Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Spiders and robots are presented with a captcha if they request the annotation page. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
f8a2aa0ce7e372a25d8b9b4848800533 |
| User & Date: | drh 2013-08-25 02:11:46.879 |
Context
|
2013-08-25
| ||
| 14:53 | Added average event count per active time period to the /reports views. ... (check-in: 16f033dda3 user: stephan tags: trunk) | |
| 02:11 | Spiders and robots are presented with a captcha if they request the annotation page. ... (check-in: f8a2aa0ce7 user: drh tags: trunk) | |
|
2013-08-24
| ||
| 22:33 | Report all available CGI environment variables on the test_env page. ... (check-in: f9c2dec2ec user: drh tags: trunk) | |
Changes
Changes to src/attach.c.
| ︙ | ︙ | |||
335 336 337 338 339 340 341 |
}else{
@ <input type="hidden" name="page" value="%h(zPage)" />
}
@ <input type="hidden" name="from" value="%h(zFrom)" />
@ <input type="submit" name="ok" value="Add Attachment" />
@ <input type="submit" name="cancel" value="Cancel" />
@ </div>
| | | 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 |
}else{
@ <input type="hidden" name="page" value="%h(zPage)" />
}
@ <input type="hidden" name="from" value="%h(zFrom)" />
@ <input type="submit" name="ok" value="Add Attachment" />
@ <input type="submit" name="cancel" value="Cancel" />
@ </div>
captcha_generate(0);
@ </form>
style_footer();
}
/*
** WEBPAGE: ainfo
** URL: /ainfo?name=ARTIFACTID
|
| ︙ | ︙ |
Changes to src/captcha.c.
| ︙ | ︙ | |||
527 528 529 530 531 532 533 | /* ** Generate a captcha display together with the necessary hidden parameter ** for the seed and the entry box into which the user will type the text of ** the captcha. This is typically done at the very bottom of a form. ** ** This routine is a no-op if no captcha is required. */ | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 |
/*
** Generate a captcha display together with the necessary hidden parameter
** for the seed and the entry box into which the user will type the text of
** the captcha. This is typically done at the very bottom of a form.
**
** This routine is a no-op if no captcha is required.
*/
void captcha_generate(int showButton){
unsigned int uSeed;
const char *zDecoded;
char *zCaptcha;
if( !captcha_needed() ) return;
uSeed = captcha_seed();
zDecoded = captcha_decode(uSeed);
zCaptcha = captcha_render(zDecoded);
@ <div class="captcha"><table class="captcha"><tr><td><pre>
@ %h(zCaptcha)
@ </pre>
@ Enter security code shown above:
@ <input type="hidden" name="captchaseed" value="%u(uSeed)" />
@ <input type="text" name="captcha" size=8 />
if( showButton ){
@ <input type="submit" value="Submit">
}
@ </td></tr></table></div>
}
/*
** WEBPAGE: test-captcha
*/
void captcha_test(void){
const char *zPw = P("name");
if( zPw==0 || zPw[0]==0 ){
u64 x;
sqlite3_randomness(sizeof(x), &x);
zPw = mprintf("%016llx", x);
}
style_header("Captcha Test");
@ <pre>
@ %s(captcha_render(zPw))
@ </pre>
style_footer();
}
/*
** Check to see if the current request is coming from an agent that might
** be a spider. If the agent is not a spider, then return 0 without doing
** anything. But if the user agent appears to be a spider, offer
** a captcha challenge to allow the user agent to prove that it is human
** and return non-zero.
*/
int exclude_spiders(const char *zPage){
const char *zCookieValue;
char *zCookieName;
if( g.isHuman ) return 0;
#if 0
{
const char *zReferer = P("HTTP_REFERER");
if( zReferer && strncmp(g.zBaseURL, zReferer, strlen(g.zBaseURL))==0 ){
return 0;
}
}
#endif
zCookieName = mprintf("fossil-cc-%.10s", db_get("project-code","x"));
zCookieValue = P(zCookieName);
if( zCookieValue && atoi(zCookieValue)==1 ) return 0;
if( captcha_is_correct() ){
cgi_set_cookie(zCookieName, "1", login_cookie_path(), 8*3600);
return 0;
}
/* This appears to be a spider. Offer the captcha */
style_header("Verification");
form_begin(0, "%s", zPage);
cgi_query_parameters_to_hidden();
@ <p>Please demonstrate that you are human, not a spider or robot</p>
captcha_generate(1);
@ </form>
style_footer();
return 1;
}
|
Changes to src/cgi.c.
