962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
|
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
|
-
+
|
** are ignored.
**
** * it is impossible for a cookie or query parameter to
** override the value of an environment variable since
** environment variables always have uppercase names.
**
** 2018-03-29: Also ignore the entry if NAME that contains any characters
** other than [a-zA-Z0-9_]. There are no known exploits involving unusual
** other than [-a-zA-Z0-9_]. There are no known exploits involving unusual
** names that contain characters outside that set, but it never hurts to
** be extra cautious when sanitizing inputs.
**
** Parameters are separated by the "terminator" character. Whitespace
** before the NAME is ignored.
**
** The input string "z" is modified but no copies is made. "z"
|
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
|
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
|
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
|
fputs(z, pLog);
}
/* Forward declaration */
static NORETURN void malformed_request(const char *zMsg, ...);
/*
** Checks the QUERY_STRING environment variable, sets it up
** via add_param_list() and, if found, applies its "skin"
** setting. Returns 0 if no QUERY_STRING is set, 1 if it is,
** and 2 if it sets the skin (in which case the cookie may
** still need flushing by the page, via cookie_render()).
** Checks the QUERY_STRING environment variable, sets it up via
** add_param_list() and, if found, applies its "skin" setting. Returns
** 0 if no QUERY_STRING is set, else it returns a bitmask of:
**
** 0x01 = QUERY_STRING was set.
** 0x02 = "skin" argument was set and processed
** 0x04 = "x-f-x-l" arg was processed.
**
* In the case of the skin, the cookie may still need flushing
** by the page, via cookie_render().
*/
int cgi_setup_query_string(void){
int rc = 0;
char * z = (char*)P("QUERY_STRING");
if( z ){
++rc;
rc = 0x01;
z = fossil_strdup(z);
add_param_list(z, '&');
z = (char*)P("skin");
if( z ){
char *zErr = skin_use_alternative(z, 2, SKIN_FROM_QPARAM);
++rc;
rc |= 0x02;
if( !zErr && P("once")==0 ){
cookie_write_parameter("skin","skin",z);
/* Per /chat discussion, passing ?skin=... without "once"
** implies the "udc" argument, so we force that into the
** environment here. */
cgi_set_parameter_nocopy("udc", "1", 1);
}
fossil_free(zErr);
}
if( !g.syncInfo.zLoginCard && 0!=(z=(char*)P("x-f-x-l")) ){
/* CGI fossil instances do not read the HTTP headers, so
** they cannot see the X-Fossil-Xfer-Login card. As a consolation
** to them, we'll accept that via this query argument. */
rc |= 0x04;
fossil_free( g.syncInfo.zLoginCard );
g.syncInfo.zLoginCard = fossil_strdup(z);
g.syncInfo.bLoginCardHeader = 3;
/*cgi_delete_parameter("x-f-x-l");*/
/*fprintf(stderr, "query string setup: x-f-x-l=%s\n",
g.syncInfo.zLoginCard);*/
}
}
return rc;
}
/*
** Initialize the query parameter database. Information is pulled from
|
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
|
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
|
+
|
int x2 = 0;
if( sscanf(zVal,"bytes=%d-%d",&x1,&x2)==2 && x1>=0 && x1<=x2 ){
rangeStart = x1;
rangeEnd = x2+1;
}
}else if( fossil_strcmp(zFieldName, "x-fossil-xfer-login:")==0 ){
/*cgi_setenv("FOSSIL_LCH_cgi_handle_http_request", zVal);*/
fossil_free( g.syncInfo.zLoginCard );
g.syncInfo.zLoginCard = fossil_strdup(zVal);
g.syncInfo.bLoginCardHeader = 1;
}
}
cgi_setenv("REQUEST_SCHEME",zScheme);
cgi_init();
cgi_trace(0);
|
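Review bot: In the new `x-f-x-l` branch of cgi_setup_query_string(), the login card is read from the URL query string, which is the part of a request most likely to be retained in web-server and proxy access logs, and the value also stays in the parameter table because `cgi_delete_parameter("x-f-x-l");` is left commented out. I would enable that call once the value has been duplicated and add a comment such as `/* The login card arrives in the URL here: keep it out of logs and out of any later parameter dump */`, assuming nothing later in the request still reads the parameter, which this page does not show. The `fossil_free( g.syncInfo.zLoginCard );` in the same branch is a no-op because the guard already requires the pointer to be NULL, and the literal `3` assigned to `bLoginCardHeader` deserves a short comment or a named constant alongside the `1` used on the header path. Separately, the return value changes from a 0/1/2 count to a bitmask, so any caller outside this page that tests for `2` or `>1` to detect the skin case should be checked against a result such as `0x05`.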