summaryrefslogtreecommitdiffabout
authorLars Hjemli <hjemli@gmail.com>2011-06-12 20:49:35 (UTC)
committer Lars Hjemli <hjemli@gmail.com>2011-06-12 21:21:30 (UTC)
commit7f88d20823ad9d375900657334bc27793860f6ee (patch) (side-by-side diff)
treec9f9a0048cae2d94e97138e9ea82e2a103b215ad
parent2a8f553163d642e60092ced20631e1020581273b (diff)
downloadcgit-7f88d20823ad9d375900657334bc27793860f6ee.zip
cgit-7f88d20823ad9d375900657334bc27793860f6ee.tar.gz
cgit-7f88d20823ad9d375900657334bc27793860f6ee.tar.bz2
ui-plain.c: fix html and links generated by print_dir() and print_dir_entry()
This patch fixes the following issues: * the base argument usually isn't zero-terminated, so printing base without considering baselen will usually generate random garbage * when the current url represents a directory but doesn't end in a slash, relative urls would be incorrect * using unescaped paths allows XSS Signed-off-by: Lars Hjemli <hjemli@gmail.com>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--ui-plain.c65
1 files changed, 46 insertions, 19 deletions
diff --git a/ui-plain.c b/ui-plain.c
index 1b2b672..733db4d 100644
--- a/ui-plain.c
+++ b/ui-plain.c
@@ -43,70 +43,97 @@ static void print_object(const unsigned char *sha1, const char *path)
ctx.page.mimetype = "application/octet-stream";
else
ctx.page.mimetype = "text/plain";
}
ctx.page.filename = fmt("%s", path);
ctx.page.size = size;
ctx.page.etag = sha1_to_hex(sha1);
cgit_print_http_headers(&ctx);
html_raw(buf, size);
match = 1;
}
-static void print_dir(const unsigned char *sha1, const char *path,
- const char *base)
+static char *buildpath(const char *base, int baselen, const char *path)
{
- char *fullpath;
- if (path[0] || base[0])
- fullpath = fmt("/%s%s/", base, path);
+ if (path[0])
+ return fmt("%.*s%s/", baselen, base, path);
else
- fullpath = "/";
+ return fmt("%.*s/", baselen, base);
+}
+
+static void print_dir(const unsigned char *sha1, const char *base,
+ int baselen, const char *path)
+{
+ char *fullpath, *slash;
+ size_t len;
+
+ fullpath = buildpath(base, baselen, path);
+ slash = (fullpath[0] == '/' ? "" : "/");
ctx.page.etag = sha1_to_hex(sha1);
cgit_print_http_headers(&ctx);
- htmlf("<html><head><title>%s</title></head>\n<body>\n"
- " <h2>%s</h2>\n <ul>\n", fullpath, fullpath);
- if (path[0] || base[0])
- html(" <li><a href=\"../\">../</a></li>\n");
+ htmlf("<html><head><title>%s", slash);
+ html_txt(fullpath);
+ htmlf("</title></head>\n<body>\n<h2>%s", slash);
+ html_txt(fullpath);
+ html("</h2>\n<ul>\n");
+ len = strlen(fullpath);
+ if (len > 1) {
+ fullpath[len - 1] = 0;
+ slash = strrchr(fullpath, '/');
+ if (slash)
+ *(slash + 1) = 0;
+ else
+ fullpath = NULL;
+ html("<li>");
+ cgit_plain_link("../", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
+ fullpath);
+ html("</li>\n");
+ }
match = 2;
}
-static void print_dir_entry(const unsigned char *sha1, const char *path,
- unsigned mode)
+static void print_dir_entry(const unsigned char *sha1, const char *base,
+ int baselen, const char *path, unsigned mode)
{
- const char *sep = "";
- if (S_ISDIR(mode))
- sep = "/";
- htmlf(" <li><a href=\"%s%s\">%s%s</a></li>\n", path, sep, path, sep);
+ char *fullpath;
+
+ fullpath = buildpath(base, baselen, path);
+ if (!S_ISDIR(mode))
+ fullpath[strlen(fullpath) - 1] = 0;
+ html(" <li>");
+ cgit_plain_link(path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
+ fullpath);
+ html("</li>\n");
match = 2;
}
static void print_dir_tail(void)
{
html(" </ul>\n</body></html>\n");
}
static int walk_tree(const unsigned char *sha1, const char *base, int baselen,
const char *pathname, unsigned mode, int stage,
void *cbdata)
{
if (baselen == match_baselen) {
if (S_ISREG(mode))
print_object(sha1, pathname);
else if (S_ISDIR(mode)) {
- print_dir(sha1, pathname, base);
+ print_dir(sha1, base, baselen, pathname);
return READ_TREE_RECURSIVE;
}
}
else if (baselen > match_baselen)
- print_dir_entry(sha1, pathname, mode);
+ print_dir_entry(sha1, base, baselen, pathname, mode);
else if (S_ISDIR(mode))
return READ_TREE_RECURSIVE;
return 0;
}
static int basedir_len(const char *path)
{
char *p = strrchr(path, '/');
if (p)
return p - path + 1;
return 0;
@@ -125,22 +152,22 @@ void cgit_print_plain(struct cgit_context *ctx)
if (get_sha1(rev, sha1)) {
html_status(404, "Not found", 0);
return;
}
commit = lookup_commit_reference(sha1);
if (!commit || parse_commit(commit)) {
html_status(404, "Not found", 0);
return;
}
if (!paths[0]) {
paths[0] = "";
match_baselen = -1;
- print_dir(commit->tree->object.sha1, "", "");
+ print_dir(commit->tree->object.sha1, "", 0, "");
}
else
match_baselen = basedir_len(paths[0]);
read_tree_recursive(commit->tree, "", 0, 0, paths, walk_tree, NULL);
if (!match)
html_status(404, "Not found", 0);
else if (match == 2)
print_dir_tail();
}