Fossil SCM

Enforce well-formedness constraints on wiki pagenames.

drh 2007-10-06 17:10 trunk

Commit 488afb97461a34ae63ac2a1f5e8b018e68466686

Parent 3cdb768fca1e7bf…

3 files changed +3 +47 -2 +5 -2

~ src/manifest.c ~ src/wiki.c ~ src/wikiformat.c

M src/manifest.c

		--- src/manifest.c
		+++ src/manifest.c
		@@ -370,10 +370,13 @@
370	370	if( p->zWikiTitle!=0 ) goto manifest_syntax_error;
371	371	if( blob_token(&line, &a1)==0 ) goto manifest_syntax_error;
372	372	if( blob_token(&line, &a2)!=0 ) goto manifest_syntax_error;
373	373	p->zWikiTitle = blob_terminate(&a1);
374	374	defossilize(p->zWikiTitle);
	375	+ if( !wiki_name_is_wellformed(p->zWikiTitle) ){
	376	+ goto manifest_syntax_error;
	377	+ }
375	378	break;
376	379	}
377	380
378	381	/*
379	382	** M <uuid>
380	383

	--- src/manifest.c
	+++ src/manifest.c
	@@ -370,10 +370,13 @@
370	if( p->zWikiTitle!=0 ) goto manifest_syntax_error;
371	if( blob_token(&line, &a1)==0 ) goto manifest_syntax_error;
372	if( blob_token(&line, &a2)!=0 ) goto manifest_syntax_error;
373	p->zWikiTitle = blob_terminate(&a1);
374	defossilize(p->zWikiTitle);



375	break;
376	}
377
378	/*
379	** M <uuid>
380

	--- src/manifest.c
	+++ src/manifest.c
	@@ -370,10 +370,13 @@
370	if( p->zWikiTitle!=0 ) goto manifest_syntax_error;
371	if( blob_token(&line, &a1)==0 ) goto manifest_syntax_error;
372	if( blob_token(&line, &a2)!=0 ) goto manifest_syntax_error;
373	p->zWikiTitle = blob_terminate(&a1);
374	defossilize(p->zWikiTitle);
375	if( !wiki_name_is_wellformed(p->zWikiTitle) ){
376	goto manifest_syntax_error;
377	}
378	break;
379	}
380
381	/*
382	** M <uuid>
383

