSGW_CGINUM_EDIT ), template, context );
+ "<INPUT TYPE=\"hidden\" NAME=\"compjs_tmplname\" VALUE=\"%s\">\n",
+ template);
+ dsgw_emits(
+ "<INPUT TYPE=\"hidden\" NAME=\"completion_javascript\" VALUE=\"STD\">\n");
}
}
Index: htmlout.c
===================================================================
RCS file: /cvs/dirsec/dsgw/htmlout.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- htmlout.c 14 Jan 2008 22:58:30 -0000 1.2
+++ htmlout.c 19 Feb 2008 15:20:21 -0000 1.3
@@ -458,6 +458,62 @@
dsgw_emits ( "document.confirmForm.submit();\n");
}
+void
+dsgw_emit_completion_javascript(
+ const char *key_str,
+ const char *dn
+)
+{
+ char *tmplname = NULL;
+ char *context = dsgw_get_cgi_var("context", DSGW_CGIVAR_OPTIONAL);
+ int key;
+ char *msg = NULL;
+
+ if (!key_str) {
+ return;
+ }
+
+ if (!strcasecmp(key_str, "ADD")) {
+ key = DBT_completionJavascriptAdd;
+ } else if (!strcasecmp(key_str, "STD")) {
+ key = DBT_completionJavascriptStd;
+ } else if (!strcasecmp(key_str, "CU")) {
+ key = DBT_completionJavascriptCu;
+ } else {
+ char *fmt = XP_GetClientStr(DBT_unknownValueForCompletionJavascript);
+ msg = PR_smprintf(fmt, key_str);
+ dsgw_error( DSGW_ERR_BADFORMDATA, msg, DSGW_ERROPT_EXIT, 0, NULL );
+ return;
+ }
+
+ msg = XP_GetClientStr(key);
+
+ dsgw_emits( "<SCRIPT LANGUAGE=\"JavaScript\">\n" );
+ switch (key) {
+ case DBT_completionJavascriptAdd:
+ dsgw_emits(msg);
+ break;
+ case DBT_completionJavascriptStd:
+ tmplname = dsgw_get_cgi_var("compjs_tmplname", DSGW_CGIVAR_REQUIRED);
+ if (!dsgw_valid_docname(tmplname)) {
+ dsgw_error( DSGW_ERR_BADFILEPATH, tmplname,
+ DSGW_ERROPT_EXIT, 0, NULL );
+ } else {
+ dsgw_emitf(msg, tmplname, context);
+ }
+ break;
+ case DBT_completionJavascriptCu:
+ dsgw_emitf(msg, context, dn);
+ break;
+ default:
+ /* error unknown key %d for completion javascript handling */
+ break;
+ }
+ dsgw_emits( "</SCRIPT>\n" );
+
+ return;
+}
+
/*
emacs settings
Local Variables:
Index: ldaputil.c
===================================================================
RCS file: /cvs/dirsec/dsgw/ldaputil.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- ldaputil.c 28 Jan 2008 21:22:47 -0000 1.2
+++ ldaputil.c 19 Feb 2008 15:20:21 -0000 1.3
@@ -793,7 +793,7 @@
}
}
- dsgw_display_done( tip );
+ dsgw_display_done( tip, NULL );
}
@@ -930,7 +930,7 @@
} else {
/* use template to create a nicely formatted display */
dsgw_display_entry( tip, ld, entry, aoentry, NULL );
- dsgw_display_done( tip );
+ dsgw_display_done( tip, dn );
}
if ( attr0 != NULL ) {
- Previous message (by thread): [Fedora-directory-commits] dsgw/tests/dnedit - New directory
- Next message (by thread): [Fedora-directory-commits] dsgw/tests/csearch testpost.1, NONE, 1.1 testpost.10, NONE, 1.1 testpost.11, NONE, 1.1 testpost.12, NONE, 1.1 testpost.13, NONE, 1.1 testpost.14, NONE, 1.1 testpost.15, NONE, 1.1 testpost.2, NONE, 1.1 testpost.3, NONE, 1.1 testpost.4, NONE, 1.1 testpost.5, NONE, 1.1 testpost.6, NONE, 1.1 testpost.7, NONE, 1.1 testpost.8, NONE, 1.1 testpost.9, NONE, 1.1
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the Fedora-directory-commits
mailing list