Fix misplaced / missing db_unprotect() calls in the 'waliassetup' and 'setup_logo' pages.
Commit
f273832a730808261859ff2ee3ee1805d4f6e47171ee542deabecb927c807434
Parent
95e735165e8cb2d…
1 file changed
+9
-7
+9
-7
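--- a/src/setup.c
+++ b/src/setup.c
@@ -1272,17 +1272,17 @@
   if( !g.perm.Admin ){
     login_needed(0);
     return;
   }
   db_begin_transaction();
-  db_unprotect(PROTECT_CONFIG);
   if( !cgi_csrf_safe(1) ){
     /* Allow no state changes if not safe from CSRF */
   }else if( P("setlogo")!=0 && zLogoMime && zLogoMime[0] && szLogoImg>0 ){
     Blob img;
     Stmt ins;
     blob_init(&img, aLogoImg, szLogoImg);
+    db_unprotect(PROTECT_CONFIG);
     db_prepare(&ins,
       "REPLACE INTO config(name,value,mtime)"
       " VALUES('logo-image',:bytes,now())"
     );
     db_bind_blob(&ins, ":bytes", &img);
@@ -1290,17 +1290,20 @@
     db_finalize(&ins);
     db_multi_exec(
       "REPLACE INTO config(name,value,mtime) VALUES('logo-mimetype',%Q,now())",
       zLogoMime
     );
+    db_protect_pop();
     db_end_transaction(0);
     cgi_redirect("setup_logo");
   }else if( P("clrlogo")!=0 ){
+    db_unprotect(PROTECT_CONFIG);
     db_multi_exec(
       "DELETE FROM config WHERE name IN "
       "('logo-image','logo-mimetype')"
     );
+    db_protect_pop();
     db_end_transaction(0);
     cgi_redirect("setup_logo");
   }else if( P("setbg")!=0 && zBgMime && zBgMime[0] && szBgImg>0 ){
     Blob img;
     Stmt ins;
@@ -1325,10 +1328,11 @@
     db_unprotect(PROTECT_CONFIG);
     db_multi_exec(
       "DELETE FROM config WHERE name IN "
       "('background-image','background-mimetype')"
     );
+    db_protect_pop();
     db_end_transaction(0);
     cgi_redirect("setup_logo");
   }else if( P("seticon")!=0 && zIconMime && zIconMime[0] && szIconImg>0 ){
     Blob img;
     Stmt ins;
@@ -1348,14 +1352,16 @@
     );
     db_protect_pop();
     db_end_transaction(0);
     cgi_redirect("setup_logo");
   }else if( P("clricon")!=0 ){
+    db_unprotect(PROTECT_CONFIG);
     db_multi_exec(
       "DELETE FROM config WHERE name IN "
       "('icon-image','icon-mimetype')"
     );
+    db_protect_pop();
     db_end_transaction(0);
     cgi_redirect("setup_logo");
   }
   style_header("Edit Project Logo And Background");
   @ <p>The current project logo has a MIME-Type of <b>%h(zLogoMime)</b>
@@ -1804,27 +1810,22 @@
   const char *zValue
 ){
   if( !cgi_csrf_safe(1) ) return;
   if( zNewName[0]==0 || zValue[0]==0 ){
     if( zOldName[0] ){
-      db_unprotect(PROTECT_CONFIG);
       blob_append_sql(pSql,
         "DELETE FROM config WHERE name='walias:%q';\n",
         zOldName);
-      db_protect_pop();
     }
     return;
   }
   if( zOldName[0]==0 ){
-    db_unprotect(PROTECT_CONFIG);
     blob_append_sql(pSql,
       "INSERT INTO config(name,value,mtime) VALUES('walias:%q',%Q,now());\n",
       zNewName, zValue);
-    db_protect_pop();
     return;
   }
-  db_unprotect(PROTECT_CONFIG);
   if( strcmp(zOldName, zNewName)!=0 ){
     blob_append_sql(pSql,
       "UPDATE config SET name='walias:%q', value=%Q, mtime=now()"
       " WHERE name='walias:%q';\n",
       zNewName, zValue, zOldName);
@@ -1832,11 +1833,10 @@
     blob_append_sql(pSql,
       "UPDATE config SET value=%Q, mtime=now()"
       " WHERE name='walias:%q' AND value<>%Q;\n",
       zValue, zOldName, zValue);
   }
-  db_protect_pop();
 }
 
 /*
 ** WEBPAGE: waliassetup
 **
@@ -1874,11 +1874,13 @@
     sqlite3_snprintf(sizeof(zCnt), zCnt, "n%d", cnt);
     zNewName = PD(zCnt,"");
     sqlite3_snprintf(sizeof(zCnt), zCnt, "v%d", cnt);
     zValue = PD(zCnt,"");
     setup_update_url_alias(&sql, "", zNewName, zValue);
+    db_unprotect(PROTECT_CONFIG);
     db_multi_exec("%s", blob_sql_text(&sql));
+    db_protect_pop();
     blob_reset(&sql);
     blob_reset(&namelist);
     cnt = 0;
   }
   db_prepare(&q,
 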
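Review bot: setup_update_url_alias (hunks at 1810 and 1833) now only appends CONFIG writes to pSql without touching the protection stack, so the obligation to run that SQL between db_unprotect(PROTECT_CONFIG) and db_protect_pop() has silently moved to the caller, as the waliassetup hunk at 1879-1881 does, but nothing in the hunk states this contract. The function's header comment begins above the hunk; I would add to it: `** The SQL appended to pSql modifies the protected CONFIG table; the caller must execute it inside db_unprotect(PROTECT_CONFIG)/db_protect_pop().` If waliassetup executes `sql` at any other point outside this hunk, that site will presumably need the same wrapping and should be checked. In setup_logo the protection window is now per-branch and each db_protect_pop() precedes db_end_transaction(0), which limits unprotected access to exactly the config writes; that is the right shape, and a one-line comment at 1283 saying why the unprotect sits after blob_init rather than before the CSRF check would keep the next edit from hoisting it again.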
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -1272,17 +1272,17 @@ | |
| 1272 | if( !g.perm.Admin ){ |
| 1273 | login_needed(0); |
| 1274 | return; |
| 1275 | } |
| 1276 | db_begin_transaction(); |
| 1277 | db_unprotect(PROTECT_CONFIG); |
| 1278 | if( !cgi_csrf_safe(1) ){ |
| 1279 | /* Allow no state changes if not safe from CSRF */ |
| 1280 | }else if( P("setlogo")!=0 && zLogoMime && zLogoMime[0] && szLogoImg>0 ){ |
| 1281 | Blob img; |
| 1282 | Stmt ins; |
| 1283 | blob_init(&img, aLogoImg, szLogoImg); |
| 1284 | db_prepare(&ins, |
| 1285 | "REPLACE INTO config(name,value,mtime)" |
| 1286 | " VALUES('logo-image',:bytes,now())" |
| 1287 | ); |
| 1288 | db_bind_blob(&ins, ":bytes", &img); |
| @@ -1290,17 +1290,20 @@ | |
| 1290 | db_finalize(&ins); |
| 1291 | db_multi_exec( |
| 1292 | "REPLACE INTO config(name,value,mtime) VALUES('logo-mimetype',%Q,now())", |
| 1293 | zLogoMime |
| 1294 | ); |
| 1295 | db_end_transaction(0); |
| 1296 | cgi_redirect("setup_logo"); |
| 1297 | }else if( P("clrlogo")!=0 ){ |
| 1298 | db_multi_exec( |
| 1299 | "DELETE FROM config WHERE name IN " |
| 1300 | "('logo-image','logo-mimetype')" |
| 1301 | ); |
| 1302 | db_end_transaction(0); |
| 1303 | cgi_redirect("setup_logo"); |
| 1304 | }else if( P("setbg")!=0 && zBgMime && zBgMime[0] && szBgImg>0 ){ |
| 1305 | Blob img; |
| 1306 | Stmt ins; |
| @@ -1325,10 +1328,11 @@ | |
| 1325 | db_unprotect(PROTECT_CONFIG); |
| 1326 | db_multi_exec( |
| 1327 | "DELETE FROM config WHERE name IN " |
| 1328 | "('background-image','background-mimetype')" |
| 1329 | ); |
| 1330 | db_end_transaction(0); |
| 1331 | cgi_redirect("setup_logo"); |
| 1332 | }else if( P("seticon")!=0 && zIconMime && zIconMime[0] && szIconImg>0 ){ |
| 1333 | Blob img; |
| 1334 | Stmt ins; |
| @@ -1348,14 +1352,16 @@ | |
| 1348 | ); |
| 1349 | db_protect_pop(); |
| 1350 | db_end_transaction(0); |
| 1351 | cgi_redirect("setup_logo"); |
| 1352 | }else if( P("clricon")!=0 ){ |
| 1353 | db_multi_exec( |
| 1354 | "DELETE FROM config WHERE name IN " |
| 1355 | "('icon-image','icon-mimetype')" |
| 1356 | ); |
| 1357 | db_end_transaction(0); |
| 1358 | cgi_redirect("setup_logo"); |
| 1359 | } |
| 1360 | style_header("Edit Project Logo And Background"); |
| 1361 | @ <p>The current project logo has a MIME-Type of <b>%h(zLogoMime)</b> |
| @@ -1804,27 +1810,22 @@ | |
| 1804 | const char *zValue |
| 1805 | ){ |
| 1806 | if( !cgi_csrf_safe(1) ) return; |
| 1807 | if( zNewName[0]==0 || zValue[0]==0 ){ |
| 1808 | if( zOldName[0] ){ |
| 1809 | db_unprotect(PROTECT_CONFIG); |
| 1810 | blob_append_sql(pSql, |
| 1811 | "DELETE FROM config WHERE name='walias:%q';\n", |
| 1812 | zOldName); |
| 1813 | db_protect_pop(); |
| 1814 | } |
| 1815 | return; |
| 1816 | } |
| 1817 | if( zOldName[0]==0 ){ |
| 1818 | db_unprotect(PROTECT_CONFIG); |
| 1819 | blob_append_sql(pSql, |
| 1820 | "INSERT INTO config(name,value,mtime) VALUES('walias:%q',%Q,now());\n", |
| 1821 | zNewName, zValue); |
| 1822 | db_protect_pop(); |
| 1823 | return; |
| 1824 | } |
| 1825 | db_unprotect(PROTECT_CONFIG); |
| 1826 | if( strcmp(zOldName, zNewName)!=0 ){ |
| 1827 | blob_append_sql(pSql, |
| 1828 | "UPDATE config SET name='walias:%q', value=%Q, mtime=now()" |
| 1829 | " WHERE name='walias:%q';\n", |
| 1830 | zNewName, zValue, zOldName); |
| @@ -1832,11 +1833,10 @@ | |
| 1832 | blob_append_sql(pSql, |
| 1833 | "UPDATE config SET value=%Q, mtime=now()" |
| 1834 | " WHERE name='walias:%q' AND value<>%Q;\n", |
| 1835 | zValue, zOldName, zValue); |
| 1836 | } |
| 1837 | db_protect_pop(); |
| 1838 | } |
| 1839 | |
| 1840 | /* |
| 1841 | ** WEBPAGE: waliassetup |
| 1842 | ** |
| @@ -1874,11 +1874,13 @@ | |
| 1874 | sqlite3_snprintf(sizeof(zCnt), zCnt, "n%d", cnt); |
| 1875 | zNewName = PD(zCnt,""); |
| 1876 | sqlite3_snprintf(sizeof(zCnt), zCnt, "v%d", cnt); |
| 1877 | zValue = PD(zCnt,""); |
| 1878 | setup_update_url_alias(&sql, "", zNewName, zValue); |
| 1879 | db_multi_exec("%s", blob_sql_text(&sql)); |
| 1880 | blob_reset(&sql); |
| 1881 | blob_reset(&namelist); |
| 1882 | cnt = 0; |
| 1883 | } |
| 1884 | db_prepare(&q, |
| 1885 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -1272,17 +1272,17 @@ | |
| 1272 | if( !g.perm.Admin ){ |
| 1273 | login_needed(0); |
| 1274 | return; |
| 1275 | } |
| 1276 | db_begin_transaction(); |
| 1277 | if( !cgi_csrf_safe(1) ){ |
| 1278 | /* Allow no state changes if not safe from CSRF */ |
| 1279 | }else if( P("setlogo")!=0 && zLogoMime && zLogoMime[0] && szLogoImg>0 ){ |
| 1280 | Blob img; |
| 1281 | Stmt ins; |
| 1282 | blob_init(&img, aLogoImg, szLogoImg); |
| 1283 | db_unprotect(PROTECT_CONFIG); |
| 1284 | db_prepare(&ins, |
| 1285 | "REPLACE INTO config(name,value,mtime)" |
| 1286 | " VALUES('logo-image',:bytes,now())" |
| 1287 | ); |
| 1288 | db_bind_blob(&ins, ":bytes", &img); |
| @@ -1290,17 +1290,20 @@ | |
| 1290 | db_finalize(&ins); |
| 1291 | db_multi_exec( |
| 1292 | "REPLACE INTO config(name,value,mtime) VALUES('logo-mimetype',%Q,now())", |
| 1293 | zLogoMime |
| 1294 | ); |
| 1295 | db_protect_pop(); |
| 1296 | db_end_transaction(0); |
| 1297 | cgi_redirect("setup_logo"); |
| 1298 | }else if( P("clrlogo")!=0 ){ |
| 1299 | db_unprotect(PROTECT_CONFIG); |
| 1300 | db_multi_exec( |
| 1301 | "DELETE FROM config WHERE name IN " |
| 1302 | "('logo-image','logo-mimetype')" |
| 1303 | ); |
| 1304 | db_protect_pop(); |
| 1305 | db_end_transaction(0); |
| 1306 | cgi_redirect("setup_logo"); |
| 1307 | }else if( P("setbg")!=0 && zBgMime && zBgMime[0] && szBgImg>0 ){ |
| 1308 | Blob img; |
| 1309 | Stmt ins; |
| @@ -1325,10 +1328,11 @@ | |
| 1328 | db_unprotect(PROTECT_CONFIG); |
| 1329 | db_multi_exec( |
| 1330 | "DELETE FROM config WHERE name IN " |
| 1331 | "('background-image','background-mimetype')" |
| 1332 | ); |
| 1333 | db_protect_pop(); |
| 1334 | db_end_transaction(0); |
| 1335 | cgi_redirect("setup_logo"); |
| 1336 | }else if( P("seticon")!=0 && zIconMime && zIconMime[0] && szIconImg>0 ){ |
| 1337 | Blob img; |
| 1338 | Stmt ins; |
| @@ -1348,14 +1352,16 @@ | |
| 1352 | ); |
| 1353 | db_protect_pop(); |
| 1354 | db_end_transaction(0); |
| 1355 | cgi_redirect("setup_logo"); |
| 1356 | }else if( P("clricon")!=0 ){ |
| 1357 | db_unprotect(PROTECT_CONFIG); |
| 1358 | db_multi_exec( |
| 1359 | "DELETE FROM config WHERE name IN " |
| 1360 | "('icon-image','icon-mimetype')" |
| 1361 | ); |
| 1362 | db_protect_pop(); |
| 1363 | db_end_transaction(0); |
| 1364 | cgi_redirect("setup_logo"); |
| 1365 | } |
| 1366 | style_header("Edit Project Logo And Background"); |
| 1367 | @ <p>The current project logo has a MIME-Type of <b>%h(zLogoMime)</b> |
| @@ -1804,27 +1810,22 @@ | |
| 1810 | const char *zValue |
| 1811 | ){ |
| 1812 | if( !cgi_csrf_safe(1) ) return; |
| 1813 | if( zNewName[0]==0 || zValue[0]==0 ){ |
| 1814 | if( zOldName[0] ){ |
| 1815 | blob_append_sql(pSql, |
| 1816 | "DELETE FROM config WHERE name='walias:%q';\n", |
| 1817 | zOldName); |
| 1818 | } |
| 1819 | return; |
| 1820 | } |
| 1821 | if( zOldName[0]==0 ){ |
| 1822 | blob_append_sql(pSql, |
| 1823 | "INSERT INTO config(name,value,mtime) VALUES('walias:%q',%Q,now());\n", |
| 1824 | zNewName, zValue); |
| 1825 | return; |
| 1826 | } |
| 1827 | if( strcmp(zOldName, zNewName)!=0 ){ |
| 1828 | blob_append_sql(pSql, |
| 1829 | "UPDATE config SET name='walias:%q', value=%Q, mtime=now()" |
| 1830 | " WHERE name='walias:%q';\n", |
| 1831 | zNewName, zValue, zOldName); |
| @@ -1832,11 +1833,10 @@ | |
| 1833 | blob_append_sql(pSql, |
| 1834 | "UPDATE config SET value=%Q, mtime=now()" |
| 1835 | " WHERE name='walias:%q' AND value<>%Q;\n", |
| 1836 | zValue, zOldName, zValue); |
| 1837 | } |
| 1838 | } |
| 1839 | |
| 1840 | /* |
| 1841 | ** WEBPAGE: waliassetup |
| 1842 | ** |
| @@ -1874,11 +1874,13 @@ | |
| 1874 | sqlite3_snprintf(sizeof(zCnt), zCnt, "n%d", cnt); |
| 1875 | zNewName = PD(zCnt,""); |
| 1876 | sqlite3_snprintf(sizeof(zCnt), zCnt, "v%d", cnt); |
| 1877 | zValue = PD(zCnt,""); |
| 1878 | setup_update_url_alias(&sql, "", zNewName, zValue); |
| 1879 | db_unprotect(PROTECT_CONFIG); |
| 1880 | db_multi_exec("%s", blob_sql_text(&sql)); |
| 1881 | db_protect_pop(); |
| 1882 | blob_reset(&sql); |
| 1883 | blob_reset(&namelist); |
| 1884 | cnt = 0; |
| 1885 | } |
| 1886 | db_prepare(&q, |
| 1887 |