M src/wiki.c

+47 -2

		--- src/wiki.c
		+++ src/wiki.c
		@@ -25,10 +25,53 @@
25	25	*/
26	26	#include <assert.h>
27	27	#include "config.h"
28	28	#include "wiki.h"
29	29
	30	+/*
	31	+** Return true if the input string is a well-formed wiki page name.
	32	+**
	33	+** Well-formed wiki page names do not begin or end with whitespace,
	34	+** and do not contain tabs or other control characters and do not
	35	+** contain more than a single space character in a row. Well-formed
	36	+** names must be between 3 and 100 chracters in length, inclusive.
	37	+*/
	38	+int wiki_name_is_wellformed(const char *z){
	39	+ int i;
	40	+ if( z[0]<=0x20 ){
	41	+ return 0;
	42	+ }
	43	+ for(i=1; z[i]; i++){
	44	+ if( z[i]<0x20 ) return 0;
	45	+ if( z[i]==0x20 && z[i-1]==0x20 ) return 0;
	46	+ }
	47	+ if( z[i-1]==' ' ) return 0;
	48	+ if( i<3 \|\| i>100 ) return 0;
	49	+ return 1;
	50	+}
	51	+
	52	+/*
	53	+** Check a wiki name. If it is not well-formed, then issue an error
	54	+** and return true. If it is well-formed, return false.
	55	+*/
	56	+static int check_name(const char *z){
	57	+ if( !wiki_name_is_wellformed(z) ){
	58	+ style_header("Wiki Page Name Error");
	59	+ @ The wiki name "<b>%h(z)</b>" is not well-formed. Rules for
	60	+ @ wiki page names:
	61	+ @ <ul>
	62	+ @ <li> Must not begin or end with a space.
	63	+ @ <li> Must not contain any control characters, including tab or
	64	+ @ newline.
	65	+ @ <li> Must not have two or more spaces in a row internally.
	66	+ @ <li> Must be between 3 and 100 characters in length.
	67	+ @ </ul>
	68	+ style_footer();
	69	+ return 1;
	70	+ }
	71	+ return 0;
	72	+}
30	73
31	74	/*
32	75	** WEBPAGE: wiki
33	76	** URL: /wiki/PAGENAME
34	77	*/
		@@ -43,10 +86,11 @@
43	86
44	87	login_check_credentials();
45	88	if( !g.okRdWiki ){ login_needed(); return; }
46	89	zPageName = mprintf("%s", g.zExtra);
47	90	dehttpize(zPageName);
	91	+ if( check_name(zPageName) ) return;
48	92	zTag = mprintf("wiki-%s", zPageName);
49	93	rid = db_int(0,
50	94	"SELECT rid FROM tagxref"
51	95	" WHERE tagid=(SELECT tagid FROM tag WHERE tagname=%Q)"
52	96	" ORDER BY mtime DESC", zTag
		@@ -66,11 +110,11 @@
66	110	style_header(zHtmlPageName);
67	111	blob_init(&wiki, zBody, -1);
68	112	wiki_convert(&wiki, 0);
69	113	blob_reset(&wiki);
70	114	manifest_clear(&m);
71		- if( zPageName[0] && ((rid && g.okWrWiki) \|\| (!rid && g.okNewWiki)) ){
	115	+ if( (rid && g.okWrWiki) \|\| (!rid && g.okNewWiki) ){
72	116	@ <hr>
73	117	@ [<a href="%s(g.zBaseURL)/wikiedit/%s(g.zExtra)">Edit</a>]
74	118	}
75	119	style_footer();
76	120	}
		@@ -94,10 +138,11 @@
94	138	zBody = mprintf("%s", zBody);
95	139	}
96	140	login_check_credentials();
97	141	zPageName = mprintf("%s", g.zExtra);
98	142	dehttpize(zPageName);
	143	+ if( check_name(zPageName) ) return;
99	144	zTag = mprintf("wiki-%s", zPageName);
100	145	rid = db_int(0,
101	146	"SELECT rid FROM tagxref"
102	147	" WHERE tagid=(SELECT tagid FROM tag WHERE tagname=%Q)"
103	148	" ORDER BY mtime DESC", zTag
		@@ -146,11 +191,11 @@
146	191	blob_reset(&wiki);
147	192	content_deltify(rid, nrid, 0);
148	193	db_end_transaction(0);
149	194	cgi_redirect(mprintf("wiki/%s", g.zExtra));
150	195	}
151		- if( P("cancel")!=0 \|\| zPageName[0]==0 ){
	196	+ if( P("cancel")!=0 ){
152	197	cgi_redirect(mprintf("wiki/%s", g.zExtra));
153	198	return;
154	199	}
155	200	if( zBody==0 ){
156	201	zBody = mprintf("<i>Empty Page</i>");
157	202

	--- src/wiki.c
	+++ src/wiki.c
	@@ -25,10 +25,53 @@
25	*/
26	#include <assert.h>
27	#include "config.h"
28	#include "wiki.h"
29











































30
31	/*
32	** WEBPAGE: wiki
33	** URL: /wiki/PAGENAME
34	*/
	@@ -43,10 +86,11 @@
43
44	login_check_credentials();
45	if( !g.okRdWiki ){ login_needed(); return; }
46	zPageName = mprintf("%s", g.zExtra);
47	dehttpize(zPageName);

48	zTag = mprintf("wiki-%s", zPageName);
49	rid = db_int(0,
50	"SELECT rid FROM tagxref"
51	" WHERE tagid=(SELECT tagid FROM tag WHERE tagname=%Q)"
52	" ORDER BY mtime DESC", zTag
	@@ -66,11 +110,11 @@
66	style_header(zHtmlPageName);
67	blob_init(&wiki, zBody, -1);
68	wiki_convert(&wiki, 0);
69	blob_reset(&wiki);
70	manifest_clear(&m);
71	if( zPageName[0] && ((rid && g.okWrWiki) \|\| (!rid && g.okNewWiki)) ){
72	@ <hr>
73	@ [<a href="%s(g.zBaseURL)/wikiedit/%s(g.zExtra)">Edit</a>]
74	}
75	style_footer();
76	}
	@@ -94,10 +138,11 @@
94	zBody = mprintf("%s", zBody);
95	}
96	login_check_credentials();
97	zPageName = mprintf("%s", g.zExtra);
98	dehttpize(zPageName);

