Improvements to the nonce='$NONCE' substitution mechanism.
Commit
1c50073d317c76fdea5ded7a00ef5f08227a5a030ef27e1a129ed17bec5c9938
Parent
0cbdbc725c36744…
1 file changed
+7
-4
+7
-4
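--- a/src/doc.c
+++ b/src/doc.c
@@ -513,13 +513,15 @@
 ** Transfer content to the output. During the transfer, when text of
 ** the following form is seen:
 **
 ** href="$ROOT/
 ** action="$ROOT/
+** nonce="$NONCE"
 **
-** Convert $ROOT to the root URI of the repository. Allow ' in place of "
-** and any case for href or action.
+** Convert $ROOT to the root URI of the repository and $NONCE to the
+** CSP nonce returned by style_nonce(). Allow ' in place of "
+** and any case for href or action or nonce.
 */
 void convert_href_and_output(Blob *pIn){
 int i, base;
 int n = blob_size(pIn);
 char *z = blob_buffer(pIn);
@@ -534,12 +536,13 @@
 ){
 blob_appendf(cgi_output_blob(), "%R");
 base = i+5;
 } else if( strncmp(&z[i],"$NONCE", 6)==0
 && (fossil_strnicmp(&z[i-8]," nonce=", 6)==0)
-&& (z[i+6]=='\'' || z[i+6]=='"') ) {
-blob_append(cgi_output_blob(), style_nonce(), 48);
+&& z[i+6]==z[i-1]
+) {
+blob_append(cgi_output_blob(), style_nonce(), -1);
 base = i+6;
 }
 }
 }
 blob_append(cgi_output_blob(), &z[base], i-base);
 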
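Review bot: The new delimiter test `z[i+6]==z[i-1]` in the second hunk no longer requires either character to be a quote, and the 6-byte compare against " nonce=" never checks the `=` at z[i-2], so any matching pair of bytes around `$NONCE` (for example two spaces) is now substituted even though the header comment in the first hunk says only ' or " are accepted. Tightening the two conditions to `&& (fossil_strnicmp(&z[i-8]," nonce=", 7)==0)` and `&& (z[i-1]=='\'' || z[i-1]=='"') && z[i+6]==z[i-1]` makes the code match its documentation and keeps the nonce confined to an attribute value. The `&z[i-8]` read presumably relies on the loop's starting index, which is outside this hunk; if i can be below 8 there, that is a read before the buffer and deserves an explicit `i>=8` term in the condition. convert_href_and_output's loop header and its closing brace lie outside the hunk.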
| --- src/doc.c | |
| +++ src/doc.c | |
| @@ -513,13 +513,15 @@ | |
| 513 | ** Transfer content to the output. During the transfer, when text of |
| 514 | ** the following form is seen: |
| 515 | ** |
| 516 | ** href="$ROOT/ |
| 517 | ** action="$ROOT/ |
| 518 | ** |
| 519 | ** Convert $ROOT to the root URI of the repository. Allow ' in place of " |
| 520 | ** and any case for href or action. |
| 521 | */ |
| 522 | void convert_href_and_output(Blob *pIn){ |
| 523 | int i, base; |
| 524 | int n = blob_size(pIn); |
| 525 | char *z = blob_buffer(pIn); |
| @@ -534,12 +536,13 @@ | |
| 534 | ){ |
| 535 | blob_appendf(cgi_output_blob(), "%R"); |
| 536 | base = i+5; |
| 537 | } else if( strncmp(&z[i],"$NONCE", 6)==0 |
| 538 | && (fossil_strnicmp(&z[i-8]," nonce=", 6)==0) |
| 539 | && (z[i+6]=='\'' || z[i+6]=='"') ) { |
| 540 | blob_append(cgi_output_blob(), style_nonce(), 48); |
| 541 | base = i+6; |
| 542 | } |
| 543 | } |
| 544 | } |
| 545 | blob_append(cgi_output_blob(), &z[base], i-base); |
| 546 |
| --- src/doc.c | |
| +++ src/doc.c | |
| @@ -513,13 +513,15 @@ | |
| 513 | ** Transfer content to the output. During the transfer, when text of |
| 514 | ** the following form is seen: |
| 515 | ** |
| 516 | ** href="$ROOT/ |
| 517 | ** action="$ROOT/ |
| 518 | ** nonce="$NONCE" |
| 519 | ** |
| 520 | ** Convert $ROOT to the root URI of the repository and $NONCE to the |
| 521 | ** CSP nonce returned by style_nonce(). Allow ' in place of " |
| 522 | ** and any case for href or action or nonce. |
| 523 | */ |
| 524 | void convert_href_and_output(Blob *pIn){ |
| 525 | int i, base; |
| 526 | int n = blob_size(pIn); |
| 527 | char *z = blob_buffer(pIn); |
| @@ -534,12 +536,13 @@ | |
| 536 | ){ |
| 537 | blob_appendf(cgi_output_blob(), "%R"); |
| 538 | base = i+5; |
| 539 | } else if( strncmp(&z[i],"$NONCE", 6)==0 |
| 540 | && (fossil_strnicmp(&z[i-8]," nonce=", 6)==0) |
| 541 | && z[i+6]==z[i-1] |
| 542 | ) { |
| 543 | blob_append(cgi_output_blob(), style_nonce(), -1); |
| 544 | base = i+6; |
| 545 | } |
| 546 | } |
| 547 | } |
| 548 | blob_append(cgi_output_blob(), &z[base], i-base); |
| 549 |