(cherry-pick): Fix an XSS issue with the /help webpage. Change a few %s format letters into %h
Commit
f1a7360e621c3014faff530f914ed02f721adaca869a3a0d1a88bac119d12156
Parent
cd24cf19dc618e9…
6 files changed
+5
-5
+1
-1
+1
-1
+1
-1
+1
-1
+1
-1
+5
-5
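--- a/src/dispatch.c
+++ b/src/dispatch.c
@@ -243,22 +243,22 @@
 
 style_submenu_element("Command-List", "%s/help", g.zTop);
 if( *zCmd=='/' ){
 /* Some of the webpages require query parameters in order to work.
 ** @ <h1>The "<a href='%R%s(zCmd)'>%s(zCmd)</a>" page:</h1> */
-@ <h1>The "%s(zCmd)" page:</h1>
+@ <h1>The "%h(zCmd)" page:</h1>
 }else{
-@ <h1>The "%s(zCmd)" command:</h1>
+@ <h1>The "%h(zCmd)" command:</h1>
 }
 rc = dispatch_name_search(zCmd, CMDFLAG_ANY, &pCmd);
 if( rc==1 ){
-@ unknown command: %s(zCmd)
+@ unknown command: %h(zCmd)
 }else if( rc==2 ){
-@ ambiguous command prefix: %s(zCmd)
+@ ambiguous command prefix: %h(zCmd)
 }else{
 if( pCmd->zHelp[0]==0 ){
-@ no help available for the %s(pCmd->zName) command
+@ no help available for the %h(pCmd->zName) command
 }else{
 @ <blockquote>
 help_to_html(pCmd->zHelp, cgi_output_blob());
 @ </blockquote>
 }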
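Review bot: The commented-out template on line 247 still carries the unescaped `%s(zCmd)` twice, once inside an href attribute and once as element text, so whoever revives it reintroduces the injection that lines 248 and 250 now fix. The commit message identifies zCmd on /help as the attacker-influenced value, so the comment should be updated alongside the live lines, to something like `** @ <h1>The "<a href='%R%T(zCmd)'>%h(zCmd)</a>" page:</h1> */`, using a URL-encoding letter such as the %T seen in name.c for the href and %h for the text. The remaining `%s/help` on line 244 carries g.zTop, the server's own base path, and help_to_html on line 262 renders the built-in help string, so neither appears user-controlled from what is visible here. The enclosing function starts and ends outside the hunk, and this section is rendered three times on the page.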
+1
-1
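--- a/src/login.c
+++ b/src/login.c
@@ -1458,11 +1458,11 @@
 
 if( db_exists("SELECT 1 FROM user WHERE login=%B", &login) ){
 /* Here lies the reason I don't use zErrMsg - it would not substitute
 * this %s(zUsername), or at least I don't know how to force it to.*/
 @ <p><span class="loginError">
-@ %s(zUsername) already exists.
+@ %h(zUsername) already exists.
 @ </span></p>
 }else{
 char *zPw = sha1_shared_secret(blob_str(&passwd), blob_str(&login), 0);
 int uid;
 db_multi_exec(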
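Review bot: The comment on lines 1460-1461 still describes the output as `%s(zUsername)`, which no longer matches the escaped form on line 1463 and invites a later "correction" back to %s. Update it to read `* this %h(zUsername), or at least I don't know how to force it to.*/` so the comment and the code agree. zUsername is echoed straight back to the requester on what looks like a self-registration error path, so HTML-escaping it here is right regardless of how the name is validated elsewhere, and the `%B` in the query on line 1459 keeps the SQL side parameterized. The enclosing function starts and ends outside the hunk, and this section is rendered again below.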
+1
-1
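--- a/src/login.c
+++ b/src/login.c
@@ -1458,11 +1458,11 @@
 
 if( db_exists("SELECT 1 FROM user WHERE login=%B", &login) ){
 /* Here lies the reason I don't use zErrMsg - it would not substitute
 * this %s(zUsername), or at least I don't know how to force it to.*/
 @ <p><span class="loginError">
-@ %s(zUsername) already exists.
+@ %h(zUsername) already exists.
 @ </span></p>
 }else{
 char *zPw = sha1_shared_secret(blob_str(&passwd), blob_str(&login), 0);
 int uid;
 db_multi_exec(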
+1
-1
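--- a/src/name.c
+++ b/src/name.c
@@ -467,11 +467,11 @@
 @ <li><p><a href="%R/%T(zSrc)/%!S(zUuid)">
 @ %s(zUuid)</a> -
 @ <ul></ul>
 @ Ticket
 hyperlink_to_uuid(zUuid);
-@ - %s(zTitle).
+@ - %h(zTitle).
 @ <ul><li>
 object_description(rid, 0, 0);
 @ </li></ul>
 @ </p></li>
 }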
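Review bot: Line 468 still emits `%s(zUuid)` as the link text on the new side while line 472 now uses %h, leaving one unescaped substitution inside the same output block. If zUuid is always a hex artifact hash drawn from the repository this is harmless, but it reads as an oversight sitting next to the fix, and `@ %h(zUuid)</a> -` costs nothing and keeps the block uniformly escaped. The enclosing function starts and ends outside the hunk, and this section is rendered again below.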
+1
-1
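--- a/src/name.c
+++ b/src/name.c
@@ -467,11 +467,11 @@
 @ <li><p><a href="%R/%T(zSrc)/%!S(zUuid)">
 @ %s(zUuid)</a> -
 @ <ul></ul>
 @ Ticket
 hyperlink_to_uuid(zUuid);
-@ - %s(zTitle).
+@ - %h(zTitle).
 @ <ul><li>
 object_description(rid, 0, 0);
 @ </li></ul>
 @ </p></li>
 }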
+1
-1
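--- a/src/search.c
+++ b/src/search.c
@@ -597,11 +597,11 @@
 }else{
 width = -1;
 }
 
 db_find_and_open_repository(0, 0);
-if( g.argc<2 ) return;
+if( g.argc<3 ) return;
 blob_init(&pattern, g.argv[2], -1);
 for(i=3; i<g.argc; i++){
 blob_appendf(&pattern, " %s", g.argv[i]);
 }
 (void)search_init(blob_str(&pattern),"*","*","...",SRCHFLG_STATIC);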
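Review bot: The corrected guard `if( g.argc<3 ) return;` on line 602 stops blob_init on line 603 from being handed g.argv[2] when only two arguments exist, but it still returns silently, so a user who omits the pattern gets no diagnostic at all. Printing a one-line usage message before returning would make the failure visible, and moving the check ahead of `db_find_and_open_repository(0, 0)` on line 601 would avoid opening the repository only to bail out. The enclosing function starts and ends outside the hunk.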