92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
|
#if INTERFACE
/*
** Shortcuts for cgi_parameter. P("x") returns the value of query parameter
** or cookie "x", or NULL if there is no such parameter or cookie. PD("x","y")
** does the same except "y" is returned in place of NULL if there is not match.
*/
#define P(x) cgi_parameter((x),0)
#define PD(x,y) cgi_parameter((x),(y))
#define PT(x) cgi_parameter_trimmed((x),0)
#define PDT(x,y) cgi_parameter_trimmed((x),(y))
#define PB(x) cgi_parameter_boolean(x)
#define PCK(x) cgi_parameter_checked(x,1)
#define PIF(x,y) cgi_parameter_checked(x,y)
#define P(x) cgi_parameter((x),0)
#define PD(x,y) cgi_parameter((x),(y))
#define PT(x) cgi_parameter_trimmed((x),0)
#define PDT(x,y) cgi_parameter_trimmed((x),(y))
#define PB(x) cgi_parameter_boolean(x)
#define PCK(x) cgi_parameter_checked(x,1)
#define PIF(x,y) cgi_parameter_checked(x,y)
#define P_NoSQL(x) cgi_parameter_nosql((x),0)
#define PD_NoSQL(x,y) cgi_parameter_nosql((x),(y))
/*
** Shortcut for the cgi_printf() routine. Instead of using the
**
** @ ...
**
** notation provided by the translate.c utility, you can also
|
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
|
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
|
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
|
CGIDEBUG(("env-match [%s] = [%s]\n", zName, zValue));
return zValue;
}
}
CGIDEBUG(("no-match [%s]\n", zName));
return zDefault;
}
/*
** Renders the "begone, spider" page and exits.
*/
static void cgi_begone_spider(void){
Blob content = empty_blob;
cgi_set_content(&content);
style_set_current_feature("test");
style_header("Spider Detected");
@ <h2>Begone, Spider!</h2>
@ <p>This page was generated because Fossil believes it has
@ detected a spider-based attack. If you believe you are seeing
@ this in error, please contact us on the forum: https://fossil-scm.org/forum
style_finish_page();
cgi_set_status(404,"Spider Detected");
cgi_reply();
exit(0);
}
/*
** If might_be_sql() returns true for the given string, calls
** cgi_begin_spider() and does not return, else this function has no
** side effects. The range of checks performed by this function may
** be extended in the future.
*/
void cgi_value_spider_check(const char *zTxt){
if( might_be_sql(zTxt) ){
cgi_begone_spider();
}
}
/*
** A variant of cgi_parameter() with the same semantics except that if
** cgi_parameter(zName,zDefault) returns a value other than zDefault
** then it passes that value to cgi_value_spider_check().
*/
const char *cgi_parameter_nosql(const char *zName, const char *zDefault){
const char *zTxt = cgi_parameter(zName, zDefault);
if( zTxt!=zDefault ){
cgi_value_spider_check(zTxt);
}
return zTxt;
}
/*
** Return the value of the first defined query parameter or cookie whose
** name appears in the list of arguments. Or if no parameter is found,
** return NULL.
*/
const char *cgi_coalesce(const char *zName, ...){
|