Add calls to cgi_check_for_malice() on many more web pages. Log all 418 responses to the error log.
Commit
40266bf9b2917bfc5e7fd1c702611da1d8a10ba6e75ceda25604b7bd2699ba76
Parent
5a8063a8cbe8be9…
23 files changed
+2
+3
+9
-6
+1
+1
+1
+1
+2
-1
+2
+1
+1
+2
+10
+1
+1
+1
+2
+1
+1
+1
+2
+5
+1
~
src/branch.c
~
src/browse.c
~
src/cgi.c
~
src/clone.c
~
src/descendants.c
~
src/diff.c
~
src/diffcmd.c
~
src/dispatch.c
~
src/doc.c
~
src/event.c
~
src/finfo.c
~
src/forum.c
~
src/info.c
~
src/login.c
~
src/name.c
~
src/search.c
~
src/stat.c
~
src/statrep.c
~
src/tag.c
~
src/timeline.c
~
src/unversioned.c
~
src/wiki.c
~
src/xfer.c
+2
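--- a/src/branch.c
+++ b/src/branch.c
@@ -858,10 +858,11 @@
 new_brlist_page();
 return;
 }
 login_check_credentials();
 if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
+cgi_check_for_malice();
 if( colorTest ){
 showClosed = 0;
 showAll = 1;
 }
 if( showAll ) brFlags = BRL_BOTH;
@@ -986,10 +987,11 @@
 style_set_current_feature("branch");
 style_header("Branches");
 style_submenu_element("List", "brlist");
 login_anonymous_available();
 timeline_ss_submenu();
+cgi_check_for_malice();
 @ <h2>The initial check-in for each branch:</h2>
 blob_append(&sql, timeline_query_for_www(), -1);
 blob_append_sql(&sql,
 "AND blob.rid IN (SELECT rid FROM tagxref"
 " WHERE tagtype>0 AND tagid=%d AND srcid!=0)", TAG_BRANCH);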
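Review bot: In the second hunk `cgi_check_for_malice();` runs only after `style_header("Branches")`, the submenu and `timeline_ss_submenu()` have already been emitted, whereas the first hunk places it directly after the permission gate; the earlier position is the better one here too. The cgi.c hunk in this commit suggests the rejection path replaces the content blob, so the partial page is presumably discarded rather than leaked, but the header and submenu work is wasted and the two placements read inconsistently. Moving the call up to follow this page's login/permission check would match the first hunk; that check, like the start of the enclosing function, sits outside the hunk.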
+3
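--- a/src/browse.c
+++ b/src/browse.c
@@ -209,10 +209,11 @@
 fossil_free(zHeader);
 style_adunit_config(ADUNIT_RIGHT_OK);
 sqlite3_create_function(g.db, "pathelement", 2, SQLITE_UTF8, 0,
 pathelementFunc, 0, 0);
 url_initialize(&sURI, "dir");
+cgi_check_for_malice();
 cgi_query_parameters_to_url(&sURI);
 
 /* Compute the title of the page */
 if( zD ){
 Blob dirname;
@@ -705,10 +706,11 @@
 zRE = P("re");
 if( zRE ){
 re_compile(&pRE, zRE, 0);
 zREx = mprintf("&re=%T", zRE);
 }
+cgi_check_for_malice();
 
 /* If the name= parameter is an empty string, make it a NULL pointer */
 if( zD && strlen(zD)==0 ){ zD = 0; }
 
 /* If a specific check-in is requested, fetch and parse it. If the
@@ -1109,10 +1111,11 @@
 zNow = db_text("", "SELECT datetime(mtime,toLocal()) FROM event"
 " WHERE objid=%d", rid);
 style_submenu_element("Tree-View", "%R/tree?ci=%T&mtime=1&type=tree", zName);
 style_header("File Ages");
 zGlob = P("glob");
+cgi_check_for_malice();
 compute_fileage(rid,zGlob);
 db_multi_exec("CREATE INDEX fileage_ix1 ON fileage(mid,pathname);");
 
 if( fossil_strcmp(zName,"tip")==0 ){
 @ <h1>Files in the %z(href("%R/info?name=tip"))latest check-in</a>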
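Review bot: In the second hunk `re_compile(&pRE, zRE, 0)` and `mprintf("&re=%T", zRE)` consume the user-supplied `re` parameter before `cgi_check_for_malice();` gets to inspect the request, so a request that is about to be rejected still has its regex compiled first. Placing the call above `zRE = P("re");` rejects before any parameter-derived work is done, which is how the first and third hunks order it relative to `cgi_query_parameters_to_url()` and `compute_fileage()`. The enclosing function starts outside the hunk.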
+9
-6
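--- a/src/cgi.c
+++ b/src/cgi.c
@@ -1535,22 +1535,25 @@
 /*
 ** Renders the "begone, spider" page and exits.
 */
 static void cgi_begone_spider(void){
 Blob content = empty_blob;
-
 cgi_set_content(&content);
 style_set_current_feature("test");
+style_submenu_enable(0);
 style_header("Malicious Query Detected");
-@ <h2>Begone, Fiend!</h2>
-@ <p>This page was generated because Fossil believes it has
-@ detected an SQL injection attack. If you believe you are seeing
-@ this in error, contact the developers on the Fossil-SCM Forum. Type
+@ <h2>Begone, Knave!</h2>
+@ <p>This page was generated because Fossil detected an (unsuccessful)
+@ SQL injection attack or other nefarious content in your HTTP request.
+@
+@ <p>If you believe you are innocent and have reached this page in error,
+@ contact the Fossil developers on the Fossil-SCM Forum. Type
 @ "fossil-scm forum" into any search engine to locate the Fossil-SCM Forum.
 style_finish_page();
-cgi_set_status(418,"Robot Attack Detected");
+cgi_set_status(418,"I'm a teapotgrep ");
 cgi_reply();
+fossil_errorlog("possible hack attempt - 418 response");
 exit(0);
 }
 
 /*
 ** If looks_like_sql_injection() returns true for the given string, calls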
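Review bot: The new reason phrase in `cgi_set_status(418,"I'm a teapotgrep ");` looks like an editing accident: the trailing `grep ` is not part of the RFC 2324 phrase and the string ends in a space. It is emitted on the HTTP status line and will appear verbatim in client, proxy and server logs, so `cgi_set_status(418,"I'm a teapot");` is presumably what was intended. Separately, the function comment still says "begone, spider" while the heading now says Knave; the comment could instead state that this renders the 418 rejection page, records the attempt via `fossil_errorlog()`, and exits.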
+1
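--- a/src/clone.c
+++ b/src/clone.c
@@ -398,10 +398,11 @@
 ** Provide a simple page that enables newbies to download the latest tarball or
 ** ZIP archive, and provides instructions on how to clone.
 */
 void download_page(void){
 login_check_credentials();
+cgi_check_for_malice();
 style_header("Download Page");
 if( !g.perm.Zip ){
 @ <p>Bummer. You do not have permission to download.
 if( g.zLogin==0 || g.zLogin[0]==0 ){
 @ Maybe it would work better if you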
+1
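--- a/src/descendants.c
+++ b/src/descendants.c
@@ -576,10 +576,11 @@
 }
 if( showClosed || showAll ){
 style_submenu_element("Open", "%s", url_render(&url, 0, 0, 0, 0));
 }
 url_reset(&url);
+cgi_check_for_malice();
 style_set_current_feature("leaves");
 style_header("Leaves");
 login_anonymous_available();
 timeline_ss_submenu();
 #if 0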
+1
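--- a/src/diff.c
+++ b/src/diff.c
@@ -3581,10 +3581,11 @@
 zLimit = P("limit");
 showLog = PB("log");
 fileVers = PB("filevers");
 ignoreWs = PB("w");
 if( ignoreWs ) annFlags |= DIFF_IGNORE_ALLWS;
+cgi_check_for_malice();
 
 /* compute the annotation */
 annotate_file(&ann, zFilename, zRevision, zLimit, zOrigin, annFlags);
 zCI = ann.aVers[0].zMUuid;
 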
+1
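--- a/src/diffcmd.c
+++ b/src/diffcmd.c
@@ -1221,10 +1221,11 @@
 */
 void vpatch_page(void){
 const char *zFrom = P("from");
 const char *zTo = P("to");
 DiffConfig DCfg;
+cgi_check_for_malice();
 login_check_credentials();
 if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
 if( zFrom==0 || zTo==0 ) fossil_redirect_home();
 
 fossil_nice_default();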
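Review bot: `cgi_check_for_malice();` is placed before `login_check_credentials();` here, while the other pages in this commit (branch.c, forum.c, doc.c, clone.c) call it only after credentials and permissions are established. If the rejection path renders a styled page, as the cgi.c hunk suggests, it does so here before the login state exists; moving the call below the `g.perm.Read` line keeps the ordering uniform across the commit. The same early placement appears in the info.c section for `secure_rawartifact_page`.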
+2
-1
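--- a/src/dispatch.c
+++ b/src/dispatch.c
@@ -813,15 +813,16 @@
 */
 void help_page(void){
 const char *zCmd = P("cmd");
 
 if( zCmd==0 ) zCmd = P("name");
+cgi_check_for_malice();
 if( zCmd && *zCmd ){
 int rc;
 const CmdOrPage *pCmd = 0;
 
-style_set_current_feature("tkt");
+style_set_current_feature("tkt");
 style_header("Help: %s", zCmd);
 
 style_submenu_element("Command-List", "%R/help");
 rc = dispatch_name_search(zCmd, CMDFLAG_ANY|CMDFLAG_PREFIX, &pCmd);
 if( *zCmd=='/' ){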
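Review bot: The re-added line `style_set_current_feature("tkt");` appears to change only in whitespace, yet it still labels the help page with the ticket feature, which reads like a leftover from another page; if the feature name drives styling or menu selection, a help-specific name is presumably intended, worth confirming while the line is being touched. The new `cgi_check_for_malice();` sits after `zCmd` is read and before it is used, which is the right spot.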
+2
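--- a/src/doc.c
+++ b/src/doc.c
@@ -1051,10 +1051,11 @@
 Th_Store("doc_version", db_text(0, "SELECT '[' || substr(uuid,1,10) || ']'"
 " FROM blob WHERE rid=%d", vid));
 Th_Store("doc_date", db_text(0, "SELECT datetime(mtime) FROM event"
 " WHERE objid=%d AND type='ci'", vid));
 }
+cgi_check_for_malice();
 document_render(&filebody, zMime, zDfltTitle, zName);
 if( nMiss>=count(azSuffix) ) cgi_set_status(404, "Not Found");
 db_end_transaction(0);
 return;
 
@@ -1242,8 +1243,9 @@
 */
 void doc_search_page(void){
 const int isSearch = P("s")!=0;
 login_check_credentials();
 style_header("Document Search%s", isSearch ? " Results" : "");
+cgi_check_for_malice();
 search_screen(SRCH_DOC, 0);
 style_finish_page();
 }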
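Review bot: In the first hunk `cgi_check_for_malice();` runs only immediately before `document_render()`, after the `Th_Store` queries and whatever name/ci resolution precedes the hunk have already executed on the request; that earlier handling is outside the hunk, so this is inferred. If the intent is to reject before any work is done on the request, the call belongs near the top of the page function after its login check, as the second hunk's `doc_search_page` does. If the late placement is deliberate, a one-line comment such as `/* deferred until the document lookup above has completed */` stating the actual reason would save the next reader the question.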
+1
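--- a/src/event.c
+++ b/src/event.c
@@ -129,10 +129,11 @@
 }
 verboseFlag = (zVerbose!=0) && !is_false(zVerbose);
 
 /* Extract the event content.
 */
+cgi_check_for_malice();
 pTNote = manifest_get(rid, CFTYPE_EVENT, 0);
 if( pTNote==0 ){
 fossil_fatal("Object #%d is not a tech-note", rid);
 }
 zMimetype = wiki_filter_mimetypes(PD("mimetype",pTNote->zMimetype));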
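Review bot: The new `cgi_check_for_malice();` lands between the comment `/* Extract the event content. */` and the `manifest_get()` call it describes, so the comment now reads as if it introduces the malice check. Move the call above the comment, directly after the `verboseFlag` line, so the comment stays attached to the manifest lookup. The enclosing function starts outside the hunk.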
+1
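--- a/src/finfo.c
+++ b/src/finfo.c
@@ -423,10 +423,11 @@
 }else{
 compute_direct_ancestors(ridFrom);
 }
 }
 url_add_parameter(&url, "name", zFilename);
+cgi_check_for_malice();
 blob_zero(&sql);
 if( ridCi ){
 /* If we will be tracking changes across renames, some extra temp
 ** tables (implemented as CTEs) are required */
 blob_append_sql(&sql,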
+2
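--- a/src/forum.c
+++ b/src/forum.c
@@ -1155,10 +1155,11 @@
 return;
 }
 if( zName==0 ){
 webpage_error("Missing \"name=\" query parameter");
 }
+cgi_check_for_malice();
 fpid = symbolic_name_to_rid(zName, "f");
 if( fpid<=0 ){
 if( fpid==0 ){
 webpage_notfound_error("Unknown forum id: \"%s\"", zName);
 }else{
@@ -1902,10 +1903,11 @@
 srchFlags = search_restrict(SRCH_FORUM);
 if( !g.perm.RdForum ){
 login_needed(g.anon.RdForum);
 return;
 }
+cgi_check_for_malice();
 style_set_current_feature("forum");
 style_header( "%s", isSearch ? "Forum Search Results" : "Forum" );
 style_submenu_element("Timeline", "%R/timeline?ss=v&y=f&vfx");
 if( g.perm.WrForum ){
 style_submenu_element("New Thread","%R/forumnew");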
+10
| --- src/info.c | ||
| +++ src/info.c | ||
| @@ -506,10 +506,11 @@ | ||
| 506 | 506 | style_header("Check-in Information Error"); |
| 507 | 507 | @ No such object: %h(PD("name","")) |
| 508 | 508 | style_finish_page(); |
| 509 | 509 | return; |
| 510 | 510 | } |
| 511 | + cgi_check_for_malice(); | |
| 511 | 512 | zHash = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 512 | 513 | style_header("Tags and Properties"); |
| 513 | 514 | zType = whatis_rid_type_label(rid); |
| 514 | 515 | if(!zType) zType = "Artifact"; |
| 515 | 516 | @ <h1>Tags and Properties for %s(zType) \ |
| @@ -1002,10 +1003,11 @@ | ||
| 1002 | 1003 | } |
| 1003 | 1004 | if( strcmp(zModAction,"approve")==0 ){ |
| 1004 | 1005 | moderation_approve('w', rid); |
| 1005 | 1006 | } |
| 1006 | 1007 | } |
| 1008 | + cgi_check_for_malice(); | |
| 1007 | 1009 | style_header("Update of \"%h\"", pWiki->zWikiTitle); |
| 1008 | 1010 | zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 1009 | 1011 | zDate = db_text(0, "SELECT datetime(%.17g,toLocal())", pWiki->rDate); |
| 1010 | 1012 | style_submenu_element("Raw", "%R/artifact/%s", zUuid); |
| 1011 | 1013 | style_submenu_element("History", "%R/whistory?name=%t", pWiki->zWikiTitle); |
| @@ -1780,10 +1782,11 @@ | ||
| 1780 | 1782 | } |
| 1781 | 1783 | db_finalize(&q); |
| 1782 | 1784 | } |
| 1783 | 1785 | if( v1==0 || v2==0 ) fossil_redirect_home(); |
| 1784 | 1786 | zRe = P("regex"); |
| 1787 | + cgi_check_for_malice(); | |
| 1785 | 1788 | if( zRe ) re_compile(&pRe, zRe, 0); |
| 1786 | 1789 | if( verbose ) objdescFlags |= OBJDESC_DETAIL; |
| 1787 | 1790 | if( isPatch ){ |
| 1788 | 1791 | Blob c1, c2, *pOut; |
| 1789 | 1792 | DiffConfig DCfg; |
| @@ -1863,10 +1866,11 @@ | ||
| 1863 | 1866 | if( rid==0 ){ |
| 1864 | 1867 | rid = name_to_rid_www("name"); |
| 1865 | 1868 | } |
| 1866 | 1869 | login_check_credentials(); |
| 1867 | 1870 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1871 | + cgi_check_for_malice(); | |
| 1868 | 1872 | if( rid==0 ) fossil_redirect_home(); |
| 1869 | 1873 | zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 1870 | 1874 | etag_check(ETAG_HASH, zUuid); |
| 1871 | 1875 | if( fossil_strcmp(P("name"), zUuid)==0 && login_is_nobody() ){ |
| 1872 | 1876 | g.isConst = 1; |
| @@ -1887,10 +1891,11 @@ | ||
| 1887 | 1891 | */ |
| 1888 | 1892 | void secure_rawartifact_page(void){ |
| 1889 | 1893 | int rid = 0; |
| 1890 | 1894 | const char *zName = PD("name", ""); |
| 1891 | 1895 | |
| 1896 | + cgi_check_for_malice(); | |
| 1892 | 1897 | login_check_credentials(); |
| 1893 | 1898 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1894 | 1899 | rid = db_int(0, "SELECT rid FROM blob WHERE uuid=%Q", zName); |
| 1895 | 1900 | if( rid==0 ){ |
| 1896 | 1901 | cgi_set_status(404, "Not Found"); |
| @@ -1936,10 +1941,11 @@ | ||
| 1936 | 1941 | ajax_route_error(400, "Just testing client-side error handling."); |
| 1937 | 1942 | return; |
| 1938 | 1943 | } |
| 1939 | 1944 | |
| 1940 | 1945 | login_check_credentials(); |
| 1946 | + cgi_check_for_malice(); | |
| 1941 | 1947 | if( !g.perm.Read ){ |
| 1942 | 1948 | ajax_route_error(403, "Access requires Read permissions."); |
| 1943 | 1949 | return; |
| 1944 | 1950 | } |
| 1945 | 1951 | #if 1 |
| @@ -2117,10 +2123,11 @@ | ||
| 2117 | 2123 | |
| 2118 | 2124 | rid = name_to_rid_www("name"); |
| 2119 | 2125 | login_check_credentials(); |
| 2120 | 2126 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 2121 | 2127 | if( rid==0 ) fossil_redirect_home(); |
| 2128 | + cgi_check_for_malice(); | |
| 2122 | 2129 | if( g.perm.Admin ){ |
| 2123 | 2130 | const char *zUuid = db_text("", "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 2124 | 2131 | if( db_exists("SELECT 1 FROM shun WHERE uuid=%Q", zUuid) ){ |
| 2125 | 2132 | style_submenu_element("Unshun", "%R/shun?accept=%s&sub=1#delshun", zUuid); |
| 2126 | 2133 | }else{ |
| @@ -2423,10 +2430,11 @@ | ||
| 2423 | 2430 | int isBranchCI = 0; /* ci= refers to a branch name */ |
| 2424 | 2431 | char *zHeader = 0; |
| 2425 | 2432 | |
| 2426 | 2433 | login_check_credentials(); |
| 2427 | 2434 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 2435 | + cgi_check_for_malice(); | |
| 2428 | 2436 | style_set_current_feature("artifact"); |
| 2429 | 2437 | |
| 2430 | 2438 | /* Capture and normalize the name= and ci= query parameters */ |
| 2431 | 2439 | if( zName==0 ){ |
| 2432 | 2440 | zName = P("filename"); |
| @@ -2754,10 +2762,11 @@ | ||
| 2754 | 2762 | char *zTktTitle; |
| 2755 | 2763 | login_check_credentials(); |
| 2756 | 2764 | if( !g.perm.RdTkt ){ login_needed(g.anon.RdTkt); return; } |
| 2757 | 2765 | rid = name_to_rid_www("name"); |
| 2758 | 2766 | if( rid==0 ){ fossil_redirect_home(); } |
| 2767 | + cgi_check_for_malice(); | |
| 2759 | 2768 | zUuid = db_text("", "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 2760 | 2769 | if( g.perm.Admin ){ |
| 2761 | 2770 | if( db_exists("SELECT 1 FROM shun WHERE uuid=%Q", zUuid) ){ |
| 2762 | 2771 | style_submenu_element("Unshun", "%R/shun?accept=%s&sub=1#accshun", zUuid); |
| 2763 | 2772 | }else{ |
| @@ -2864,10 +2873,11 @@ | ||
| 2864 | 2873 | int rc; |
| 2865 | 2874 | int nLen; |
| 2866 | 2875 | |
| 2867 | 2876 | zName = P("name"); |
| 2868 | 2877 | if( zName==0 ) fossil_redirect_home(); |
| 2878 | + cgi_check_for_malice(); | |
| 2869 | 2879 | nLen = strlen(zName); |
| 2870 | 2880 | blob_set(&uuid, zName); |
| 2871 | 2881 | if( name_collisions(zName) ){ |
| 2872 | 2882 | cgi_set_parameter("src","info"); |
| 2873 | 2883 | ambiguous_page(); |
| 2874 | 2884 |
| --- src/info.c | |
| +++ src/info.c | |
| @@ -506,10 +506,11 @@ | |
| 506 | style_header("Check-in Information Error"); |
| 507 | @ No such object: %h(PD("name","")) |
| 508 | style_finish_page(); |
| 509 | return; |
| 510 | } |
| 511 | zHash = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 512 | style_header("Tags and Properties"); |
| 513 | zType = whatis_rid_type_label(rid); |
| 514 | if(!zType) zType = "Artifact"; |
| 515 | @ <h1>Tags and Properties for %s(zType) \ |
| @@ -1002,10 +1003,11 @@ | |
| 1002 | } |
| 1003 | if( strcmp(zModAction,"approve")==0 ){ |
| 1004 | moderation_approve('w', rid); |
| 1005 | } |
| 1006 | } |
| 1007 | style_header("Update of \"%h\"", pWiki->zWikiTitle); |
| 1008 | zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 1009 | zDate = db_text(0, "SELECT datetime(%.17g,toLocal())", pWiki->rDate); |
| 1010 | style_submenu_element("Raw", "%R/artifact/%s", zUuid); |
| 1011 | style_submenu_element("History", "%R/whistory?name=%t", pWiki->zWikiTitle); |
| @@ -1780,10 +1782,11 @@ | |
| 1780 | } |
| 1781 | db_finalize(&q); |
| 1782 | } |
| 1783 | if( v1==0 || v2==0 ) fossil_redirect_home(); |
| 1784 | zRe = P("regex"); |
| 1785 | if( zRe ) re_compile(&pRe, zRe, 0); |
| 1786 | if( verbose ) objdescFlags |= OBJDESC_DETAIL; |
| 1787 | if( isPatch ){ |
| 1788 | Blob c1, c2, *pOut; |
| 1789 | DiffConfig DCfg; |
| @@ -1863,10 +1866,11 @@ | |
| 1863 | if( rid==0 ){ |
| 1864 | rid = name_to_rid_www("name"); |
| 1865 | } |
| 1866 | login_check_credentials(); |
| 1867 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1868 | if( rid==0 ) fossil_redirect_home(); |
| 1869 | zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 1870 | etag_check(ETAG_HASH, zUuid); |
| 1871 | if( fossil_strcmp(P("name"), zUuid)==0 && login_is_nobody() ){ |
| 1872 | g.isConst = 1; |
| @@ -1887,10 +1891,11 @@ | |
| 1887 | */ |
| 1888 | void secure_rawartifact_page(void){ |
| 1889 | int rid = 0; |
| 1890 | const char *zName = PD("name", ""); |
| 1891 | |
| 1892 | login_check_credentials(); |
| 1893 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1894 | rid = db_int(0, "SELECT rid FROM blob WHERE uuid=%Q", zName); |
| 1895 | if( rid==0 ){ |
| 1896 | cgi_set_status(404, "Not Found"); |
| @@ -1936,10 +1941,11 @@ | |
| 1936 | ajax_route_error(400, "Just testing client-side error handling."); |
| 1937 | return; |
| 1938 | } |
| 1939 | |
| 1940 | login_check_credentials(); |
| 1941 | if( !g.perm.Read ){ |
| 1942 | ajax_route_error(403, "Access requires Read permissions."); |
| 1943 | return; |
| 1944 | } |
| 1945 | #if 1 |
| @@ -2117,10 +2123,11 @@ | |
| 2117 | |
| 2118 | rid = name_to_rid_www("name"); |
| 2119 | login_check_credentials(); |
| 2120 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 2121 | if( rid==0 ) fossil_redirect_home(); |
| 2122 | if( g.perm.Admin ){ |
| 2123 | const char *zUuid = db_text("", "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 2124 | if( db_exists("SELECT 1 FROM shun WHERE uuid=%Q", zUuid) ){ |
| 2125 | style_submenu_element("Unshun", "%R/shun?accept=%s&sub=1#delshun", zUuid); |
| 2126 | }else{ |
| @@ -2423,10 +2430,11 @@ | |
| 2423 | int isBranchCI = 0; /* ci= refers to a branch name */ |
| 2424 | char *zHeader = 0; |
| 2425 | |
| 2426 | login_check_credentials(); |
| 2427 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 2428 | style_set_current_feature("artifact"); |
| 2429 | |
| 2430 | /* Capture and normalize the name= and ci= query parameters */ |
| 2431 | if( zName==0 ){ |
| 2432 | zName = P("filename"); |
| @@ -2754,10 +2762,11 @@ | |
| 2754 | char *zTktTitle; |
| 2755 | login_check_credentials(); |
| 2756 | if( !g.perm.RdTkt ){ login_needed(g.anon.RdTkt); return; } |
| 2757 | rid = name_to_rid_www("name"); |
| 2758 | if( rid==0 ){ fossil_redirect_home(); } |
| 2759 | zUuid = db_text("", "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 2760 | if( g.perm.Admin ){ |
| 2761 | if( db_exists("SELECT 1 FROM shun WHERE uuid=%Q", zUuid) ){ |
| 2762 | style_submenu_element("Unshun", "%R/shun?accept=%s&sub=1#accshun", zUuid); |
| 2763 | }else{ |
| @@ -2864,10 +2873,11 @@ | |
| 2864 | int rc; |
| 2865 | int nLen; |
| 2866 | |
| 2867 | zName = P("name"); |
| 2868 | if( zName==0 ) fossil_redirect_home(); |
| 2869 | nLen = strlen(zName); |
| 2870 | blob_set(&uuid, zName); |
| 2871 | if( name_collisions(zName) ){ |
| 2872 | cgi_set_parameter("src","info"); |
| 2873 | ambiguous_page(); |
| 2874 |
| --- src/info.c | |
| +++ src/info.c | |
| @@ -506,10 +506,11 @@ | |
| 506 | style_header("Check-in Information Error"); |
| 507 | @ No such object: %h(PD("name","")) |
| 508 | style_finish_page(); |
| 509 | return; |
| 510 | } |
| 511 | cgi_check_for_malice(); |
| 512 | zHash = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 513 | style_header("Tags and Properties"); |
| 514 | zType = whatis_rid_type_label(rid); |
| 515 | if(!zType) zType = "Artifact"; |
| 516 | @ <h1>Tags and Properties for %s(zType) \ |
| @@ -1002,10 +1003,11 @@ | |
| 1003 | } |
| 1004 | if( strcmp(zModAction,"approve")==0 ){ |
| 1005 | moderation_approve('w', rid); |
| 1006 | } |
| 1007 | } |
| 1008 | cgi_check_for_malice(); |
| 1009 | style_header("Update of \"%h\"", pWiki->zWikiTitle); |
| 1010 | zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 1011 | zDate = db_text(0, "SELECT datetime(%.17g,toLocal())", pWiki->rDate); |
| 1012 | style_submenu_element("Raw", "%R/artifact/%s", zUuid); |
| 1013 | style_submenu_element("History", "%R/whistory?name=%t", pWiki->zWikiTitle); |
| @@ -1780,10 +1782,11 @@ | |
| 1782 | } |
| 1783 | db_finalize(&q); |
| 1784 | } |
| 1785 | if( v1==0 || v2==0 ) fossil_redirect_home(); |
| 1786 | zRe = P("regex"); |
| 1787 | cgi_check_for_malice(); |
| 1788 | if( zRe ) re_compile(&pRe, zRe, 0); |
| 1789 | if( verbose ) objdescFlags |= OBJDESC_DETAIL; |
| 1790 | if( isPatch ){ |
| 1791 | Blob c1, c2, *pOut; |
| 1792 | DiffConfig DCfg; |
| @@ -1863,10 +1866,11 @@ | |
| 1866 | if( rid==0 ){ |
| 1867 | rid = name_to_rid_www("name"); |
| 1868 | } |
| 1869 | login_check_credentials(); |
| 1870 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1871 | cgi_check_for_malice(); |
| 1872 | if( rid==0 ) fossil_redirect_home(); |
| 1873 | zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 1874 | etag_check(ETAG_HASH, zUuid); |
| 1875 | if( fossil_strcmp(P("name"), zUuid)==0 && login_is_nobody() ){ |
| 1876 | g.isConst = 1; |
| @@ -1887,10 +1891,11 @@ | |
| 1891 | */ |
| 1892 | void secure_rawartifact_page(void){ |
| 1893 | int rid = 0; |
| 1894 | const char *zName = PD("name", ""); |
| 1895 | |
| 1896 | cgi_check_for_malice(); |
| 1897 | login_check_credentials(); |
| 1898 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1899 | rid = db_int(0, "SELECT rid FROM blob WHERE uuid=%Q", zName); |
| 1900 | if( rid==0 ){ |
| 1901 | cgi_set_status(404, "Not Found"); |
| @@ -1936,10 +1941,11 @@ | |
| 1941 | ajax_route_error(400, "Just testing client-side error handling."); |
| 1942 | return; |
| 1943 | } |
| 1944 | |
| 1945 | login_check_credentials(); |
| 1946 | cgi_check_for_malice(); |
| 1947 | if( !g.perm.Read ){ |
| 1948 | ajax_route_error(403, "Access requires Read permissions."); |
| 1949 | return; |
| 1950 | } |
| 1951 | #if 1 |
| @@ -2117,10 +2123,11 @@ | |
| 2123 | |
| 2124 | rid = name_to_rid_www("name"); |
| 2125 | login_check_credentials(); |
| 2126 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 2127 | if( rid==0 ) fossil_redirect_home(); |
| 2128 | cgi_check_for_malice(); |
| 2129 | if( g.perm.Admin ){ |
| 2130 | const char *zUuid = db_text("", "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 2131 | if( db_exists("SELECT 1 FROM shun WHERE uuid=%Q", zUuid) ){ |
| 2132 | style_submenu_element("Unshun", "%R/shun?accept=%s&sub=1#delshun", zUuid); |
| 2133 | }else{ |
| @@ -2423,10 +2430,11 @@ | |
| 2430 | int isBranchCI = 0; /* ci= refers to a branch name */ |
| 2431 | char *zHeader = 0; |
| 2432 | |
| 2433 | login_check_credentials(); |
| 2434 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 2435 | cgi_check_for_malice(); |
| 2436 | style_set_current_feature("artifact"); |
| 2437 | |
| 2438 | /* Capture and normalize the name= and ci= query parameters */ |
| 2439 | if( zName==0 ){ |
| 2440 | zName = P("filename"); |
| @@ -2754,10 +2762,11 @@ | |
| 2762 | char *zTktTitle; |
| 2763 | login_check_credentials(); |
| 2764 | if( !g.perm.RdTkt ){ login_needed(g.anon.RdTkt); return; } |
| 2765 | rid = name_to_rid_www("name"); |
| 2766 | if( rid==0 ){ fossil_redirect_home(); } |
| 2767 | cgi_check_for_malice(); |
| 2768 | zUuid = db_text("", "SELECT uuid FROM blob WHERE rid=%d", rid); |
| 2769 | if( g.perm.Admin ){ |
| 2770 | if( db_exists("SELECT 1 FROM shun WHERE uuid=%Q", zUuid) ){ |
| 2771 | style_submenu_element("Unshun", "%R/shun?accept=%s&sub=1#accshun", zUuid); |
| 2772 | }else{ |
| @@ -2864,10 +2873,11 @@ | |
| 2873 | int rc; |
| 2874 | int nLen; |
| 2875 | |
| 2876 | zName = P("name"); |
| 2877 | if( zName==0 ) fossil_redirect_home(); |
| 2878 | cgi_check_for_malice(); |
| 2879 | nLen = strlen(zName); |
| 2880 | blob_set(&uuid, zName); |
| 2881 | if( name_collisions(zName) ){ |
| 2882 | cgi_set_parameter("src","info"); |
| 2883 | ambiguous_page(); |
| 2884 |
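Review bot: In the hunk at `@@ -1002,10 +1003,11 @@` the new cgi_check_for_malice() call comes after the moderation block, so `moderation_approve('w', rid)` on the preceding lines has already changed repository state by the time a flagged request is rejected; if the check is meant to keep robot-looking requests from having effects, it belongs above that block (whose start is outside the hunk), right after the credential checks as the other hunks in this file do, and if moderation is already gated by a separate anti-automation check, a comment at the call saying so would save the next reader the same question. Separately, secure_rawartifact_page (hunk `@@ -1887,10 +1891,11 @@`) is the one place in this file where the call precedes login_check_credentials(), while every other hunk places it after the permission gate; one order should be chosen and a one-line comment should record why, e.g. `/* Screened before credentials: this page is served to anonymous clients and must fail fast. */`. The enclosing functions start outside their hunks, and this section shows only the new side of the file.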
+1
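--- a/src/login.c
+++ b/src/login.c
@@ -575,10 +575,11 @@
 /* If the "Reset Password" button in the form was pressed, render
 ** the Request Password Reset page in place of this one. */
 login_reqpwreset_page();
 return;
 }
+cgi_check_for_malice();
 login_check_credentials();
 fossil_redirect_to_https_if_needed(1);
 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
 constant_time_cmp_function, 0, 0);
 zUsername = P("u");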
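Review bot: Here cgi_check_for_malice() runs before login_check_credentials(), whereas almost every other page in this commit places it after the credential and permission checks, and nothing at the call explains the different order. If the check's verdict or its error-log entry depends on the current user, it runs on the login page with no user established, so a legitimate user whose login POST trips the heuristic is rejected and logged as anonymous; if the check is user-independent the order is harmless but still worth stating. A one-line comment would settle the intent, e.g. `/* Screen before credentials are examined: the login form is reached by anonymous clients. */`. The enclosing function starts outside the hunk.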
| --- src/login.c | |
| +++ src/login.c | |
| @@ -575,10 +575,11 @@ | |
| 575 | /* If the "Reset Password" button in the form was pressed, render |
| 576 | ** the Request Password Reset page in place of this one. */ |
| 577 | login_reqpwreset_page(); |
| 578 | return; |
| 579 | } |
| 580 | login_check_credentials(); |
| 581 | fossil_redirect_to_https_if_needed(1); |
| 582 | sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0, |
| 583 | constant_time_cmp_function, 0, 0); |
| 584 | zUsername = P("u"); |
| 585 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -575,10 +575,11 @@ | |
| 575 | /* If the "Reset Password" button in the form was pressed, render |
| 576 | ** the Request Password Reset page in place of this one. */ |
| 577 | login_reqpwreset_page(); |
| 578 | return; |
| 579 | } |
| 580 | cgi_check_for_malice(); |
| 581 | login_check_credentials(); |
| 582 | fossil_redirect_to_https_if_needed(1); |
| 583 | sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0, |
| 584 | constant_time_cmp_function, 0, 0); |
| 585 | zUsername = P("u"); |
| 586 |
+1
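--- a/src/name.c
+++ b/src/name.c
@@ -1651,10 +1651,11 @@
 char *zSha1Bg;
 char *zSha3Bg;
 
 login_check_credentials();
 if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
+cgi_check_for_malice();
 style_header("List Of Artifacts");
 style_submenu_element("250 Largest", "bigbloblist");
 if( g.perm.Admin ){
 style_submenu_element("Artifact Log", "rcvfromlist");
 }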
| --- src/name.c | |
| +++ src/name.c | |
| @@ -1651,10 +1651,11 @@ | |
| 1651 | char *zSha1Bg; |
| 1652 | char *zSha3Bg; |
| 1653 | |
| 1654 | login_check_credentials(); |
| 1655 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1656 | style_header("List Of Artifacts"); |
| 1657 | style_submenu_element("250 Largest", "bigbloblist"); |
| 1658 | if( g.perm.Admin ){ |
| 1659 | style_submenu_element("Artifact Log", "rcvfromlist"); |
| 1660 | } |
| 1661 |
| --- src/name.c | |
| +++ src/name.c | |
| @@ -1651,10 +1651,11 @@ | |
| 1651 | char *zSha1Bg; |
| 1652 | char *zSha3Bg; |
| 1653 | |
| 1654 | login_check_credentials(); |
| 1655 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 1656 | cgi_check_for_malice(); |
| 1657 | style_header("List Of Artifacts"); |
| 1658 | style_submenu_element("250 Largest", "bigbloblist"); |
| 1659 | if( g.perm.Admin ){ |
| 1660 | style_submenu_element("Artifact Log", "rcvfromlist"); |
| 1661 | } |
| 1662 |
+1
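--- a/src/search.c
+++ b/src/search.c
@@ -1219,10 +1219,11 @@
 */
 void search_page(void){
 const int isSearch = P("s")!=0;
 login_check_credentials();
 style_header("Search%s", isSearch ? " Results" : "");
+cgi_check_for_malice();
 search_screen(SRCH_ALL, 1);
 style_finish_page();
 }
 
 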
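Review bot: In search_page() the new cgi_check_for_malice() call sits after style_header(), so the page header has already been written when a request is rejected, while name.c, stat.c and unversioned.c in this same commit place the call before any output is produced. If the rejection path discards pending content this is only an inconsistency; otherwise the 418 response carries a partial HTML page. Moving the call up one line, `login_check_credentials();` / `cgi_check_for_malice();` / `style_header("Search%s", isSearch ? " Results" : "");`, matches the rest of the commit and rejects before any rendering work.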
| --- src/search.c | |
| +++ src/search.c | |
| @@ -1219,10 +1219,11 @@ | |
| 1219 | */ |
| 1220 | void search_page(void){ |
| 1221 | const int isSearch = P("s")!=0; |
| 1222 | login_check_credentials(); |
| 1223 | style_header("Search%s", isSearch ? " Results" : ""); |
| 1224 | search_screen(SRCH_ALL, 1); |
| 1225 | style_finish_page(); |
| 1226 | } |
| 1227 | |
| 1228 | |
| 1229 |
| --- src/search.c | |
| +++ src/search.c | |
| @@ -1219,10 +1219,11 @@ | |
| 1219 | */ |
| 1220 | void search_page(void){ |
| 1221 | const int isSearch = P("s")!=0; |
| 1222 | login_check_credentials(); |
| 1223 | style_header("Search%s", isSearch ? " Results" : ""); |
| 1224 | cgi_check_for_malice(); |
| 1225 | search_screen(SRCH_ALL, 1); |
| 1226 | style_finish_page(); |
| 1227 | } |
| 1228 | |
| 1229 | |
| 1230 |
+2
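--- a/src/stat.c
+++ b/src/stat.c
@@ -807,10 +807,11 @@
 sqlite3_int64 fsize;
 char zBuf[100];
 
 login_check_credentials();
 if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
+cgi_check_for_malice();
 style_set_current_feature("stat");
 style_header("Repository Table Sizes");
 style_adunit_config(ADUNIT_RIGHT_OK);
 style_submenu_element("Stat", "stat");
 if( g.perm.Admin ){
@@ -983,10 +984,11 @@
 */
 if( !g.perm.Write && !db_get_boolean("artifact_stats_enable",0) ){
 login_needed(g.anon.Write);
 return;
 }
+cgi_check_for_malice();
 fossil_nice_default();
 
 style_set_current_feature("stat");
 style_header("Artifact Statistics");
 style_submenu_element("Repository Stats", "stat");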
| --- src/stat.c | |
| +++ src/stat.c | |
| @@ -807,10 +807,11 @@ | |
| 807 | sqlite3_int64 fsize; |
| 808 | char zBuf[100]; |
| 809 | |
| 810 | login_check_credentials(); |
| 811 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 812 | style_set_current_feature("stat"); |
| 813 | style_header("Repository Table Sizes"); |
| 814 | style_adunit_config(ADUNIT_RIGHT_OK); |
| 815 | style_submenu_element("Stat", "stat"); |
| 816 | if( g.perm.Admin ){ |
| @@ -983,10 +984,11 @@ | |
| 983 | */ |
| 984 | if( !g.perm.Write && !db_get_boolean("artifact_stats_enable",0) ){ |
| 985 | login_needed(g.anon.Write); |
| 986 | return; |
| 987 | } |
| 988 | fossil_nice_default(); |
| 989 | |
| 990 | style_set_current_feature("stat"); |
| 991 | style_header("Artifact Statistics"); |
| 992 | style_submenu_element("Repository Stats", "stat"); |
| 993 |
| --- src/stat.c | |
| +++ src/stat.c | |
| @@ -807,10 +807,11 @@ | |
| 807 | sqlite3_int64 fsize; |
| 808 | char zBuf[100]; |
| 809 | |
| 810 | login_check_credentials(); |
| 811 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 812 | cgi_check_for_malice(); |
| 813 | style_set_current_feature("stat"); |
| 814 | style_header("Repository Table Sizes"); |
| 815 | style_adunit_config(ADUNIT_RIGHT_OK); |
| 816 | style_submenu_element("Stat", "stat"); |
| 817 | if( g.perm.Admin ){ |
| @@ -983,10 +984,11 @@ | |
| 984 | */ |
| 985 | if( !g.perm.Write && !db_get_boolean("artifact_stats_enable",0) ){ |
| 986 | login_needed(g.anon.Write); |
| 987 | return; |
| 988 | } |
| 989 | cgi_check_for_malice(); |
| 990 | fossil_nice_default(); |
| 991 | |
| 992 | style_set_current_feature("stat"); |
| 993 | style_header("Artifact Statistics"); |
| 994 | style_submenu_element("Repository Stats", "stat"); |
| 995 |
+1
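--- a/src/statrep.c
+++ b/src/statrep.c
@@ -912,10 +912,11 @@
 if( fossil_strcmp(zView, aViewType[i].zVal)==0 ){
 eType = aViewType[i].eType;
 break;
 }
 }
+cgi_check_for_malice();
 if( eType!=RPT_NONE ){
 int nView = 0; /* Slots used in azView[] */
 for(i=0; i<count(aViewType); i++){
 azView[nView++] = aViewType[i].zVal;
 azView[nView++] = aViewType[i].zName;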
| --- src/statrep.c | |
| +++ src/statrep.c | |
| @@ -912,10 +912,11 @@ | |
| 912 | if( fossil_strcmp(zView, aViewType[i].zVal)==0 ){ |
| 913 | eType = aViewType[i].eType; |
| 914 | break; |
| 915 | } |
| 916 | } |
| 917 | if( eType!=RPT_NONE ){ |
| 918 | int nView = 0; /* Slots used in azView[] */ |
| 919 | for(i=0; i<count(aViewType); i++){ |
| 920 | azView[nView++] = aViewType[i].zVal; |
| 921 | azView[nView++] = aViewType[i].zName; |
| 922 |
| --- src/statrep.c | |
| +++ src/statrep.c | |
| @@ -912,10 +912,11 @@ | |
| 912 | if( fossil_strcmp(zView, aViewType[i].zVal)==0 ){ |
| 913 | eType = aViewType[i].eType; |
| 914 | break; |
| 915 | } |
| 916 | } |
| 917 | cgi_check_for_malice(); |
| 918 | if( eType!=RPT_NONE ){ |
| 919 | int nView = 0; /* Slots used in azView[] */ |
| 920 | for(i=0; i<count(aViewType); i++){ |
| 921 | azView[nView++] = aViewType[i].zVal; |
| 922 | azView[nView++] = aViewType[i].zName; |
| 923 |
+1
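--- a/src/tag.c
+++ b/src/tag.c
@@ -805,10 +805,11 @@
 
 login_check_credentials();
 if( !g.perm.Read ){
 login_needed(g.anon.Read);
 }
+cgi_check_for_malice();
 login_anonymous_available();
 style_header("Tags");
 style_adunit_config(ADUNIT_RIGHT_OK);
 style_submenu_element("Timeline", "tagtimeline");
 @ <h2>Non-propagating tags:</h2>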
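Review bot: The permission gate directly above the new call, `if( !g.perm.Read ){ login_needed(g.anon.Read); }`, has no `return;`, unlike the same gate in name.c, stat.c and unversioned.c in this commit, so cgi_check_for_malice() and the page body are the next statements reached if login_needed() ever returns. If login_needed() is guaranteed not to return, the explicit `return;` used elsewhere (or a `/* NOTREACHED */` comment) makes that visible to readers and static analysers; if it can return, this is a pre-existing authorization gap that the new check does not close. Suggested: `if( !g.perm.Read ){ login_needed(g.anon.Read); return; }`. The enclosing function starts outside the hunk.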
| --- src/tag.c | |
| +++ src/tag.c | |
| @@ -805,10 +805,11 @@ | |
| 805 | |
| 806 | login_check_credentials(); |
| 807 | if( !g.perm.Read ){ |
| 808 | login_needed(g.anon.Read); |
| 809 | } |
| 810 | login_anonymous_available(); |
| 811 | style_header("Tags"); |
| 812 | style_adunit_config(ADUNIT_RIGHT_OK); |
| 813 | style_submenu_element("Timeline", "tagtimeline"); |
| 814 | @ <h2>Non-propagating tags:</h2> |
| 815 |
| --- src/tag.c | |
| +++ src/tag.c | |
| @@ -805,10 +805,11 @@ | |
| 805 | |
| 806 | login_check_credentials(); |
| 807 | if( !g.perm.Read ){ |
| 808 | login_needed(g.anon.Read); |
| 809 | } |
| 810 | cgi_check_for_malice(); |
| 811 | login_anonymous_available(); |
| 812 | style_header("Tags"); |
| 813 | style_adunit_config(ADUNIT_RIGHT_OK); |
| 814 | style_submenu_element("Timeline", "tagtimeline"); |
| 815 | @ <h2>Non-propagating tags:</h2> |
| 816 |
+1
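--- a/src/timeline.c
+++ b/src/timeline.c
@@ -2835,10 +2835,11 @@
 
 if( zNewerButton ){
 @ %z(chref("button","%s",zNewerButton))%h(zNewerButtonLabel)\
 @ ↑</a>
 }
+cgi_check_for_malice();
 www_print_timeline(&q, tmFlags, zThisUser, zThisTag, zBrName,
 selectedRid, secondaryRid, 0);
 db_finalize(&q);
 if( zOlderButton ){
 @ %z(chref("button","%s",zOlderButton))%h(zOlderButtonLabel)\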
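Review bot: The new call is placed after the page header and the Newer button have been emitted and after the timeline statement q (finalized just below) has been prepared, but before www_print_timeline() steps it, and nothing records why this particular spot was chosen. A short comment would keep a later refactor from moving it, e.g. `/* Screen the request here: parameter parsing is cheap, stepping the timeline query below is not. */`. If the rejection path exits without returning, q is never finalized, which is harmless when the process ends with the request but is worth a mention in the same comment. The enclosing function starts and ends outside the hunk.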
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -2835,10 +2835,11 @@ | |
| 2835 | |
| 2836 | if( zNewerButton ){ |
| 2837 | @ %z(chref("button","%s",zNewerButton))%h(zNewerButtonLabel)\ |
| 2838 | @ ↑</a> |
| 2839 | } |
| 2840 | www_print_timeline(&q, tmFlags, zThisUser, zThisTag, zBrName, |
| 2841 | selectedRid, secondaryRid, 0); |
| 2842 | db_finalize(&q); |
| 2843 | if( zOlderButton ){ |
| 2844 | @ %z(chref("button","%s",zOlderButton))%h(zOlderButtonLabel)\ |
| 2845 |
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -2835,10 +2835,11 @@ | |
| 2835 | |
| 2836 | if( zNewerButton ){ |
| 2837 | @ %z(chref("button","%s",zNewerButton))%h(zNewerButtonLabel)\ |
| 2838 | @ ↑</a> |
| 2839 | } |
| 2840 | cgi_check_for_malice(); |
| 2841 | www_print_timeline(&q, tmFlags, zThisUser, zThisTag, zBrName, |
| 2842 | selectedRid, secondaryRid, 0); |
| 2843 | db_finalize(&q); |
| 2844 | if( zOlderButton ){ |
| 2845 | @ %z(chref("button","%s",zOlderButton))%h(zOlderButtonLabel)\ |
| 2846 |
+2
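--- a/src/unversioned.c
+++ b/src/unversioned.c
@@ -542,10 +542,11 @@
 int showDel = 0;
 char zSzName[100];
 
 login_check_credentials();
 if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
+cgi_check_for_malice();
 etag_check(ETAG_DATA,0);
 style_header("Unversioned Files");
 if( !db_table_exists("repository","unversioned") ){
 @ No unversioned files on this server
 style_finish_page();
@@ -654,10 +655,11 @@
 char *zSep = "[";
 Blob json;
 
 login_check_credentials();
 if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
+cgi_check_for_malice();
 cgi_set_content_type("application/json");
 etag_check(ETAG_DATA,0);
 if( !db_table_exists("repository","unversioned") ){
 blob_init(&json, "[]", -1);
 cgi_set_content(&json);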
| --- src/unversioned.c | |
| +++ src/unversioned.c | |
| @@ -542,10 +542,11 @@ | |
| 542 | int showDel = 0; |
| 543 | char zSzName[100]; |
| 544 | |
| 545 | login_check_credentials(); |
| 546 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 547 | etag_check(ETAG_DATA,0); |
| 548 | style_header("Unversioned Files"); |
| 549 | if( !db_table_exists("repository","unversioned") ){ |
| 550 | @ No unversioned files on this server |
| 551 | style_finish_page(); |
| @@ -654,10 +655,11 @@ | |
| 654 | char *zSep = "["; |
| 655 | Blob json; |
| 656 | |
| 657 | login_check_credentials(); |
| 658 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 659 | cgi_set_content_type("application/json"); |
| 660 | etag_check(ETAG_DATA,0); |
| 661 | if( !db_table_exists("repository","unversioned") ){ |
| 662 | blob_init(&json, "[]", -1); |
| 663 | cgi_set_content(&json); |
| 664 |
| --- src/unversioned.c | |
| +++ src/unversioned.c | |
| @@ -542,10 +542,11 @@ | |
| 542 | int showDel = 0; |
| 543 | char zSzName[100]; |
| 544 | |
| 545 | login_check_credentials(); |
| 546 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 547 | cgi_check_for_malice(); |
| 548 | etag_check(ETAG_DATA,0); |
| 549 | style_header("Unversioned Files"); |
| 550 | if( !db_table_exists("repository","unversioned") ){ |
| 551 | @ No unversioned files on this server |
| 552 | style_finish_page(); |
| @@ -654,10 +655,11 @@ | |
| 655 | char *zSep = "["; |
| 656 | Blob json; |
| 657 | |
| 658 | login_check_credentials(); |
| 659 | if( !g.perm.Read ){ login_needed(g.anon.Read); return; } |
| 660 | cgi_check_for_malice(); |
| 661 | cgi_set_content_type("application/json"); |
| 662 | etag_check(ETAG_DATA,0); |
| 663 | if( !db_table_exists("repository","unversioned") ){ |
| 664 | blob_init(&json, "[]", -1); |
| 665 | cgi_set_content(&json); |
| 666 |
+5
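--- a/src/wiki.c
+++ b/src/wiki.c
@@ -115,10 +115,11 @@
 */
 void home_page(void){
 char *zPageName = db_get("project-name",0);
 char *zIndexPage = db_get("index-page",0);
 login_check_credentials();
+cgi_check_for_malice();
 if( zIndexPage ){
 const char *zPathInfo = P("PATH_INFO");
 while( zIndexPage[0]=='/' ) zIndexPage++;
 while( zPathInfo[0]=='/' ) zPathInfo++;
 if( fossil_strcmp(zIndexPage, zPathInfo)==0 ) zIndexPage = 0;
@@ -550,10 +551,11 @@
 int noSubmenu = P("nsm")!=0 || g.isHome;
 
 login_check_credentials();
 if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; }
 zPageName = P("name");
+cgi_check_for_malice();
 if( zPageName==0 ){
 if( search_restrict(SRCH_WIKI)!=0 ){
 wiki_srchpage();
 }else{
 wiki_helppage();
@@ -1842,10 +1844,11 @@
 blob_init(&w1, pW1->zWiki, -1);
 zPid = P("pid");
 if( ( zPid==0 || zPid[0] == 0 ) && pW1->nParent ){
 zPid = pW1->azParent[0];
 }
+cgi_check_for_malice();
 if( zPid && zPid[0] != 0 ){
 char *zDate;
 rid2 = name_to_typed_rid(zPid, "w");
 pW2 = manifest_get(rid2, CFTYPE_WIKI, 0);
 blob_init(&w2, pW2->zWiki, -1);
@@ -1929,10 +1932,11 @@
 if( showAll ){
 style_submenu_element("Active", "%R/wcontent");
 }else{
 style_submenu_element("All", "%R/wcontent?all=1");
 }
+cgi_check_for_malice();
 showCkBr = db_exists(
 "SELECT tag.tagname AS tn FROM tag JOIN tagxref USING(tagid) "
 "WHERE ( tn GLOB 'wiki-checkin/*' OR tn GLOB 'wiki-branch/*' ) "
 " AND TYPEOF(tagxref.value+0)='integer'" );
 if( showCkBr ){
@@ -2006,10 +2010,11 @@
 Stmt q;
 const char *zTitle;
 login_check_credentials();
 if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; }
 zTitle = PD("title","*");
+cgi_check_for_malice();
 style_set_current_feature("wiki");
 style_header("Wiki Pages Found");
 @ <ul>
 db_prepare(&q,
 "SELECT substr(tagname, 6, 1000) FROM tag WHERE tagname like 'wiki-%%%q%%'"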
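Review bot: In the third hunk (`@@ -1842,10 +1844,11 @@`) the check runs only after pW1 has already been fetched and its text copied into w1, whereas the second and fifth hunks place it right after the raw parameter reads and before any repository work; hoisting it above the first manifest_get() would reject a flagged request before any parsing, but that call sits above the hunk. Separately, the lines just after the new call dereference pW2 from `manifest_get(rid2, CFTYPE_WIKI, 0)` without a NULL check; if name_to_typed_rid() already rejects a pid= that does not name a wiki artifact this is moot, otherwise a guard such as `if( pW2==0 ) fossil_redirect_home();` — or whatever error path the function uses for its other lookups — belongs between those two lines. The enclosing functions start outside their hunks.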
| --- src/wiki.c | |
| +++ src/wiki.c | |
| @@ -115,10 +115,11 @@ | |
| 115 | */ |
| 116 | void home_page(void){ |
| 117 | char *zPageName = db_get("project-name",0); |
| 118 | char *zIndexPage = db_get("index-page",0); |
| 119 | login_check_credentials(); |
| 120 | if( zIndexPage ){ |
| 121 | const char *zPathInfo = P("PATH_INFO"); |
| 122 | while( zIndexPage[0]=='/' ) zIndexPage++; |
| 123 | while( zPathInfo[0]=='/' ) zPathInfo++; |
| 124 | if( fossil_strcmp(zIndexPage, zPathInfo)==0 ) zIndexPage = 0; |
| @@ -550,10 +551,11 @@ | |
| 550 | int noSubmenu = P("nsm")!=0 || g.isHome; |
| 551 | |
| 552 | login_check_credentials(); |
| 553 | if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; } |
| 554 | zPageName = P("name"); |
| 555 | if( zPageName==0 ){ |
| 556 | if( search_restrict(SRCH_WIKI)!=0 ){ |
| 557 | wiki_srchpage(); |
| 558 | }else{ |
| 559 | wiki_helppage(); |
| @@ -1842,10 +1844,11 @@ | |
| 1842 | blob_init(&w1, pW1->zWiki, -1); |
| 1843 | zPid = P("pid"); |
| 1844 | if( ( zPid==0 || zPid[0] == 0 ) && pW1->nParent ){ |
| 1845 | zPid = pW1->azParent[0]; |
| 1846 | } |
| 1847 | if( zPid && zPid[0] != 0 ){ |
| 1848 | char *zDate; |
| 1849 | rid2 = name_to_typed_rid(zPid, "w"); |
| 1850 | pW2 = manifest_get(rid2, CFTYPE_WIKI, 0); |
| 1851 | blob_init(&w2, pW2->zWiki, -1); |
| @@ -1929,10 +1932,11 @@ | |
| 1929 | if( showAll ){ |
| 1930 | style_submenu_element("Active", "%R/wcontent"); |
| 1931 | }else{ |
| 1932 | style_submenu_element("All", "%R/wcontent?all=1"); |
| 1933 | } |
| 1934 | showCkBr = db_exists( |
| 1935 | "SELECT tag.tagname AS tn FROM tag JOIN tagxref USING(tagid) " |
| 1936 | "WHERE ( tn GLOB 'wiki-checkin/*' OR tn GLOB 'wiki-branch/*' ) " |
| 1937 | " AND TYPEOF(tagxref.value+0)='integer'" ); |
| 1938 | if( showCkBr ){ |
| @@ -2006,10 +2010,11 @@ | |
| 2006 | Stmt q; |
| 2007 | const char *zTitle; |
| 2008 | login_check_credentials(); |
| 2009 | if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; } |
| 2010 | zTitle = PD("title","*"); |
| 2011 | style_set_current_feature("wiki"); |
| 2012 | style_header("Wiki Pages Found"); |
| 2013 | @ <ul> |
| 2014 | db_prepare(&q, |
| 2015 | "SELECT substr(tagname, 6, 1000) FROM tag WHERE tagname like 'wiki-%%%q%%'" |
| 2016 |
| --- src/wiki.c | |
| +++ src/wiki.c | |
| @@ -115,10 +115,11 @@ | |
| 115 | */ |
| 116 | void home_page(void){ |
| 117 | char *zPageName = db_get("project-name",0); |
| 118 | char *zIndexPage = db_get("index-page",0); |
| 119 | login_check_credentials(); |
| 120 | cgi_check_for_malice(); |
| 121 | if( zIndexPage ){ |
| 122 | const char *zPathInfo = P("PATH_INFO"); |
| 123 | while( zIndexPage[0]=='/' ) zIndexPage++; |
| 124 | while( zPathInfo[0]=='/' ) zPathInfo++; |
| 125 | if( fossil_strcmp(zIndexPage, zPathInfo)==0 ) zIndexPage = 0; |
| @@ -550,10 +551,11 @@ | |
| 551 | int noSubmenu = P("nsm")!=0 || g.isHome; |
| 552 | |
| 553 | login_check_credentials(); |
| 554 | if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; } |
| 555 | zPageName = P("name"); |
| 556 | cgi_check_for_malice(); |
| 557 | if( zPageName==0 ){ |
| 558 | if( search_restrict(SRCH_WIKI)!=0 ){ |
| 559 | wiki_srchpage(); |
| 560 | }else{ |
| 561 | wiki_helppage(); |
| @@ -1842,10 +1844,11 @@ | |
| 1844 | blob_init(&w1, pW1->zWiki, -1); |
| 1845 | zPid = P("pid"); |
| 1846 | if( ( zPid==0 || zPid[0] == 0 ) && pW1->nParent ){ |
| 1847 | zPid = pW1->azParent[0]; |
| 1848 | } |
| 1849 | cgi_check_for_malice(); |
| 1850 | if( zPid && zPid[0] != 0 ){ |
| 1851 | char *zDate; |
| 1852 | rid2 = name_to_typed_rid(zPid, "w"); |
| 1853 | pW2 = manifest_get(rid2, CFTYPE_WIKI, 0); |
| 1854 | blob_init(&w2, pW2->zWiki, -1); |
| @@ -1929,10 +1932,11 @@ | |
| 1932 | if( showAll ){ |
| 1933 | style_submenu_element("Active", "%R/wcontent"); |
| 1934 | }else{ |
| 1935 | style_submenu_element("All", "%R/wcontent?all=1"); |
| 1936 | } |
| 1937 | cgi_check_for_malice(); |
| 1938 | showCkBr = db_exists( |
| 1939 | "SELECT tag.tagname AS tn FROM tag JOIN tagxref USING(tagid) " |
| 1940 | "WHERE ( tn GLOB 'wiki-checkin/*' OR tn GLOB 'wiki-branch/*' ) " |
| 1941 | " AND TYPEOF(tagxref.value+0)='integer'" ); |
| 1942 | if( showCkBr ){ |
| @@ -2006,10 +2010,11 @@ | |
| 2010 | Stmt q; |
| 2011 | const char *zTitle; |
| 2012 | login_check_credentials(); |
| 2013 | if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; } |
| 2014 | zTitle = PD("title","*"); |
| 2015 | cgi_check_for_malice(); |
| 2016 | style_set_current_feature("wiki"); |
| 2017 | style_header("Wiki Pages Found"); |
| 2018 | @ <ul> |
| 2019 | db_prepare(&q, |
| 2020 | "SELECT substr(tagname, 6, 1000) FROM tag WHERE tagname like 'wiki-%%%q%%'" |
| 2021 |
+1
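--- a/src/xfer.c
+++ b/src/xfer.c
@@ -1220,10 +1220,11 @@
 fossil_redirect_home();
 }
 g.zLogin = "anonymous";
 login_set_anon_nobody_capabilities();
 login_check_credentials();
+cgi_check_for_malice();
 memset(&xfer, 0, sizeof(xfer));
 blobarray_zero(xfer.aToken, count(xfer.aToken));
 cgi_set_content_type(g.zContentType);
 cgi_reset_content();
 if( db_schema_is_outofdate() ){
 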
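Review bot: The new `cgi_check_for_malice()` call at line 1225 sits on the sync-protocol endpoint, which is driven by fossil clients rather than browsers, so any heuristic in that check tuned for interactive page requests would surface here as a 418 that a push or pull cannot recover from. Whether that is a real risk depends on what the check inspects, which is not visible in this hunk; if it looks at anything beyond the shape of the request parameters, this call site deserves either an exemption or a comment explaining why the same policy is acceptable for clients. At minimum I would add `/* Sync requests are vetted too: a 418 here aborts the client's push/pull, so the heuristics must stay conservative. */` above the call. The enclosing function starts and ends outside the hunk, so I cannot see whether an earlier check already covers this path.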
| --- src/xfer.c | |
| +++ src/xfer.c | |
| @@ -1220,10 +1220,11 @@ | |
| 1220 | fossil_redirect_home(); |
| 1221 | } |
| 1222 | g.zLogin = "anonymous"; |
| 1223 | login_set_anon_nobody_capabilities(); |
| 1224 | login_check_credentials(); |
| 1225 | memset(&xfer, 0, sizeof(xfer)); |
| 1226 | blobarray_zero(xfer.aToken, count(xfer.aToken)); |
| 1227 | cgi_set_content_type(g.zContentType); |
| 1228 | cgi_reset_content(); |
| 1229 | if( db_schema_is_outofdate() ){ |
| 1230 |
| --- src/xfer.c | |
| +++ src/xfer.c | |
| @@ -1220,10 +1220,11 @@ | |
| 1220 | fossil_redirect_home(); |
| 1221 | } |
| 1222 | g.zLogin = "anonymous"; |
| 1223 | login_set_anon_nobody_capabilities(); |
| 1224 | login_check_credentials(); |
| 1225 | cgi_check_for_malice(); |
| 1226 | memset(&xfer, 0, sizeof(xfer)); |
| 1227 | blobarray_zero(xfer.aToken, count(xfer.aToken)); |
| 1228 | cgi_set_content_type(g.zContentType); |
| 1229 | cgi_reset_content(); |
| 1230 | if( db_schema_is_outofdate() ){ |
| 1231 |