99	zTag = mprintf("wiki-%s", zPageName);
100	rid = db_int(0,
101	"SELECT rid FROM tagxref"
102	" WHERE tagid=(SELECT tagid FROM tag WHERE tagname=%Q)"
103	" ORDER BY mtime DESC", zTag
	@@ -146,11 +191,11 @@
146	blob_reset(&wiki);
147	content_deltify(rid, nrid, 0);
148	db_end_transaction(0);
149	cgi_redirect(mprintf("wiki/%s", g.zExtra));
150	}
151	if( P("cancel")!=0 \|\| zPageName[0]==0 ){
152	cgi_redirect(mprintf("wiki/%s", g.zExtra));
153	return;
154	}
155	if( zBody==0 ){
156	zBody = mprintf("<i>Empty Page</i>");
157

	--- src/wiki.c
	+++ src/wiki.c
	@@ -25,10 +25,53 @@
25	*/
26	#include <assert.h>
27	#include "config.h"
28	#include "wiki.h"
29
30	/*
31	** Return true if the input string is a well-formed wiki page name.
32	**
33	** Well-formed wiki page names do not begin or end with whitespace,
34	** and do not contain tabs or other control characters and do not
35	** contain more than a single space character in a row. Well-formed
36	** names must be between 3 and 100 chracters in length, inclusive.
37	*/
38	int wiki_name_is_wellformed(const char *z){
39	int i;
40	if( z[0]<=0x20 ){
41	return 0;
42	}
43	for(i=1; z[i]; i++){
44	if( z[i]<0x20 ) return 0;
45	if( z[i]==0x20 && z[i-1]==0x20 ) return 0;
46	}
47	if( z[i-1]==' ' ) return 0;
48	if( i<3 \|\| i>100 ) return 0;
49	return 1;
50	}
51
52	/*
53	** Check a wiki name. If it is not well-formed, then issue an error
54	** and return true. If it is well-formed, return false.
55	*/
56	static int check_name(const char *z){
57	if( !wiki_name_is_wellformed(z) ){
58	style_header("Wiki Page Name Error");
59	@ The wiki name "<b>%h(z)</b>" is not well-formed. Rules for
60	@ wiki page names:
61	@ <ul>
62	@ <li> Must not begin or end with a space.
63	@ <li> Must not contain any control characters, including tab or
64	@ newline.
65	@ <li> Must not have two or more spaces in a row internally.
66	@ <li> Must be between 3 and 100 characters in length.
67	@ </ul>
68	style_footer();
69	return 1;
70	}
71	return 0;
72	}
73
74	/*
75	** WEBPAGE: wiki
76	** URL: /wiki/PAGENAME
77	*/
	@@ -43,10 +86,11 @@
86
87	login_check_credentials();
88	if( !g.okRdWiki ){ login_needed(); return; }
89	zPageName = mprintf("%s", g.zExtra);
90	dehttpize(zPageName);
91	if( check_name(zPageName) ) return;
92	zTag = mprintf("wiki-%s", zPageName);
93	rid = db_int(0,
94	"SELECT rid FROM tagxref"
95	" WHERE tagid=(SELECT tagid FROM tag WHERE tagname=%Q)"
96	" ORDER BY mtime DESC", zTag
	@@ -66,11 +110,11 @@
110	style_header(zHtmlPageName);
111	blob_init(&wiki, zBody, -1);
112	wiki_convert(&wiki, 0);
113	blob_reset(&wiki);
114	manifest_clear(&m);
115	if( (rid && g.okWrWiki) \|\| (!rid && g.okNewWiki) ){
116	@ <hr>
117	@ [<a href="%s(g.zBaseURL)/wikiedit/%s(g.zExtra)">Edit</a>]
118	}
119	style_footer();
120	}
	@@ -94,10 +138,11 @@
138	zBody = mprintf("%s", zBody);
139	}
140	login_check_credentials();
141	zPageName = mprintf("%s", g.zExtra);
142	dehttpize(zPageName);
143	if( check_name(zPageName) ) return;
144	zTag = mprintf("wiki-%s", zPageName);
145	rid = db_int(0,
146	"SELECT rid FROM tagxref"
147	" WHERE tagid=(SELECT tagid FROM tag WHERE tagname=%Q)"
148	" ORDER BY mtime DESC", zTag
	@@ -146,11 +191,11 @@
191	blob_reset(&wiki);
192	content_deltify(rid, nrid, 0);
193	db_end_transaction(0);
194	cgi_redirect(mprintf("wiki/%s", g.zExtra));
195	}
196	if( P("cancel")!=0 ){
197	cgi_redirect(mprintf("wiki/%s", g.zExtra));
198	return;
199	}
200	if( zBody==0 ){
201	zBody = mprintf("<i>Empty Page</i>");
202

