author | Lars Hjemli <hjemli@gmail.com> | 2011-06-12 20:49:35 (UTC) |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2011-06-12 21:21:30 (UTC) |
commit | 7f88d20823ad9d375900657334bc27793860f6ee (patch) (side-by-side diff) | |
tree | c9f9a0048cae2d94e97138e9ea82e2a103b215ad | |
parent | 2a8f553163d642e60092ced20631e1020581273b (diff) | |
ui-plain.c: fix html and links generated by print_dir() and print_dir_entry()
This patch fixes the following issues:
* the base argument usually isn't zero-terminated, so printing base
without considering baselen will usually generate random garbage
* when the current url represents a directory but doesn't end in a slash,
relative urls would be incorrect
* using unescaped paths allows XSS
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | ui-plain.c | 65 |
1 files changed, 46 insertions, 19 deletions
@@ -7,140 +7,167 @@
 */ #include "cgit.h" #include "html.h" #include "ui-shared.h" int match_baselen; int match; static void print_object(const unsigned char *sha1, const char *path) { enum object_type type; char *buf, *ext; unsigned long size; struct string_list_item *mime; type = sha1_object_info(sha1, &size); if (type == OBJ_BAD) { html_status(404, "Not found", 0); return; } buf = read_sha1_file(sha1, &type, &size); if (!buf) { html_status(404, "Not found", 0); return; } ctx.page.mimetype = NULL; ext = strrchr(path, '.'); if (ext && *(++ext)) { mime = string_list_lookup(&ctx.cfg.mimetypes, ext); if (mime) ctx.page.mimetype = (char *)mime->util; } if (!ctx.page.mimetype) { if (buffer_is_binary(buf, size)) ctx.page.mimetype = "application/octet-stream"; else ctx.page.mimetype = "text/plain"; } ctx.page.filename = fmt("%s", path); ctx.page.size = size; ctx.page.etag = sha1_to_hex(sha1); cgit_print_http_headers(&ctx); html_raw(buf, size); match = 1; }
-static void print_dir(const unsigned char *sha1, const char *path,
- const char *base)
+static char *buildpath(const char *base, int baselen, const char *path)
 {
- char *fullpath;
- if (path[0] || base[0])
- fullpath = fmt("/%s%s/", base, path);
+ if (path[0])
+ return fmt("%.*s%s/", baselen, base, path);
 else
- fullpath = "/";
+ return fmt("%.*s/", baselen, base);
+}
+
+static void print_dir(const unsigned char *sha1, const char *base,
+ int baselen, const char *path)
+{
+ char *fullpath, *slash;
+ size_t len;
+
+ fullpath = buildpath(base, baselen, path);
+ slash = (fullpath[0] == '/' ? "" : "/");
 ctx.page.etag = sha1_to_hex(sha1); cgit_print_http_headers(&ctx);
- htmlf("<html><head><title>%s</title></head>\n<body>\n"
- " <h2>%s</h2>\n <ul>\n", fullpath, fullpath);
- if (path[0] || base[0])
- html(" <li><a href=\"../\">../</a></li>\n");
+ htmlf("<html><head><title>%s", slash);
+ html_txt(fullpath);
+ htmlf("</title></head>\n<body>\n<h2>%s", slash);
+ html_txt(fullpath);
+ html("</h2>\n<ul>\n");
+ len = strlen(fullpath);
+ if (len > 1) {
+ fullpath[len - 1] = 0;
+ slash = strrchr(fullpath, '/');
+ if (slash)
+ *(slash + 1) = 0;
+ else
+ fullpath = NULL;
+ html("<li>");
+ cgit_plain_link("../", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
+ fullpath);
+ html("</li>\n");
+ }
 match = 2; }
-static void print_dir_entry(const unsigned char *sha1, const char *path,
- unsigned mode)
+static void print_dir_entry(const unsigned char *sha1, const char *base,
+ int baselen, const char *path, unsigned mode)
 {
- const char *sep = "";
- if (S_ISDIR(mode))
- sep = "/";
- htmlf(" <li><a href=\"%s%s\">%s%s</a></li>\n", path, sep, path, sep);
+ char *fullpath;
+
+ fullpath = buildpath(base, baselen, path);
+ if (!S_ISDIR(mode))
+ fullpath[strlen(fullpath) - 1] = 0;
+ html(" <li>");
+ cgit_plain_link(path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
+ fullpath);
+ html("</li>\n");
 match = 2; } static void print_dir_tail(void) { html(" </ul>\n</body></html>\n"); } static int walk_tree(const unsigned char *sha1, const char *base, int baselen, const char *pathname, unsigned mode, int stage, void *cbdata) { if (baselen == match_baselen) { if (S_ISREG(mode)) print_object(sha1, pathname); else if (S_ISDIR(mode)) {
- print_dir(sha1, pathname, base);
+ print_dir(sha1, base, baselen, pathname);
 return READ_TREE_RECURSIVE; } } else if (baselen > match_baselen)
- print_dir_entry(sha1, pathname, mode);
+ print_dir_entry(sha1, base, baselen, pathname, mode);
 else if (S_ISDIR(mode)) return READ_TREE_RECURSIVE; return 0; } static int basedir_len(const char *path) { char *p = strrchr(path, '/'); if (p) return p - path + 1; return 0; } void cgit_print_plain(struct cgit_context *ctx) { const char *rev = ctx->qry.sha1; unsigned char sha1[20]; struct commit *commit; const char *paths[] = {ctx->qry.path, NULL}; if (!rev) rev = ctx->qry.head; if (get_sha1(rev, sha1)) { html_status(404, "Not found", 0); return; } commit = lookup_commit_reference(sha1); if (!commit || parse_commit(commit)) { html_status(404, "Not found", 0); return; } if (!paths[0]) { paths[0] = ""; match_baselen = -1;
- print_dir(commit->tree->object.sha1, "", "");
+ print_dir(commit->tree->object.sha1, "", 0, "");
 } else match_baselen = basedir_len(paths[0]); read_tree_recursive(commit->tree, "", 0, 0, paths, walk_tree, NULL); if (!match) html_status(404, "Not found", 0); else if (match == 2) print_dir_tail(); } |
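Review bot: `print_dir()` and `print_dir_entry()` both truncate the string returned by `buildpath()` in place (`fullpath[len - 1] = 0;` and `fullpath[strlen(fullpath) - 1] = 0;`), which is only correct because `buildpath()` always ends its result with `/` and because the `fmt()` buffer is writable and still intact when `cgit_plain_link()` reads it; neither assumption is written down, and `fmt()` is defined outside this hunk, so its buffer lifetime should be confirmed. I would add a comment above `buildpath()` such as `/* Returns a fmt() buffer holding base[0..baselen) + path, always terminated by '/'; callers may strip the final '/' in place. */`. In `print_dir()` the variable `slash` is first the title prefix and later the `strrchr()` result; a separate `const char *prefix` for the first use would make the parent-link computation easier to audit. The escaping of both the href and the link text now rests entirely on `cgit_plain_link()`, which is not visible here, so the XSS fix described in the commit message should be checked against that helper.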