| ︙ | ︙ | |||
402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 |
static int nUsedQP = 0; /* Space actually used in aParamQP[] */
static int sortQP = 0; /* True if aParamQP[] needs sorting */
static int seqQP = 0; /* Sequence numbers */
static struct QParam { /* One entry for each query parameter or cookie */
const char *zName; /* Parameter or cookie name */
const char *zValue; /* Value of the query parameter or cookie */
int seq; /* Order of insertion */
} *aParamQP; /* An array of all parameters and cookies */
/*
** Add another query parameter or cookie to the parameter set.
** zName is the name of the query parameter or cookie and zValue
** is its fully decoded value.
**
** zName and zValue are not copied and must not change or be
** deallocated after this routine returns.
*/
| > | > | | | | 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 |
static int nUsedQP = 0; /* Space actually used in aParamQP[] */
static int sortQP = 0; /* True if aParamQP[] needs sorting */
static int seqQP = 0; /* Sequence numbers */
static struct QParam { /* One entry for each query parameter or cookie */
const char *zName; /* Parameter or cookie name */
const char *zValue; /* Value of the query parameter or cookie */
int seq; /* Order of insertion */
int isQP; /* True for query parameters */
} *aParamQP; /* An array of all parameters and cookies */
/*
** Add another query parameter or cookie to the parameter set.
** zName is the name of the query parameter or cookie and zValue
** is its fully decoded value.
**
** zName and zValue are not copied and must not change or be
** deallocated after this routine returns.
*/
void cgi_set_parameter_nocopy(const char *zName, const char *zValue, int isQP){
if( nAllocQP<=nUsedQP ){
nAllocQP = nAllocQP*2 + 10;
if( nAllocQP>1000 ){
/* Prevent a DOS service attack against the framework */
fossil_fatal("Too many query parameters");
}
aParamQP = fossil_realloc( aParamQP, nAllocQP*sizeof(aParamQP[0]) );
}
aParamQP[nUsedQP].zName = zName;
aParamQP[nUsedQP].zValue = zValue;
if( g.fHttpTrace ){
fprintf(stderr, "# cgi: %s = [%s]\n", zName, zValue);
}
aParamQP[nUsedQP].seq = seqQP++;
aParamQP[nUsedQP].isQP = isQP;
nUsedQP++;
sortQP = 1;
}
/*
** Add another query parameter or cookie to the parameter set.
** zName is the name of the query parameter or cookie and zValue
** is its fully decoded value.
**
** Copies are made of both the zName and zValue parameters.
*/
void cgi_set_parameter(const char *zName, const char *zValue){
cgi_set_parameter_nocopy(mprintf("%s",zName), mprintf("%s",zValue), 0);
}
/*
** Replace a parameter with a new value.
*/
void cgi_replace_parameter(const char *zName, const char *zValue){
int i;
for(i=0; i<nUsedQP; i++){
if( fossil_strcmp(aParamQP[i].zName,zName)==0 ){
aParamQP[i].zValue = zValue;
return;
}
}
cgi_set_parameter_nocopy(zName, zValue, 0);
}
/*
** Add a query parameter. The zName portion is fixed but a copy
** must be made of zValue.
*/
void cgi_setenv(const char *zName, const char *zValue){
cgi_set_parameter_nocopy(zName, mprintf("%s",zValue), 0);
}
/*
** Add a list of query parameters or cookies to the parameter set.
**
** Each parameter is of the form NAME=VALUE. Both the NAME and the
|
| ︙ | ︙ | |||
491 492 493 494 495 496 497 498 499 500 501 502 503 504 |
** before the NAME is ignored.
**
** The input string "z" is modified but no copies is made. "z"
** should not be deallocated or changed again after this routine
** returns or it will corrupt the parameter table.
*/
static void add_param_list(char *z, int terminator){
while( *z ){
char *zName;
char *zValue;
while( fossil_isspace(*z) ){ z++; }
zName = z;
