[Fedora-directory-commits] dsgw doauth.c, 1.5, 1.6 newentry.c, 1.5, 1.6

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Thu Jun 12 14:01:35 UTC 2008


Author: rmeggins

Update of /cvs/dirsec/dsgw
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13576/dsgw

Modified Files:
	doauth.c newentry.c 
Log Message:
Resolves: bug 450971
Bug Description: Continue after auth for new entry does not work
Reviewed by: nkinder (Thanks!)
Fix Description: I had previously changed the way authdesturl worked.  I wanted to disallow the user from passing in a full URL with host and port because that could lead to XSS attacks.  So I introduced authdestdn which just contained the DN of the entry to edit.  However, in doing that, I broke new entry creation, because that needs to know what type of entry to create - it cannot guess from the DN or existing entry.  Since authdesturl already has that info, I just make sure I strip off everything before the '?' so as to avoid those types of problems.  I also changed the URL by default to not have the http:, host, port, etc. - just the name of the command followed by the arguments.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no



Index: doauth.c
===================================================================
RCS file: /cvs/dirsec/dsgw/doauth.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- doauth.c	6 Mar 2008 22:00:09 -0000	1.5
+++ doauth.c	12 Jun 2008 14:01:33 -0000	1.6
@@ -197,10 +197,22 @@
 	    "<!-- Hide from non-JavaScript browsers\n" );
 
 	if ( authdesturl != NULL && strlen( authdesturl ) > 0 ) {
-	    char *authdestdn = dsgw_get_cgi_var( "authdestdn", DSGW_CGIVAR_OPTIONAL );
-	    dsgw_emitf( "var authdesturl='%s?context=%s&dn=%s';\n",
-			dsgw_getvp( DSGW_CGINUM_EDIT ), context,
-			authdestdn ? authdestdn : "" );
+	    /* strip off everything before the ? in authdesturl */
+	    char *theargs = strchr(authdesturl, '?');
+	    if (NULL == theargs) {
+		/* see if we have an authdestdn */
+		char *authdestdn = dsgw_get_cgi_var( "authdestdn", DSGW_CGIVAR_OPTIONAL );
+		if (authdestdn) {
+		    dsgw_emitf( "var authdesturl='%s?context=%s&dn=%s';\n",
+				DSGW_CGINAME_EDIT, context, authdestdn );
+		} else {
+		    dsgw_emitf( "var authdesturl=null;\n" ); /* bogus url */
+		}
+	    } else {
+		theargs++; /* skip the '?' character */
+		dsgw_emitf( "var authdesturl='%s?%s';\n",
+			    DSGW_CGINAME_EDIT, theargs );
+	    }
 	} else {
 	    dsgw_emitf( "var authdesturl=null;\n" );
 	}
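Review bot: the `else` branch of the new block (`theargs++` followed by `dsgw_emitf( "var authdesturl='%s?%s';\n", DSGW_CGINAME_EDIT, theargs )`) still writes a client-supplied string straight into a single-quoted JavaScript literal. Stripping everything before the '?' removes the host and port, but a `'`, a backslash or a `</script>` sequence left in the query string would still terminate the literal or the script element, and the same applies to `authdestdn` in the first branch (the replaced code had that exposure too). Suggest passing `theargs` and `authdestdn` through an escaping helper for the JavaScript string context, or rejecting anything outside the characters a query string legitimately needs, before each `dsgw_emitf` call. Minor: the `/* bogus url */` comment beside `var authdesturl=null;` reads as though null were the bogus value; something like `/* no usable destination */` says what is meant.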


Index: newentry.c
===================================================================
RCS file: /cvs/dirsec/dsgw/newentry.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- newentry.c	20 Mar 2008 02:18:39 -0000	1.5
+++ newentry.c	12 Jun 2008 14:01:33 -0000	1.6
@@ -271,7 +271,7 @@
     free(dn);
 		     
     newurl = PR_smprintf(DSGW_URLPREFIX_CGI_HTTP "%s?tmplname=%s&context=%s&ADD=1&dn=%s",
-			 dsgw_getvp( DSGW_CGINUM_EDIT ), entryType, context, edn);
+			 DSGW_CGINAME_EDIT, entryType, context, edn);
     free(edn);
 
     return newurl;
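Review bot: the `PR_smprintf` format still begins with `DSGW_URLPREFIX_CGI_HTTP`, while the log message says the URL no longer carries `http:`, host and port; please confirm this prefix is the relative one intended, otherwise `newurl` and the `authdesturl` emitted in doauth.c will differ in form. Also, `entryType` and `context` are interpolated into the query string alongside `edn`; `edn` appears to be the escaped form of `dn` (both are freed separately), but nothing in the hunk shows the other two being URL-encoded, so confirm they are validated or encoded before they reach this format string.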
@@ -329,7 +329,7 @@
 static void
 post_request()
 {
-    char* newurl = compute_newurl();
+    char *newurl = compute_newurl();
     if (client_is_authenticated()) {
 	/* Direct the client to GET newurl */
 	dsgw_emits( "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\n" );
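Review bot: this hunk is whitespace-only (`char*` to `char *`) and unrelated to bug 450971; harmless, but cosmetic changes are easier to review in a separate commit. While here: `compute_newurl()` returns the result of `PR_smprintf`, which is NULL on allocation failure, and `newurl` is taken into the `client_is_authenticated()` branch without a check; a short `if (newurl == NULL)` guard before the branch would avoid using a NULL pointer further down.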