Fossil SCM

Mark some TH1 inputs that can be controlled by the user as tainted.

drh 2025-04-19 19:08 th1-taint
Commit 2742682720c692ca916c034da28baf694d239ed05f2f5e49af183e9b0b62e249
+2 -2
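--- a/src/browse.c
+++ b/src/browse.c
@@ -205,11 +205,11 @@
 linkTip = rid != symbolic_name_to_rid("tip", "ci");
 zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid);
 isSymbolicCI = (sqlite3_strnicmp(zUuid, zCI, strlen(zCI))!=0);
 isBranchCI = branch_includes_uuid(zCI, zUuid);
 if( bDocDir ) zCI = mprintf("%S", zUuid);
-Th_Store("current_checkin", zCI);
+Th_StoreUnsafe("current_checkin", zCI);
 }else{
 zCI = 0;
 }
 }
 
@@ -771,11 +771,11 @@
 rNow = db_double(0.0, "SELECT mtime FROM event WHERE objid=%d", rid);
 zNow = db_text("", "SELECT datetime(mtime,toLocal())"
 " FROM event WHERE objid=%d", rid);
 isSymbolicCI = (sqlite3_strnicmp(zUuid, zCI, strlen(zCI)) != 0);
 isBranchCI = branch_includes_uuid(zCI, zUuid);
-Th_Store("current_checkin", zCI);
+Th_StoreUnsafe("current_checkin", zCI);
 }else{
 zCI = 0;
 }
 }
 if( zCI==0 ){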
+1 -1
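--- a/src/doc.c
+++ b/src/doc.c
@@ -1052,11 +1052,11 @@
 */
 zMime = nMiss==0 ? P("mimetype") : 0;
 if( zMime==0 ){
 zMime = mimetype_from_name(zName);
 }
-Th_Store("doc_name", zName);
+Th_StoreUnsafe("doc_name", zName);
 if( vid ){
 Th_Store("doc_version", db_text(0, "SELECT '[' || substr(uuid,1,10) || ']'"
 " FROM blob WHERE rid=%d", vid));
 Th_Store("doc_date", db_text(0, "SELECT datetime(mtime) FROM event"
 " WHERE objid=%d AND type='ci'", vid));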
+1 -1
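--- a/src/info.c
+++ b/src/info.c
@@ -951,11 +951,11 @@
 const char *zOrigDate;
 int okWiki = 0;
 Blob wiki_read_links = BLOB_INITIALIZER;
 Blob wiki_add_links = BLOB_INITIALIZER;
 
-Th_Store("current_checkin", zName);
+Th_StoreUnsafe("current_checkin", zName);
 style_header("Check-in [%S]", zUuid);
 login_anonymous_available();
 zEUser = db_text(0,
 "SELECT value FROM tagxref"
 " WHERE tagid=%d AND rid=%d AND tagtype>0",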
+3 -2
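--- a/src/style.c
+++ b/src/style.c
@@ -744,12 +744,13 @@
 ** is evaluated before the header is rendered).
 */
 Th_MaybeStore("default_csp", zDfltCsp);
 fossil_free(zDfltCsp);
 Th_Store("nonce", zNonce);
-Th_Store("project_name", db_get("project-name","Unnamed Fossil Project"));
-Th_Store("project_description", db_get("project-description",""));
+Th_StoreUnsafe("project_name",
+db_get("project-name","Unnamed Fossil Project"));
+Th_StoreUnsafe("project_description", db_get("project-description",""));
 if( zTitle ) Th_Store("title", html_lookalike(zTitle,-1));
 Th_Store("baseurl", g.zBaseURL);
 Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL);
 Th_Store("home", g.zTop);
 Th_Store("index_page", db_get("index-page","/home"));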
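Review bot: `index_page` on new line 756 is still stored with plain `Th_Store`, although it is read through `db_get` from the same configuration source as the two settings this hunk marks as tainted. If `project-name` and `project-description` are treated as user-controlled, the `index-page` setting presumably is too; either store it with `Th_StoreUnsafe("index_page", db_get("index-page","/home"));` or add a comment saying why that setting is trusted. The enclosing function starts and ends outside the hunk, so other `Th_Store` calls there may need the same look.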
+17 -1
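--- a/src/th_main.c
+++ b/src/th_main.c
@@ -2028,11 +2028,11 @@
 int szVar = zVar ? th_strlen(zVar) : 0;
 if( szVar>1 && zVar[0]=='$'
 && Th_GetVar(interp, zVar+1, szVar-1)==TH_OK ){
 int nVal;
 const char *zVal = Th_GetResult(interp, &nVal);
-sqlite3_bind_text(pStmt, i, zVal, nVal, SQLITE_TRANSIENT);
+sqlite3_bind_text(pStmt, i, zVal, TH1_LEN(nVal), SQLITE_TRANSIENT);
 }
 }
 while( res==TH_OK && ignore_errors_step(pStmt)==SQLITE_ROW ){
 int nCol = sqlite3_column_count(pStmt);
 for(i=0; i<nCol; i++){
@@ -2560,10 +2560,26 @@
 Th_Trace("set %h {%h}<br>\n", zName, zValue);
 }
 Th_SetVar(g.interp, zName, -1, zValue, strlen(zValue));
 }
 }
+
+/*
+** Store a string value in a variable in the interpreter
+** with the "taint" marking, so that TH1 knows that this
+** variable contains content under the control of the remote
+** user and presents a risk of XSS or SQL-injection attacks.
+*/
+void Th_StoreUnsafe(const char *zName, const char *zValue){
+Th_FossilInit(TH_INIT_DEFAULT);
+if( zValue ){
+if( g.thTrace ){
+Th_Trace("set %h [taint {%h}]<br>\n", zName, zValue);
+}
+Th_SetVar(g.interp, zName, -1, zValue, TH1_ADD_TAINT(strlen(zValue)));
+}
+}
 
 /*
 ** Appends an element to a TH1 list value. This function is called by the
 ** transfer subsystem; therefore, it must be very careful to avoid doing
 ** any unnecessary work. To that end, the TH1 subsystem will not be called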
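Review bot: The header comment on `Th_StoreUnsafe` (second hunk) names the risk but does not say how the marking is carried or that nothing is stored when `zValue` is NULL. From the two hunks the taint appears to ride in the length argument (`TH1_ADD_TAINT(strlen(zValue))`) and to be removed with `TH1_LEN()` before a length is used as a byte count, as the `sqlite3_bind_text` change in the first hunk does. I would add `** The taint flag is encoded in the length passed to Th_SetVar(); apply TH1_LEN() to any length read back from the interpreter.` and `** If zValue is NULL, no variable is set.` to the comment. The first hunk would also benefit from a one-line comment saying that a bound parameter is not parsed as SQL, which is why dropping the flag there is acceptable; that function starts and ends outside the hunk.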
+1 -1
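--- a/src/timeline.c
+++ b/src/timeline.c
@@ -1888,11 +1888,11 @@
 if( zTagName ){
 zType = "ci";
 if( matchStyle==MS_EXACT ){
 /* For exact maching, inhibit links to the selected tag. */
 zThisTag = zTagName;
-Th_Store("current_checkin", zTagName);
+Th_StoreUnsafe("current_checkin", zTagName);
 }
 
 /* Display a checkbox to enable/disable display of related check-ins. */
 if( advancedMenu ){
 style_submenu_checkbox("rel", "Related", 0, 0);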
+6 -6
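--- a/src/tkt.c
+++ b/src/tkt.c
@@ -210,21 +210,21 @@
 zVal = zRevealed = db_reveal(zVal);
 }
 if( (j = fieldId(zName))>=0 ){
 aField[j].zValue = mprintf("%s", zVal);
 }else if( memcmp(zName, "tkt_", 4)==0 && Th_Fetch(zName, &size)==0 ){
-Th_Store(zName, zVal);
+Th_StoreUnsafe(zName, zVal);
 }
 free(zRevealed);
 }
 Th_Store("tkt_mage", human_readable_age(db_column_double(&q, 2)));
 Th_Store("tkt_cage", human_readable_age(db_column_double(&q, 3)));
 }
 db_finalize(&q);
 for(i=0; i<nField; i++){
 if( Th_Fetch(aField[i].zName, &size)==0 ){
-Th_Store(aField[i].zName, aField[i].zValue);
+Th_StoreUnsafe(aField[i].zName, aField[i].zValue);
 }
 }
 }
 
 /*
@@ -233,11 +233,11 @@
 static void initializeVariablesFromCGI(void){
 int i;
 const char *z;
 
 for(i=0; (z = cgi_parameter_name(i))!=0; i++){
-Th_Store(z, P(z));
+Th_StoreUnsafe(z, P(z));
 }
 }
 
 /*
 ** Information about a single J-card
@@ -1040,16 +1040,16 @@
 if( uid ){
 char * zEmail =
 db_text(0, "SELECT find_emailaddr(info) FROM user WHERE uid=%d",
 uid);
 if( zEmail ){
-Th_Store("private_contact", zEmail);
+Th_StoreUnsafe("private_contact", zEmail);
 fossil_free(zEmail);
 }
 }
 }
-Th_Store("login", login_name());
+Th_StoreUnsafe("login", login_name());
 Th_Store("date", db_text(0, "SELECT datetime('now')"));
 Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd,
 (void*)&zNewUuid, 0);
 if( g.thTrace ) Th_Trace("BEGIN_TKTNEW_SCRIPT<br>\n", -1);
 if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zNewUuid ){
@@ -1120,11 +1120,11 @@
 initializeVariablesFromDb();
 if( g.zPath[0]=='d' ) showAllFields();
 form_begin(0, "%R/%s", g.zPath);
 @ <input type="hidden" name="name" value="%s(zName)">
 zScript = ticket_editpage_code();
-Th_Store("login", login_name());
+Th_StoreUnsafe("login", login_name());
 Th_Store("date", db_text(0, "SELECT datetime('now')"));
 Th_CreateCommand(g.interp, "append_field", appendRemarkCmd, 0, 0);
 Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd, (void*)&zName,0);
 if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT_SCRIPT<br>\n", -1);
 if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zName ){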
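Review bot: In `initializeVariablesFromCGI` (second hunk, which shows the whole function) the variable name `z` comes from the request just as the value does, and the taint marking added here covers only the value. Whether parameter names are restricted before this loop is not visible in the hunk; if they are not, the set of TH1 variables a script sees is partly chosen by the request, and a tainted value under an unexpected name is still a defined variable. I would record that on the loop with `/* Name and value both come from the request; only the value carries the taint mark */`, and add a name check here if none exists upstream. The first hunk's `Th_Fetch(zName, &size)==0` guards show the pattern of not replacing an already-set variable, which this loop does not follow.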