while( *z && *z!='=' && *z!=terminator ){ z++; }
if( *z=='=' ){
| > | 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 |
** before the NAME is ignored.
**
** The input string "z" is modified but no copies is made. "z"
** should not be deallocated or changed again after this routine
** returns or it will corrupt the parameter table.
*/
static void add_param_list(char *z, int terminator){
int isQP = terminator=='&';
while( *z ){
char *zName;
char *zValue;
while( fossil_isspace(*z) ){ z++; }
zName = z;
while( *z && *z!='=' && *z!=terminator ){ z++; }
if( *z=='=' ){
|
| ︙ | ︙ | |||
512 513 514 515 516 517 518 |
}
dehttpize(zValue);
}else{
if( *z ){ *z++ = 0; }
zValue = "";
}
if( fossil_islower(zName[0]) ){
| | | 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 |
}
dehttpize(zValue);
}else{
if( *z ){ *z++ = 0; }
zValue = "";
}
if( fossil_islower(zName[0]) ){
cgi_set_parameter_nocopy(zName, zValue, isQP);
}
#ifdef FOSSIL_ENABLE_JSON
json_setenv( zName, cson_value_new_string(zValue,strlen(zValue)) );
#endif /* FOSSIL_ENABLE_JSON */
}
}
|
| ︙ | ︙ | |||
656 657 658 659 660 661 662 |
zBoundry = get_line_from_string(&z, &len);
if( zBoundry==0 ) return;
while( (zLine = get_line_from_string(&z, &len))!=0 ){
if( zLine[0]==0 ){
int nContent = 0;
zValue = get_bounded_content(&z, &len, zBoundry, &nContent);
if( zName && zValue && fossil_islower(zName[0]) ){
| | | | | | 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 |
zBoundry = get_line_from_string(&z, &len);
if( zBoundry==0 ) return;
while( (zLine = get_line_from_string(&z, &len))!=0 ){
if( zLine[0]==0 ){
int nContent = 0;
zValue = get_bounded_content(&z, &len, zBoundry, &nContent);
if( zName && zValue && fossil_islower(zName[0]) ){
cgi_set_parameter_nocopy(zName, zValue, 1);
if( showBytes ){
cgi_set_parameter_nocopy(mprintf("%s:bytes", zName),
mprintf("%d",nContent), 1);
}
}
zName = 0;
showBytes = 0;
}else{
nArg = tokenize_line(zLine, sizeof(azArg)/sizeof(azArg[0]), azArg);
for(i=0; i<nArg; i++){
int c = fossil_tolower(azArg[i][0]);
int n = strlen(azArg[i]);
if( c=='c' && sqlite3_strnicmp(azArg[i],"content-disposition:",n)==0 ){
i++;
}else if( c=='n' && sqlite3_strnicmp(azArg[i],"name=",n)==0 ){
zName = azArg[++i];
}else if( c=='f' && sqlite3_strnicmp(azArg[i],"filename=",n)==0 ){
char *z = azArg[++i];
if( zName && z && fossil_islower(zName[0]) ){
cgi_set_parameter_nocopy(mprintf("%s:filename",zName), z, 1);
}
showBytes = 1;
}else if( c=='c' && sqlite3_strnicmp(azArg[i],"content-type:",n)==0 ){
char *z = azArg[++i];
if( zName && z && fossil_islower(zName[0]) ){
cgi_set_parameter_nocopy(mprintf("%s:mimetype",zName), z, 1);
}
}
}
}
}
}
|
| ︙ | ︙ | |||
978 979 980 981 982 983 984 |
/* If no match is found and the name begins with an upper-case
** letter, then check to see if there is an environment variable
** with the given name.
*/
if( fossil_isupper(zName[0]) ){
const char *zValue = fossil_getenv(zName);
if( zValue ){
| | | 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 |
/* If no match is found and the name begins with an upper-case
** letter, then check to see if there is an environment variable
** with the given name.
*/
if( fossil_isupper(zName[0]) ){
const char *zValue = fossil_getenv(zName);
if( zValue ){
cgi_set_parameter_nocopy(zName, zValue, 0);
CGIDEBUG(("env-match [%s] = [%s]\n", zName, zValue));
return zValue;
}
}
CGIDEBUG(("no-match [%s]\n", zName));
return zDefault;
}
|
| ︙ | ︙ | |||
1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 |
if( !showAll ){
if( fossil_stricmp("HTTP_COOKIE",zName)==0 ) continue;
if( fossil_strnicmp("fossil-",zName,7)==0 ) continue;
}
cgi_printf("%h = %h <br />\n", zName, aParamQP[i].zValue);
