Fossil SCM
Fix the cgi_same_origin() routine so that it is able to deal with HTTP-encoded REFERER strings in the request header. Probable fix for the problem reported at [forum:/forumpost/dc5baee6085eb590|forum post dc5baee6085].
Commit
3046c5e9609b5a8810d067b2a795572d66442ab4f362ef42fa5ac8bfc5120063
Parent
45da184c1b7d6b6…
1 file changed
+16
-3
+16
-3
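--- a/src/cgi.c
+++ b/src/cgi.c
@@ -691,18 +691,31 @@
 /*
 ** Return true if the current request is coming from the same origin.
 */
 int cgi_same_origin(void){
 const char *zRef;
+char *zToFree = 0;
 int nBase;
+int rc;
 if( g.zBaseURL==0 ) return 0;
 zRef = P("HTTP_REFERER");
 if( zRef==0 ) return 0;
+if( strchr(zRef,'%')!=0 ){
+zToFree = strdup(zRef);
+dehttpize(zToFree);
+zRef = zToFree;
+}
 nBase = (int)strlen(g.zBaseURL);
-if( fossil_strncmp(g.zBaseURL,zRef,nBase)!=0 ) return 0;
-if( zRef[nBase]!=0 && zRef[nBase]!='/' ) return 0;
-return 1;
+if( fossil_strncmp(g.zBaseURL,zRef,nBase)!=0 ){
+rc = 0;
+}else if( zRef[nBase]!=0 && zRef[nBase]!='/' ){
+rc = 0;
+}else{
+rc = 1;
+}
+fossil_free(zToFree);
+return rc;
 }
 
 /*
 ** Return true if the current CGI request is a POST request
 */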
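Review bot: The result of `strdup(zRef)` goes straight into `dehttpize(zToFree)` with no NULL check, so an allocation failure on this request-header path would pass a null pointer to a routine that appears to rewrite its argument in place. The copy also comes from libc `strdup()` but is released with `fossil_free()`. Using the project's own wrapper keeps the pair consistent and, as far as I know, fails hard on out-of-memory rather than returning NULL: `zToFree = fossil_strdup(zRef);`. Because the boundary test on `zRef[nBase]` now runs against the decoded text while `g.zBaseURL` is compared as-is, a short comment above the `strchr` test would help, e.g. `/* Referer is percent-decoded before the prefix match; g.zBaseURL is assumed to be in decoded form */`.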
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -691,18 +691,31 @@ | |
| 691 | /* |
| 692 | ** Return true if the current request is coming from the same origin. |
| 693 | */ |
| 694 | int cgi_same_origin(void){ |
| 695 | const char *zRef; |
| 696 | int nBase; |
| 697 | if( g.zBaseURL==0 ) return 0; |
| 698 | zRef = P("HTTP_REFERER"); |
| 699 | if( zRef==0 ) return 0; |
| 700 | nBase = (int)strlen(g.zBaseURL); |
| 701 | if( fossil_strncmp(g.zBaseURL,zRef,nBase)!=0 ) return 0; |
| 702 | if( zRef[nBase]!=0 && zRef[nBase]!='/' ) return 0; |
| 703 | return 1; |
| 704 | } |
| 705 | |
| 706 | /* |
| 707 | ** Return true if the current CGI request is a POST request |
| 708 | */ |
| 709 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -691,18 +691,31 @@ | |
| 691 | /* |
| 692 | ** Return true if the current request is coming from the same origin. |
| 693 | */ |
| 694 | int cgi_same_origin(void){ |
| 695 | const char *zRef; |
| 696 | char *zToFree = 0; |
| 697 | int nBase; |
| 698 | int rc; |
| 699 | if( g.zBaseURL==0 ) return 0; |
| 700 | zRef = P("HTTP_REFERER"); |
| 701 | if( zRef==0 ) return 0; |
| 702 | if( strchr(zRef,'%')!=0 ){ |
| 703 | zToFree = strdup(zRef); |
| 704 | dehttpize(zToFree); |
| 705 | zRef = zToFree; |
| 706 | } |
| 707 | nBase = (int)strlen(g.zBaseURL); |
| 708 | if( fossil_strncmp(g.zBaseURL,zRef,nBase)!=0 ){ |
| 709 | rc = 0; |
| 710 | }else if( zRef[nBase]!=0 && zRef[nBase]!='/' ){ |
| 711 | rc = 0; |
| 712 | }else{ |
| 713 | rc = 1; |
| 714 | } |
| 715 | fossil_free(zToFree); |
| 716 | return rc; |
| 717 | } |
| 718 | |
| 719 | /* |
| 720 | ** Return true if the current CGI request is a POST request |
| 721 | */ |
| 722 |