Fossil SCM

Apply the spider SQL check to the diff URL argument of the /vdiff page. Improve some related docs.

stephan 2023-02-07 16:24 spider-sql-detection

Commit 936c122ff9398443f57a322ce460ff5e5841f7bd179867868bee07bc93f99bbe

Parent 61a608a2df267d2…

2 files changed +2 -2 +2 -2

M src/cgi.c

+2 -2

		--- src/cgi.c
		+++ src/cgi.c
		@@ -1540,12 +1540,12 @@
1540	1540	}
1541	1541	}
1542	1542
1543	1543	/*
1544	1544	** A variant of cgi_parameter() with the same semantics except that if
1545		-** the fetched value fails the might_be_sql() test then it calls
1546		-** cgi_begone_spider() and does not return.
	1545	+** cgi_parameter(zName,zDefault) returns a value other than zDefault
	1546	+** then it passes that value to cgi_value_spider_check().
1547	1547	*/
1548	1548	const char cgi_parameter_nosql(const char zName, const char *zDefault){
1549	1549	const char *zTxt = cgi_parameter(zName, zDefault);
1550	1550
1551	1551	if( zTxt!=zDefault ){
1552	1552

	--- src/cgi.c
	+++ src/cgi.c
	@@ -1540,12 +1540,12 @@
1540	}
1541	}
1542
1543	/*
1544	** A variant of cgi_parameter() with the same semantics except that if
1545	** the fetched value fails the might_be_sql() test then it calls
1546	** cgi_begone_spider() and does not return.
1547	*/
1548	const char cgi_parameter_nosql(const char zName, const char *zDefault){
1549	const char *zTxt = cgi_parameter(zName, zDefault);
1550
1551	if( zTxt!=zDefault ){
1552

	--- src/cgi.c
	+++ src/cgi.c
	@@ -1540,12 +1540,12 @@
1540	}
1541	}
1542
1543	/*
1544	** A variant of cgi_parameter() with the same semantics except that if
1545	** cgi_parameter(zName,zDefault) returns a value other than zDefault
1546	** then it passes that value to cgi_value_spider_check().
1547	*/
1548	const char cgi_parameter_nosql(const char zName, const char *zDefault){
1549	const char *zTxt = cgi_parameter(zName, zDefault);
1550
1551	if( zTxt!=zDefault ){
1552

M src/info.c

+2 -2

		--- src/info.c
		+++ src/info.c
		@@ -648,11 +648,11 @@
648	648	" WHERE blob.rid=%d"
649	649	" AND event.objid=%d",
650	650	rid, rid
651	651	);
652	652	zBrName = branch_of_rid(rid);
653		-
	653	+
654	654	diffType = preferred_diff_type();
655	655	if( db_step(&q1)==SQLITE_ROW ){
656	656	const char *zUuid = db_column_text(&q1, 0);
657	657	int nUuid = db_column_bytes(&q1, 0);
658	658	char zEUser, zEComment;
		@@ -1686,11 +1686,11 @@
1686	1686	dflt = db_get_int("preferred-diff-type",-99);
1687	1687	if( dflt<=0 ) dflt = user_agent_is_likely_mobile() ? 1 : 2;
1688	1688	zDflt[0] = dflt + '0';
1689	1689	zDflt[1] = 0;
1690	1690	cookie_link_parameter("diff","diff", zDflt);
1691		- return atoi(PD("diff",zDflt));
	1691	+ return atoi(PD_NoSQL("diff",zDflt));
1692	1692	}
1693	1693
1694	1694
1695	1695	/*
1696	1696	** WEBPAGE: fdiff
1697	1697

	--- src/info.c
	+++ src/info.c
	@@ -648,11 +648,11 @@
648	" WHERE blob.rid=%d"
649	" AND event.objid=%d",
650	rid, rid
651	);
652	zBrName = branch_of_rid(rid);
653
654	diffType = preferred_diff_type();
655	if( db_step(&q1)==SQLITE_ROW ){
656	const char *zUuid = db_column_text(&q1, 0);
657	int nUuid = db_column_bytes(&q1, 0);
658	char zEUser, zEComment;
	@@ -1686,11 +1686,11 @@
1686	dflt = db_get_int("preferred-diff-type",-99);
1687	if( dflt<=0 ) dflt = user_agent_is_likely_mobile() ? 1 : 2;
1688	zDflt[0] = dflt + '0';
1689	zDflt[1] = 0;
1690	cookie_link_parameter("diff","diff", zDflt);
1691	return atoi(PD("diff",zDflt));
1692	}
1693
1694
1695	/*
1696	** WEBPAGE: fdiff
1697

	--- src/info.c
	+++ src/info.c
	@@ -648,11 +648,11 @@
648	" WHERE blob.rid=%d"
649	" AND event.objid=%d",
650	rid, rid
651	);
652	zBrName = branch_of_rid(rid);
653
654	diffType = preferred_diff_type();
655	if( db_step(&q1)==SQLITE_ROW ){
656	const char *zUuid = db_column_text(&q1, 0);
657	int nUuid = db_column_bytes(&q1, 0);
658	char zEUser, zEComment;
	@@ -1686,11 +1686,11 @@
1686	dflt = db_get_int("preferred-diff-type",-99);
1687	if( dflt<=0 ) dflt = user_agent_is_likely_mobile() ? 1 : 2;
1688	zDflt[0] = dflt + '0';
1689	zDflt[1] = 0;
1690	cookie_link_parameter("diff","diff", zDflt);
1691	return atoi(PD_NoSQL("diff",zDflt));
1692	}
1693
1694
1695	/*
1696	** WEBPAGE: fdiff
1697