}
}
/*
** This routine works like "printf" except that it has the
** extra formatting capabilities such as %h and %t.
*/
void cgi_printf(const char *zFormat, ...){
va_list ap;
| > > > > > > > > > > > > > > > | 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 |
if( !showAll ){
if( fossil_stricmp("HTTP_COOKIE",zName)==0 ) continue;
if( fossil_strnicmp("fossil-",zName,7)==0 ) continue;
}
cgi_printf("%h = %h <br />\n", zName, aParamQP[i].zValue);
}
}
/*
** Export all query parameters (but not cookies or environment variables)
** as hidden values of a form.
*/
void cgi_query_parameters_to_hidden(void){
int i;
const char *zN, *zV;
for(i=0; i<nUsedQP; i++){
if( aParamQP[i].isQP==0 ) continue;
zN = aParamQP[i].zName;
zV = aParamQP[i].zValue;
@ <input type="hidden" name="%h(zN)" value="%h(zV)">
}
}
/*
** This routine works like "printf" except that it has the
** extra formatting capabilities such as %h and %t.
*/
void cgi_printf(const char *zFormat, ...){
va_list ap;
|
| ︙ | ︙ |
Changes to src/diff.c.
| ︙ | ︙ | |||
2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 |
struct AnnVers *p;
unsigned clr1, clr2, clr;
/* Gather query parameters */
showLog = atoi(PD("log","1"));
login_check_credentials();
if( !g.perm.Read ){ login_needed(); return; }
mid = name_to_typed_rid(PD("checkin","0"),"ci");
zFilename = P("filename");
fnid = db_int(0, "SELECT fnid FROM filename WHERE name=%Q", zFilename);
if( mid==0 || fnid==0 ){ fossil_redirect_home(); }
iLimit = atoi(PD("limit","20"));
if( P("filevers") ) annFlags |= ANN_FILE_VERS;
if( !db_exists("SELECT 1 FROM mlink WHERE mid=%d AND fnid=%d",mid,fnid) ){
| > | 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 |
struct AnnVers *p;
unsigned clr1, clr2, clr;
/* Gather query parameters */
showLog = atoi(PD("log","1"));
login_check_credentials();
if( !g.perm.Read ){ login_needed(); return; }
if( exclude_spiders("annotate") ) return;
mid = name_to_typed_rid(PD("checkin","0"),"ci");
zFilename = P("filename");
fnid = db_int(0, "SELECT fnid FROM filename WHERE name=%Q", zFilename);
if( mid==0 || fnid==0 ){ fossil_redirect_home(); }
iLimit = atoi(PD("limit","20"));
if( P("filevers") ) annFlags |= ANN_FILE_VERS;
if( !db_exists("SELECT 1 FROM mlink WHERE mid=%d AND fnid=%d",mid,fnid) ){
|
| ︙ | ︙ |
Changes to src/login.c.
| ︙ | ︙ | |||
67 68 69 70 71 72 73 | /* ** Return a path appropriate for setting a cookie. ** ** The path is g.zTop for single-repo cookies. It is "/" for ** cookies of a login-group. */ | | | 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
/*
** Return a path appropriate for setting a cookie.
**
** The path is g.zTop for single-repo cookies. It is "/" for
** cookies of a login-group.
*/
const char *login_cookie_path(void){
if( login_group_name()==0 ){
return g.zTop;
}else{
return "/";
}
}
|
| ︙ | ︙ |
Changes to src/main.c.
| ︙ | ︙ | |||
1365 1366 1367 1368 1369 1370 1371 |
** handling below, and by disabling it in JSON mode I can remove
** lots of special-case handling in several JSON handlers.
*/
#ifdef FOSSIL_ENABLE_JSON
if(!g.json.isJsonMode){
#endif
dehttpize(g.zExtra);
| | | 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 |
** handling below, and by disabling it in JSON mode I can remove
** lots of special-case handling in several JSON handlers.
*/
#ifdef FOSSIL_ENABLE_JSON
if(!g.json.isJsonMode){
#endif
dehttpize(g.zExtra);
cgi_set_parameter_nocopy("name", g.zExtra, 1);
#ifdef FOSSIL_ENABLE_JSON
}
#endif
}
/* Locate the method specified by the path and execute the function
** that implements that method.
|
| ︙ | ︙ |
Changes to src/tkt.c.