M src/wikiformat.c

+5 -2

		--- src/wikiformat.c
		+++ src/wikiformat.c
		@@ -760,12 +760,14 @@
760	760	\|\| strncmp(zTarget, "https:", 6)==0
761	761	\|\| strncmp(zTarget, "ftp:", 4)==0
762	762	\|\| strncmp(zTarget, "mailto:", 7)==0
763	763	){
764	764	blob_appendf(p->pOut, zTarget);
765		- }else{
	765	+ }else if( wiki_name_is_wellformed(zTarget) ){
766	766	blob_appendf(p->pOut, "%s/wiki/%T", g.zBaseURL, zTarget);
	767	+ }else{
	768	+ blob_appendf(p->pOut, "error");
767	769	}
768	770	}
769	771
770	772	/*
771	773	** Check to see if the given parsed markup is the correct
		@@ -862,18 +864,19 @@
862	864	break;
863	865	}
864	866	case TOKEN_LINK: {
865	867	char *zTarget;
866	868	char *zDisplay = 0;
867		- int i;
	869	+ int i, j;
868	870	int savedState;
869	871	addMissingMarkup(p);
870	872	zTarget = &z[1];
871	873	for(i=1; z[i] && z[i]!=']'; i++){
872	874	if( z[i]=='\|' && zDisplay==0 ){
873	875	zDisplay = &z[i+1];
874	876	z[i] = 0;
	877	+ for(j=i-1; j>0 && isspace(z[j]); j--){ z[j] = 0; }
875	878	}
876	879	}
877	880	z[i] = 0;
878	881	if( zDisplay==0 ){
879	882	zDisplay = zTarget;
880	883

	--- src/wikiformat.c
	+++ src/wikiformat.c
	@@ -760,12 +760,14 @@
760	\|\| strncmp(zTarget, "https:", 6)==0
761	\|\| strncmp(zTarget, "ftp:", 4)==0
762	\|\| strncmp(zTarget, "mailto:", 7)==0
763	){
764	blob_appendf(p->pOut, zTarget);
765	}else{
766	blob_appendf(p->pOut, "%s/wiki/%T", g.zBaseURL, zTarget);


767	}
768	}
769
770	/*
771	** Check to see if the given parsed markup is the correct
	@@ -862,18 +864,19 @@
862	break;
863	}
864	case TOKEN_LINK: {
865	char *zTarget;
866	char *zDisplay = 0;
867	int i;
868	int savedState;
869	addMissingMarkup(p);
870	zTarget = &z[1];
871	for(i=1; z[i] && z[i]!=']'; i++){
872	if( z[i]=='\|' && zDisplay==0 ){
873	zDisplay = &z[i+1];
874	z[i] = 0;

875	}
876	}
877	z[i] = 0;
878	if( zDisplay==0 ){
879	zDisplay = zTarget;
880

	--- src/wikiformat.c
	+++ src/wikiformat.c
	@@ -760,12 +760,14 @@
760	\|\| strncmp(zTarget, "https:", 6)==0
761	\|\| strncmp(zTarget, "ftp:", 4)==0
762	\|\| strncmp(zTarget, "mailto:", 7)==0
763	){
764	blob_appendf(p->pOut, zTarget);
765	}else if( wiki_name_is_wellformed(zTarget) ){
766	blob_appendf(p->pOut, "%s/wiki/%T", g.zBaseURL, zTarget);
767	}else{
768	blob_appendf(p->pOut, "error");
769	}
770	}
771
772	/*
773	** Check to see if the given parsed markup is the correct
	@@ -862,18 +864,19 @@
864	break;
865	}
866	case TOKEN_LINK: {
867	char *zTarget;
868	char *zDisplay = 0;
869	int i, j;
870	int savedState;
871	addMissingMarkup(p);
872	zTarget = &z[1];
873	for(i=1; z[i] && z[i]!=']'; i++){
874	if( z[i]=='\|' && zDisplay==0 ){
875	zDisplay = &z[i+1];
876	z[i] = 0;
877	for(j=i-1; j>0 && isspace(z[j]); j--){ z[j] = 0; }
878	}
879	}
880	z[i] = 0;
881	if( zDisplay==0 ){
882	zDisplay = zTarget;
883

Fossil SCM

Keyboard Shortcuts