Overview
| Comment: | Enhance codecheck1.c to detect cases where style_header() is called with arguments that are not easily proven to be HTML-free. Fix multiple calls to style_header() to prove they are always HTML-free. |
|---|---|
| SHA3-256: |
2da41072ffefda46af03195e4098099d |
| User & Date: | drh 2025-03-07 15:56:57.629 |
Context
|
2025-03-07
| ||
| 16:30 | The codecheck1 utility makes a distinction between routines that need to generate HTML-free content and routines that generate content that is safe for any generic HTTP reply. Closed-Leaf check-in: cd9086c266 user: drh tags: enhanced-defenses | |
| 15:56 | Enhance codecheck1.c to detect cases where style_header() is called with arguments that are not easily proven to be HTML-free. Fix multiple calls to style_header() to prove they are always HTML-free. check-in: 2da41072ff user: drh tags: enhanced-defenses | |
|
2025-03-06
| ||
| 14:35 | Simplify www_print_timeline() so that it uses branch_of_rid() rather than computing the branch name for itself. check-in: 0150eda979 user: drh tags: trunk | |
Changes
Changes to src/branch.c.
| ︙ | ︙ | |||
942 943 944 945 946 947 948 |
showClosed = 0;
showAll = 1;
}
if( showAll ) brFlags = BRL_BOTH;
if( showClosed ) brFlags = BRL_CLOSED_ONLY;
style_set_current_feature("branch");
| | | 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 |
showClosed = 0;
showAll = 1;
}
if( showAll ) brFlags = BRL_BOTH;
if( showClosed ) brFlags = BRL_CLOSED_ONLY;
style_set_current_feature("branch");
style_header("%h", showClosed ? "Closed Branches" :
showAll ? "All Branches" : "Open Branches");
style_submenu_element("Timeline", "brtimeline");
if( showClosed ){
style_submenu_element("All", "brlist?all");
style_submenu_element("Open", "brlist?open");
}else if( showAll ){
style_submenu_element("Closed", "brlist?closed");
|
| ︙ | ︙ |
Changes to src/browse.c.
| ︙ | ︙ | |||
230 231 232 233 234 235 236 |
zRegexp = P("re");
if( zRegexp ){
zHeader = mprintf("%z matching \"%s\"", zHeader, zRegexp);
zMatch = mprintf(" matching \"%h\"", zRegexp);
}else{
zMatch = "";
}
| | | 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 |
zRegexp = P("re");
if( zRegexp ){
zHeader = mprintf("%z matching \"%s\"", zHeader, zRegexp);
zMatch = mprintf(" matching \"%h\"", zRegexp);
}else{
zMatch = "";
}
style_header("%h", zHeader);
fossil_free(zHeader);
style_adunit_config(ADUNIT_RIGHT_OK);
sqlite3_create_function(g.db, "pathelement", 2, SQLITE_UTF8, 0,
pathelementFunc, 0, 0);
url_initialize(&sURI, "dir");
cgi_check_for_malice();
cgi_query_parameters_to_url(&sURI);
|
| ︙ | ︙ | |||
793 794 795 796 797 798 799 |
}else{
if( zCI ){
zHeader = mprintf("Files in %s/ of %s", zD, zCI);
}else{
zHeader = mprintf("All Files in %s/", zD);
}
}
| | | 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 |
}else{
if( zCI ){
zHeader = mprintf("Files in %s/ of %s", zD, zCI);
}else{
zHeader = mprintf("All Files in %s/", zD);
}
}
style_header("%h", zHeader);
fossil_free(zHeader);
/* Compute the title of the page */
blob_zero(&dirname);
if( zD ){
blob_append(&dirname, "within directory ", -1);
hyperlinked_path(zD, &dirname, zCI, "tree", zREx, 0);
|
| ︙ | ︙ |
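Review bot: The `%s` in the mprintf() on L63 copies the user-supplied `zRegexp` (from `P("re")`, L61) into `zHeader` unescaped, and the new `style_header("%h", zHeader)` on L68 is now the only place that escapes it; nothing records that invariant. A comment at L63 would stop a later change from reusing `zHeader` with `%s`: `/* zHeader holds raw user text; the %h in style_header() below escapes it */`. The same pattern appears in the second hunk, where `zD` and `zCI` are formatted with `%s` into `zHeader` on L89/L91 before `style_header("%h", zHeader)` on L94. Both enclosing functions start above their hunks.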
Changes to src/dispatch.c.
| ︙ | ︙ | |||
836 837 838 839 840 841 842 |
if( zCmd==0 ) zCmd = P("name");
cgi_check_for_malice();
if( zCmd && *zCmd ){
int rc;
const CmdOrPage *pCmd = 0;
style_set_current_feature("tkt");
| | | 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 |
if( zCmd==0 ) zCmd = P("name");
cgi_check_for_malice();
if( zCmd && *zCmd ){
int rc;
const CmdOrPage *pCmd = 0;
style_set_current_feature("tkt");
style_header("Help: %h", zCmd);
style_submenu_element("Command-List", "%R/help");
if( search_restrict(SRCH_HELP)!=0 ){
style_submenu_element("Search","%R/search?y=h");
}
rc = dispatch_name_search(zCmd, CMDFLAG_ANY|CMDFLAG_PREFIX, &pCmd);
if( *zCmd=='/' ){
|
| ︙ | ︙ |
Changes to src/doc.c.
| ︙ | ︙ | |||
789 790 791 792 793 794 795 |
Blob title;
int isPopup = P("popup")!=0;
blob_init(&title,0,0);
if( fossil_strcmp(zMime, "text/x-fossil-wiki")==0 ){
Blob tail = BLOB_INITIALIZER;
style_adunit_config(ADUNIT_RIGHT_OK);
if( wiki_find_title(pBody, &title, &tail) ){
| | | | | | | | | | 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 |
Blob title;
int isPopup = P("popup")!=0;
blob_init(&title,0,0);
if( fossil_strcmp(zMime, "text/x-fossil-wiki")==0 ){
Blob tail = BLOB_INITIALIZER;
style_adunit_config(ADUNIT_RIGHT_OK);
if( wiki_find_title(pBody, &title, &tail) ){
if( !isPopup ) style_header("%h", blob_str(&title));
wiki_convert(&tail, 0, WIKI_BUTTONS);
}else{
if( !isPopup ) style_header("%h", zDefaultTitle);
wiki_convert(pBody, 0, WIKI_BUTTONS);
}
if( !isPopup ){
document_emit_js();
style_finish_page();
}
blob_reset(&tail);
}else if( fossil_strcmp(zMime, "text/x-markdown")==0 ){
Blob tail = BLOB_INITIALIZER;
markdown_to_html(pBody, &title, &tail);
if( !isPopup ){
if( blob_size(&title)>0 ){
style_header("%h", blob_str(&title));
}else{
style_header("%h", zDefaultTitle);
}
}
convert_href_and_output(&tail);
if( !isPopup ){
document_emit_js();
style_finish_page();
}
blob_reset(&tail);
}else if( fossil_strcmp(zMime, "text/plain")==0 ){
style_header("%h", zDefaultTitle);
@ <blockquote><pre>
@ %h(blob_str(pBody))
@ </pre></blockquote>
document_emit_js();
style_finish_page();
}else if( fossil_strcmp(zMime, "text/html")==0
&& doc_is_embedded_html(pBody, &title) ){
if( blob_size(&title)==0 ) blob_append(&title,zFilename,-1);
if( !isPopup ) style_header("%h", blob_str(&title));
convert_href_and_output(pBody);
if( !isPopup ){
document_emit_js();
style_finish_page();
}
}else if( fossil_strcmp(zMime, "text/x-pikchr")==0 ){
style_adunit_config(ADUNIT_RIGHT_OK);
if( !isPopup ) style_header("%h", zDefaultTitle);
wiki_render_by_mimetype(pBody, zMime);
if( !isPopup ) style_finish_page();
#ifdef FOSSIL_ENABLE_TH1_DOCS
}else if( Th_AreDocsEnabled() &&
fossil_strcmp(zMime, "application/x-th1")==0 ){
int raw = P("raw")!=0;
if( !raw ){
Blob tail;
blob_zero(&tail);
if( wiki_find_title(pBody, &title, &tail) ){
style_header("%h", blob_str(&title));
Th_Render(blob_str(&tail));
blob_reset(&tail);
}else{
style_header("%h", zFilename);
Th_Render(blob_str(pBody));
}
}else{
|
| ︙ | ︙ |
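Review bot: On the `text/html` branch the title handed to `style_header("%h", blob_str(&title))` on L183 comes from `doc_is_embedded_html(pBody, &title)`; if that helper returns the raw text of the document's `<title>` element, an entity such as `&amp;` in it is now escaped a second time and shows up literally in the page header. The same question applies to the title produced by `markdown_to_html()` on L159, which may already be rendered HTML. If either helper returns markup, the title needs to be decoded to plain text before it reaches `%h`; a comment stating which form `title` holds in each branch, e.g. `/* title is plain text (no markup); style_header() escapes it */`, would settle it. The enclosing function starts and ends outside the hunk.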
Changes to src/event.c.
| ︙ | ︙ | |||
150 151 152 153 154 155 156 |
if( blob_size(&title)==0 ){
blob_appendf(&title, "Tech-note %S", zId);
}
}else{
blob_appendf(&title, "Tech-note %S", zId);
tail = fullbody;
}
| | | 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 |
if( blob_size(&title)==0 ){
blob_appendf(&title, "Tech-note %S", zId);
}
}else{
blob_appendf(&title, "Tech-note %S", zId);
tail = fullbody;
}
style_header("%h", blob_str(&title));
if( g.perm.WrWiki && g.perm.Write && nextRid==0 ){
style_submenu_element("Edit", "%R/technoteedit?name=%!S", zId);
if( g.perm.Attach ){
style_submenu_element("Attach",
"%R/attachadd?technote=%!S&from=%R/technote/%!S", zId, zId);
}
}
|
| ︙ | ︙ |
Changes to src/finfo.c.
| ︙ | ︙ | |||
382 383 384 385 386 387 388 |
login_check_credentials();
if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
fnid = db_int(0, "SELECT fnid FROM filename WHERE name=%Q", zFilename);
ridCi = zCI ? name_to_rid_www("ci") : 0;
if( fnid==0 ){
style_header("No such file");
}else if( ridCi==0 ){
| | | | 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 |
login_check_credentials();
if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
fnid = db_int(0, "SELECT fnid FROM filename WHERE name=%Q", zFilename);
ridCi = zCI ? name_to_rid_www("ci") : 0;
if( fnid==0 ){
style_header("No such file");
}else if( ridCi==0 ){
style_header("All files named \"%h\"", zFilename);
}else{
style_header("History of %h of %h",zFilename, zCI);
}
login_anonymous_available();
tmFlags = timeline_ss_submenu();
if( tmFlags & TIMELINE_COLUMNAR ){
zStyle = "Columnar";
}else if( tmFlags & TIMELINE_COMPACT ){
zStyle = "Compact";
|
| ︙ | ︙ |
Changes to src/forum.c.
| ︙ | ︙ | |||
1207 1208 1209 1210 1211 1212 1213 |
" substr(event.comment,instr(event.comment,':')+2)"
" FROM forumpost, event"
" WHERE event.objid=forumpost.fpid"
" AND forumpost.fpid=%d;",
fpid
);
style_set_current_feature("forum");
| | | 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 |
" substr(event.comment,instr(event.comment,':')+2)"
" FROM forumpost, event"
" WHERE event.objid=forumpost.fpid"
" AND forumpost.fpid=%d;",
fpid
);
style_set_current_feature("forum");
style_header("%h%s", zThreadTitle, *zThreadTitle ? "" : "Forum");
fossil_free(zThreadTitle);
if( mode!=FD_CHRONO ){
style_submenu_element("Chronological", "%R/%s/%s?t=c%s%s", g.zPath, zName,
bUnf ? "&unf" : "", bHist ? "&hist" : "");
}
if( mode!=FD_HIER ){
style_submenu_element("Hierarchical", "%R/%s/%s?t=h%s%s", g.zPath, zName,
|
| ︙ | ︙ | |||
1932 1933 1934 1935 1936 1937 1938 |
srchFlags = search_restrict(SRCH_FORUM);
if( !g.perm.RdForum ){
login_needed(g.anon.RdForum);
return;
}
cgi_check_for_malice();
style_set_current_feature("forum");
| | | 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 |
srchFlags = search_restrict(SRCH_FORUM);
if( !g.perm.RdForum ){
login_needed(g.anon.RdForum);
return;
}
cgi_check_for_malice();
style_set_current_feature("forum");
style_header("%h%s", db_get("forum-title","Forum"),
isSearch ? " Search Results" : "");
style_submenu_element("Timeline", "%R/timeline?ss=v&y=f&vfx");
if( g.perm.WrForum ){
style_submenu_element("New Thread","%R/forumnew");
}else{
/* Can't combine this with previous case using the ternary operator
* because that causes an error yelling about "non-constant format"
|
| ︙ | ︙ |
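Review bot: The two new headers disagree on the fallback title: the thread page on L288 hard-codes `"Forum"` when `zThreadTitle` is empty, while the forum index on L314 uses the configurable `db_get("forum-title","Forum")`. If the setting is meant to apply to both pages, the thread header could be `style_header("%h%h", zThreadTitle, *zThreadTitle ? "" : db_get("forum-title","Forum"));` with `%h` rather than `%s` for the second argument, since a db_get() result is not a string literal and would be rejected by the new is_html_safe() check. Whether `zThreadTitle` can be NULL depends on the db_text() call that begins above the hunk; `*zThreadTitle` on L288 assumes it cannot.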
Changes to src/info.c.
| ︙ | ︙ | |||
2926 2927 2928 2929 2930 2931 2932 |
style_set_current_page("doc/tip/%T", zName);
}
}else if( descOnly ){
zHeader = mprintf("Artifact Description [%S]", zUuid);
}else{
zHeader = mprintf("Artifact [%S]", zUuid);
}
| | | 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 |
style_set_current_page("doc/tip/%T", zName);
}
}else if( descOnly ){
zHeader = mprintf("Artifact Description [%S]", zUuid);
}else{
zHeader = mprintf("Artifact [%S]", zUuid);
}
style_header("%h", zHeader);
fossil_free(zCIUuid);
fossil_free(zHeader);
if( !isFile && g.perm.Admin ){
Stmt q;
db_prepare(&q,
"SELECT coalesce(user.login,rcvfrom.uid),"
" datetime(rcvfrom.mtime,toLocal()),"
|
| ︙ | ︙ | |||
3701 3702 3703 3704 3705 3706 3707 |
if( zNewBrFlag[0] && zNewBranch[0] ) change_branch(rid,zNewBranch);
apply_newtags(&ctrl, rid, zUuid, 0, 0);
cgi_redirectf("%R/ci/%S", zUuid);
}
blob_zero(&comment);
blob_append(&comment, zNewComment, -1);
zUuid[10] = 0;
| | | 3701 3702 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 |
if( zNewBrFlag[0] && zNewBranch[0] ) change_branch(rid,zNewBranch);
apply_newtags(&ctrl, rid, zUuid, 0, 0);
cgi_redirectf("%R/ci/%S", zUuid);
}
blob_zero(&comment);
blob_append(&comment, zNewComment, -1);
zUuid[10] = 0;
style_header("Edit Check-in [%h]", zUuid);
if( P("preview") ){
Blob suffix;
int nTag = 0;
@ <b>Preview:</b>
@ <blockquote>
@ <table border=0>
if( zNewColorFlag[0] && zNewColor && zNewColor[0] ){
|
| ︙ | ︙ |
Changes to src/report.c.
| ︙ | ︙ | |||
1211 1212 1213 1214 1215 1216 1217 |
}
if( g.perm.TktFmt ){
style_submenu_element("SQL", "%R/rptsql/%d",rn);
}
if( g.perm.NewTkt ){
style_submenu_element("New Ticket", "%R/tktnew");
}
| | | 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 |
}
if( g.perm.TktFmt ){
style_submenu_element("SQL", "%R/rptsql/%d",rn);
}
if( g.perm.NewTkt ){
style_submenu_element("New Ticket", "%R/tktnew");
}
style_header("%h", zTitle);
}
if( zDesc && zDesc[0] && zMimetype ){
Blob src;
blob_init(&src, zDesc, -1);
wiki_render_by_mimetype(&src, zMimetype);
blob_reset(&src);
@ <br>
|
| ︙ | ︙ |
Changes to src/skins.c.
| ︙ | ︙ | |||
994 995 996 997 998 999 1000 |
if( P("revert")!=0 && cgi_csrf_safe(2) ){
zContent = zDflt;
isRevert = 1;
}
db_begin_transaction();
style_set_current_feature("skins");
| | | 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 |
if( P("revert")!=0 && cgi_csrf_safe(2) ){
zContent = zDflt;
isRevert = 1;
}
db_begin_transaction();
style_set_current_feature("skins");
style_header("%h", zTitle);
for(j=0; j<count(aSkinAttr); j++){
style_submenu_element(aSkinAttr[j].zSubmenu,
"%R/setup_skinedit?w=%d&basis=%h&sk=%d",j,zBasis,iSkin);
}
@ <form action="%R/setup_skinedit" method="post"><div>
login_insert_csrf_secret();
@ <input type='hidden' name='w' value='%d(ii)'>
|
| ︙ | ︙ |
Changes to src/th_main.c.
| ︙ | ︙ | |||
1538 1539 1540 1541 1542 1543 1544 |
const char **argv,
int *argl
){
if( argc!=2 ){
return Th_WrongNumArgs(interp, "styleHeader TITLE");
}
if( Th_IsRepositoryOpen() ){
| | | 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 |
const char **argv,
int *argl
){
if( argc!=2 ){
return Th_WrongNumArgs(interp, "styleHeader TITLE");
}
if( Th_IsRepositoryOpen() ){
style_header("%h", argv[1]);
Th_SetResult(interp, 0, 0);
return TH_OK;
}else{
Th_SetResult(interp, "repository unavailable", -1);
return TH_ERROR;
}
}
|
| ︙ | ︙ |
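Review bot: `style_header("%h", argv[1])` on L450 changes what TH1 scripts observe: a TITLE containing `<`, `>` or `&` is now HTML-escaped on the way to the page, whereas the removed line (not shown here) presumably passed it through. Skins that call `styleHeader` with pre-escaped or marked-up titles will render differently, so the TH1 documentation for `styleHeader` should say that TITLE is plain text, and a comment at the call would help: `/* TITLE is plain text; style_header() escapes it for HTML */`. Note also that `argl[1]` is not consulted, which is only correct if TH1 argument strings are always NUL-terminated. The handler's signature begins above the hunk.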
Changes to src/tkt.c.
| ︙ | ︙ | |||
1248 1249 1250 1251 1252 1253 1254 |
style_submenu_element("Status", "%R/info/%s", zUuid);
if( zType[0]=='c' ){
zTitle = mprintf("Check-ins Associated With Ticket %h", zUuid);
}else{
zTitle = mprintf("Timeline Of Ticket %h", zUuid);
}
style_set_current_feature("tkt");
| | > | 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 |
style_submenu_element("Status", "%R/info/%s", zUuid);
if( zType[0]=='c' ){
zTitle = mprintf("Check-ins Associated With Ticket %h", zUuid);
}else{
zTitle = mprintf("Timeline Of Ticket %h", zUuid);
}
style_set_current_feature("tkt");
style_header("%h", zTitle);
fossil_free(zTitle);
sqlite3_snprintf(6, zGlobPattern, "%s", zUuid);
canonical16(zGlobPattern, strlen(zGlobPattern));
tagid = db_int(0, "SELECT tagid FROM tag WHERE tagname GLOB 'tkt-%q*'",zUuid);
if( tagid==0 ){
@ No such ticket: %h(zUuid)
style_finish_page();
|
| ︙ | ︙ | |||
1304 1305 1306 1307 1308 1309 1310 |
style_submenu_element("Timeline", "%R/tkttimeline/%s", zUuid);
if( P("raw")!=0 ){
style_submenu_element("Decoded", "%R/tkthistory/%s", zUuid);
}else if( g.perm.Admin ){
style_submenu_element("Raw", "%R/tkthistory/%s?raw", zUuid);
}
style_set_current_feature("tkt");
| | > | 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 |
style_submenu_element("Timeline", "%R/tkttimeline/%s", zUuid);
if( P("raw")!=0 ){
style_submenu_element("Decoded", "%R/tkthistory/%s", zUuid);
}else if( g.perm.Admin ){
style_submenu_element("Raw", "%R/tkthistory/%s?raw", zUuid);
}
style_set_current_feature("tkt");
style_header("%h", zTitle);
fossil_free(zTitle);
tagid = db_int(0, "SELECT tagid FROM tag WHERE tagname GLOB 'tkt-%q*'",zUuid);
if( tagid==0 ){
@ No such ticket: %h(zUuid)
style_finish_page();
return;
}
|
| ︙ | ︙ |
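Review bot: In the first hunk `zTitle` is built with `%h` on L473/L475 and then passed through `%h` again by `style_header("%h", zTitle)` on L478, so a `<`, `>` or `&` in the ticket name is escaped twice and the header displays `&lt;` literally. Since style_header() now performs the escaping, the mprintf() calls should use `%s`: `zTitle = mprintf("Check-ins Associated With Ticket %s", zUuid);` and `zTitle = mprintf("Timeline Of Ticket %s", zUuid);`. The added `fossil_free(zTitle)` on L479 also fixes a leak of the mprintf() result. In the second hunk `zTitle` is built above the hunk, so the same double-escaping check should be made there.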
Changes to src/tktsetup.c.
| ︙ | ︙ | |||
132 133 134 135 136 137 138 |
}
isSubmit = P("submit")!=0;
z = P("x");
if( z==0 ){
z = db_get(zDbField, zDfltValue);
}
style_set_current_feature("tktsetup");
| | | 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 |
}
isSubmit = P("submit")!=0;
z = P("x");
if( z==0 ){
z = db_get(zDbField, zDfltValue);
}
style_set_current_feature("tktsetup");
style_header("Edit %h", zTitle);
if( P("clear")!=0 && cgi_csrf_safe(2) ){
db_unset(zDbField/*works-like:"x"*/, 0);
if( xRebuild ) xRebuild();
cgi_redirect("tktsetup");
}else if( isSubmit && cgi_csrf_safe(2) ){
char *zErr = 0;
if( xText && (zErr = xText(z))!=0 ){
|
| ︙ | ︙ |
Changes to src/wiki.c.
| ︙ | ︙ | |||
469 470 471 472 473 474 475 |
const char *zPageName, /* Name of the page */
const char *zExtra /* Extra prefix text on the page header */
){
style_set_current_feature("wiki");
if( eType==WIKITYPE_UNKNOWN ) eType = wiki_page_type(zPageName);
switch( eType ){
case WIKITYPE_NORMAL: {
| | | 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 |
const char *zPageName, /* Name of the page */
const char *zExtra /* Extra prefix text on the page header */
){
style_set_current_feature("wiki");
if( eType==WIKITYPE_UNKNOWN ) eType = wiki_page_type(zPageName);
switch( eType ){
case WIKITYPE_NORMAL: {
style_header("%h%h", zExtra, zPageName);
break;
}
case WIKITYPE_CHECKIN: {
zPageName += 8;
if( zExtra[0]==0 && !P("p") ){
cgi_redirectf("%R/info/%s",zPageName);
}else{
|
| ︙ | ︙ | |||
1716 1717 1718 1719 1720 1721 1722 |
if( !isSandbox && P("cancel")!=0 ){
manifest_destroy(pWiki);
cgi_redirectf("wiki?name=%T", zPageName);
return;
}
style_set_current_page("%T?name=%T", g.zPath, zPageName);
style_set_current_feature("wiki");
| | | 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 |
if( !isSandbox && P("cancel")!=0 ){
manifest_destroy(pWiki);
cgi_redirectf("wiki?name=%T", zPageName);
return;
}
style_set_current_page("%T?name=%T", g.zPath, zPageName);
style_set_current_feature("wiki");
style_header("Append Comment To: %h", zPageName);
if( !goodCaptcha ){
@ <p class="generalError">Error: Incorrect security code.</p>
}
if( isSandbox ){
@ <p class="generalError">Error: the Sandbox page may not
@ be appended to.</p>
}
|
| ︙ | ︙ | |||
1774 1775 1776 1777 1778 1779 1780 |
double rNow;
int showRid;
char zAuthor[64];
login_check_credentials();
if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; }
zPageName = PD("name","");
style_set_current_feature("wiki");
| | | 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 |
double rNow;
int showRid;
char zAuthor[64];
login_check_credentials();
if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; }
zPageName = PD("name","");
style_set_current_feature("wiki");
style_header("History Of %h", zPageName);
showRid = P("showid")!=0;
db_prepare(&q,
"SELECT"
" event.mtime,"
" blob.uuid,"
" coalesce(event.euser,event.user),"
" event.objid,"
|
| ︙ | ︙ | |||
1918 1919 1920 1921 1922 1923 1924 |
@ </h2>
}
nextRid = wiki_next(wiki_tagid(pW1->zWikiTitle),pW1->rDate);
if( nextRid ){
style_submenu_element("Next", "%R/wdiff?rid=%d", nextRid);
}
style_set_current_feature("wiki");
| | | 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 |
@ </h2>
}
nextRid = wiki_next(wiki_tagid(pW1->zWikiTitle),pW1->rDate);
if( nextRid ){
style_submenu_element("Next", "%R/wdiff?rid=%d", nextRid);
}
style_set_current_feature("wiki");
style_header("Changes To %h", pW1->zWikiTitle);
blob_zero(&d);
construct_diff_flags(1, &DCfg);
DCfg.diffFlags |= DIFF_HTML | DIFF_LINENO;
text_diff(&w2, &w1, &d, &DCfg);
@ %s(blob_str(&d))
manifest_destroy(pW1);
manifest_destroy(pW2);
|
| ︙ | ︙ |
Changes to src/xfersetup.c.
| ︙ | ︙ | |||
115 116 117 118 119 120 121 |
}
isSubmit = P("submit")!=0;
z = P("x");
if( z==0 ){
z = db_get(zDbField, zDfltValue);
}
style_set_current_feature("xfersetup");
| | | 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
}
isSubmit = P("submit")!=0;
z = P("x");
if( z==0 ){
z = db_get(zDbField, zDfltValue);
}
style_set_current_feature("xfersetup");
style_header("Edit %h", zTitle);
if( P("clear")!=0 && cgi_csrf_safe(2) ){
db_unset(zDbField/*works-like:"x"*/, 0);
if( xRebuild ) xRebuild();
z = zDfltValue;
}else if( isSubmit && cgi_csrf_safe(2) ){
char *zErr = 0;
if( xText && (zErr = xText(z))!=0 ){
|
| ︙ | ︙ |
Changes to src/zip.c.
| ︙ | ︙ | |||
988 989 990 991 992 993 994 |
if( zInclude ) blob_appendf(&cacheKey, ",in=%Q", zInclude);
if( zExclude ) blob_appendf(&cacheKey, ",ex=%Q", zExclude);
zKey = blob_str(&cacheKey);
etag_check(ETAG_HASH, zKey);
style_set_current_feature("zip");
if( P("debug")!=0 ){
| | | | 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 |
if( zInclude ) blob_appendf(&cacheKey, ",in=%Q", zInclude);
if( zExclude ) blob_appendf(&cacheKey, ",ex=%Q", zExclude);
zKey = blob_str(&cacheKey);
etag_check(ETAG_HASH, zKey);
style_set_current_feature("zip");
if( P("debug")!=0 ){
style_header("%h Archive Generator Debug Screen", zType);
@ zName = "%h(zName)"<br>
@ rid = %d(rid)<br>
if( zInclude ){
@ zInclude = "%h(zInclude)"<br>
}
if( zExclude ){
@ zExclude = "%h(zExclude)"<br>
}
@ zKey = "%h(zKey)"
style_finish_page();
return;
}
if( referred_from_login() ){
style_header("%h Archive Download", zType);
@ <form action='%R/%s(g.zPath)/%h(zName).%s(g.zPath)'>
cgi_query_parameters_to_hidden();
@ <p>%s(zType) Archive named <b>%h(zName).%s(g.zPath)</b>
@ holding the content of check-in <b>%h(zRid)</b>:
@ <input type="submit" value="Download">
@ </form>
style_finish_page();
|
| ︙ | ︙ |
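Review bot: The header on L706 now emits `zType` with `%h`, but the body on L709 still prints it with `%s(zType)` three lines later. Both are fine only if `zType` is always an internal literal (it is assigned above the hunk), and the mismatch is exactly the gap left by marking `cgi_printf` as `FMT_FIXME` in tools/codecheck1.c, where `@` lines are not yet checked for HTML safety. For consistency use `@ <p>%h(zType) Archive named <b>%h(zName).%s(g.zPath)</b>`. The enclosing function starts above the hunk.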
Changes to tools/codecheck1.c.
| ︙ | ︙ | |||
323 324 325 326 327 328 329 330 331 332 333 334 335 336 |
/* If the "safe-for-%s" comment appears in the argument, then
** let it through */
if( strstr(z, "/*safe-for-%s*/")!=0 ) return 1;
return 0;
}
/*
** Return true if the input is an argument that is never safe for use
** with %s.
*/
static int never_safe(const char *z){
if( strstr(z,"/*safe-for-%s*/")!=0 ) return 0;
if( z[0]=='P' ){
| > > > > > > > > > > > > > > > > > > > > | 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 |
/* If the "safe-for-%s" comment appears in the argument, then
** let it through */
if( strstr(z, "/*safe-for-%s*/")!=0 ) return 1;
return 0;
}
/*
** Return true if the input is an argument that is safe to use with %s
** while building HTML output.
*/
static int is_html_safe(const char *z){
/* A string literal is safe for use with %s */
if( is_string_lit(z) ) return 1;
/* Expressions of the form: EXPR ? "..." : "...." can count as
** a string literal. */
if( is_string_expr(z) ) return 1;
/* If the "safe-for-%s" comment appears in the argument, then
** let it through */
if( strstr(z, "/*safe-for-%s*/")!=0 ) return 1;
return 0;
}
/*
** Return true if the input is an argument that is never safe for use
** with %s.
*/
static int never_safe(const char *z){
if( strstr(z,"/*safe-for-%s*/")!=0 ) return 0;
if( z[0]=='P' ){
|
| ︙ | ︙ | |||
346 347 348 349 350 351 352 353 354 355 356 357 358 359 | ** Processing flags */ #define FMT_SQL 0x00001 /* Generator for SQL text */ #define FMT_HTML 0x00002 /* Generator for HTML text */ #define FMT_URL 0x00004 /* Generator for URLs */ #define FMT_JSON 0x00008 /* Generator for JSON */ #define FMT_SAFE 0x00010 /* Generator for human-readable text */ #define FMT_LIT 0x00020 /* Just verify that a string literal */ #define FMT_PX 0x00040 /* Must have a literal prefix in format string */ /* ** A list of internal Fossil interfaces that take a printf-style format ** string. */ | > | 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 | ** Processing flags */ #define FMT_SQL 0x00001 /* Generator for SQL text */ #define FMT_HTML 0x00002 /* Generator for HTML text */ #define FMT_URL 0x00004 /* Generator for URLs */ #define FMT_JSON 0x00008 /* Generator for JSON */ #define FMT_SAFE 0x00010 /* Generator for human-readable text */ #define FMT_FIXME FMT_SAFE #define FMT_LIT 0x00020 /* Just verify that a string literal */ #define FMT_PX 0x00040 /* Must have a literal prefix in format string */ /* ** A list of internal Fossil interfaces that take a printf-style format ** string. */ |
| ︙ | ︙ | |||
367 368 369 370 371 372 373 |
{ "audit_append", 3, FMT_SAFE },
{ "backofficeTrace", 1, FMT_SAFE },
{ "backoffice_log", 1, FMT_SAFE },
{ "blob_append_sql", 2, FMT_SQL },
{ "blob_appendf", 2, FMT_SAFE },
{ "cgi_debug", 1, FMT_SAFE },
{ "cgi_panic", 1, FMT_SAFE },
| | | | | 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 |
{ "audit_append", 3, FMT_SAFE },
{ "backofficeTrace", 1, FMT_SAFE },
{ "backoffice_log", 1, FMT_SAFE },
{ "blob_append_sql", 2, FMT_SQL },
{ "blob_appendf", 2, FMT_SAFE },
{ "cgi_debug", 1, FMT_SAFE },
{ "cgi_panic", 1, FMT_SAFE },
{ "cgi_printf", 1, FMT_FIXME },
{ "cgi_printf_header", 1, FMT_FIXME },
{ "cgi_redirectf", 1, FMT_URL },
{ "chref", 2, FMT_URL },
{ "CX", 1, FMT_FIXME },
{ "db_blob", 2, FMT_SQL },
{ "db_debug", 1, FMT_SQL },
{ "db_double", 2, FMT_SQL },
{ "db_err", 1, FMT_SAFE },
{ "db_exists", 1, FMT_SQL },
{ "db_get_mprintf", 2, FMT_SAFE },
{ "db_int", 2, FMT_SQL },
|
| ︙ | ︙ | |||
607 608 609 610 611 612 613 614 615 616 617 618 619 620 |
zFilename, lnFCall, i+fmtArg, szFName, zFCall);
nErr++;
}else if( (fmtFlags & FMT_SQL)!=0 && !is_sql_safe(zExpr) ){
printf("%s:%d: Argument %d to %.*s() not safe for SQL\n",
zFilename, lnFCall, i+fmtArg, szFName, zFCall);
nErr++;
}
}
}
}
}
if( nErr ){
for(i=0; i<nArg; i++){
| > > > > | 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 |
zFilename, lnFCall, i+fmtArg, szFName, zFCall);
nErr++;
}else if( (fmtFlags & FMT_SQL)!=0 && !is_sql_safe(zExpr) ){
printf("%s:%d: Argument %d to %.*s() not safe for SQL\n",
zFilename, lnFCall, i+fmtArg, szFName, zFCall);
nErr++;
}else if( (fmtFlags & FMT_HTML)!=0 && !is_html_safe(zExpr) ){
printf("%s:%d: Argument %d to %.*s() not safe for HTML\n",
zFilename, lnFCall, i+fmtArg, szFName, zFCall);
nErr++;
}
}
}
}
}
if( nErr ){
for(i=0; i<nArg; i++){
|
| ︙ | ︙ | |||
660 661 662 663 664 665 666 667 668 669 670 671 672 673 |
if( z[0]=='{' ){
nCurly++;
}else if( z[0]=='}' ){
nCurly--;
}else if( nCurly>0 && z[0]=='(' && ePrev==TK_ID
&& (x = isFormatFunc(zPrev,szPrev,&fmtFlags))>0 ){
nErr += checkFormatFunc(zName, zPrev, lnPrev, x, fmtFlags);
}
}
zPrev = z;
ePrev = eToken;
szPrev = szToken;
lnPrev = ln;
}
| > > | 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 |
if( z[0]=='{' ){
nCurly++;
}else if( z[0]=='}' ){
nCurly--;
}else if( nCurly>0 && z[0]=='(' && ePrev==TK_ID
&& (x = isFormatFunc(zPrev,szPrev,&fmtFlags))>0 ){
nErr += checkFormatFunc(zName, zPrev, lnPrev, x, fmtFlags);
}else if( eVerbose>=3 ){
printf("TOKEN: [%.*s]\n", szToken, z);
}
}
zPrev = z;
ePrev = eToken;
szPrev = szToken;
lnPrev = ln;
}
|
| ︙ | ︙ |