| ︙ | ︙ | |||
674 675 676 677 678 679 680 |
Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd,
(void*)&zNewUuid, 0);
if( g.thTrace ) Th_Trace("BEGIN_TKTNEW_SCRIPT<br />\n", -1);
if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zNewUuid ){
cgi_redirect(mprintf("%s/tktview/%s", g.zTop, zNewUuid));
return;
}
| | | 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 |
Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd,
(void*)&zNewUuid, 0);
if( g.thTrace ) Th_Trace("BEGIN_TKTNEW_SCRIPT<br />\n", -1);
if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zNewUuid ){
cgi_redirect(mprintf("%s/tktview/%s", g.zTop, zNewUuid));
return;
}
captcha_generate(0);
@ </form>
if( g.thTrace ) Th_Trace("END_TKTVIEW<br />\n", -1);
style_footer();
}
/*
** WEBPAGE: tktedit
|
| ︙ | ︙ | |||
742 743 744 745 746 747 748 |
Th_CreateCommand(g.interp, "append_field", appendRemarkCmd, 0, 0);
Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd, (void*)&zName,0);
if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT_SCRIPT<br />\n", -1);
if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zName ){
cgi_redirect(mprintf("%s/tktview/%s", g.zTop, zName));
return;
}
| | | 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 |
Th_CreateCommand(g.interp, "append_field", appendRemarkCmd, 0, 0);
Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd, (void*)&zName,0);
if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT_SCRIPT<br />\n", -1);
if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zName ){
cgi_redirect(mprintf("%s/tktview/%s", g.zTop, zName));
return;
}
captcha_generate(0);
@ </form>
if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT<br />\n", -1);
style_footer();
}
/*
** Check the ticket table schema in zSchema to see if it appears to
|
| ︙ | ︙ |
Changes to src/wiki.c.
| ︙ | ︙ | |||
94 95 96 97 98 99 100 |
}
if( !g.perm.RdWiki ){
cgi_redirectf("%s/login?g=%s/home", g.zTop, g.zTop);
}
if( zPageName ){
login_check_credentials();
g.zExtra = zPageName;
| | | 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
}
if( !g.perm.RdWiki ){
cgi_redirectf("%s/login?g=%s/home", g.zTop, g.zTop);
}
if( zPageName ){
login_check_credentials();
g.zExtra = zPageName;
cgi_set_parameter_nocopy("name", g.zExtra, 1);
g.isHome = 1;
wiki_page();
return;
}
style_header("Home");
@ <p>This is a stub home-page for the project.
@ To fill in this page, first go to
|
| ︙ | ︙ | |||
491 492 493 494 495 496 497 |
}
login_insert_csrf_secret();
@ <input type="submit" name="submit" value="Apply These Changes" />
@ <input type="hidden" name="name" value="%h(zPageName)" />
@ <input type="submit" name="cancel" value="Cancel"
@ onclick='confirm("Abandon your changes?")' />
@ </div>
| | | 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 |
}
login_insert_csrf_secret();
@ <input type="submit" name="submit" value="Apply These Changes" />
@ <input type="hidden" name="name" value="%h(zPageName)" />
@ <input type="submit" name="cancel" value="Cancel"
@ onclick='confirm("Abandon your changes?")' />
@ </div>
captcha_generate(0);
@ </form>
manifest_destroy(pWiki);
blob_reset(&wiki);
style_footer();
}
/*
|
| ︙ | ︙ | |||
694 695 696 697 698 699 700 |
@ Comment to append (formatted as %s(zFormat)):<br />
@ <textarea name="r" class="wikiedit" cols="80"
@ rows="10" wrap="virtual">%h(PD("r",""))</textarea>
@ <br />
@ <input type="submit" name="preview" value="Preview Your Comment" />
@ <input type="submit" name="submit" value="Append Your Changes" />
@ <input type="submit" name="cancel" value="Cancel" />
| | | 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 |
@ Comment to append (formatted as %s(zFormat)):<br />
@ <textarea name="r" class="wikiedit" cols="80"
@ rows="10" wrap="virtual">%h(PD("r",""))</textarea>
@ <br />
@ <input type="submit" name="preview" value="Preview Your Comment" />
@ <input type="submit" name="submit" value="Append Your Changes" />
@ <input type="submit" name="cancel" value="Cancel" />
captcha_generate(0);
@ </form>
style_footer();
}
/*
** Name of the wiki history page being generated
*/
|
| ︙ | ︙ |