Fossil

Check-in [e09df6ea47]
Login
Home Timeline Docs Forum Download

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Slight revision to [be5d83f93ac66f65] to allow "_" in parameter names.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: e09df6ea475cd8543be7303dbd246c8db3bfbf69bfbca9f508b980d146862288
User & Date: drh 2018-03-29 15:20:21.176
Context
2018-03-29
15:24
Extra comment describing the previous change. ... (check-in: 6c02983d0a user: drh tags: trunk)
15:20
Slight revision to [be5d83f93ac66f65] to allow "_" in parameter names. ... (check-in: e09df6ea47 user: drh tags: trunk)
15:16
New security feature: Reject any query parameter, POST parameter, or cookie whose name contains a non-alphanumeric character. No know vulnerabilities exist because of this. I'm just be paranoid. This enhancement is inspired by Drupalgeddon2. ... (check-in: be5d83f93a user: drh tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/blob.c. 
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

int fossil_isalnum(char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9');
}

/* Return true if and only if the entire string consists of only
** alphanumeric characters.
*/
int fossil_all_alnum(const char *z){
  while( z && fossil_isalnum(z[0]) ) z++;
  return z[0]==0;
}


/*
** COMMAND: test-isspace
**








|
|








116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

int fossil_isalnum(char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9');
}

/* Return true if and only if the entire string consists of only
** alphanumeric characters.
*/
int fossil_no_strange_characters(const char *z){
  while( z && (fossil_isalnum(z[0]) || z[0]=='_') ) z++;
  return z[0]==0;
}


/*
** COMMAND: test-isspace
**
Changes to src/cgi.c. 
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597

        z++;
      }
      dehttpize(zValue);
    }else{
      if( *z ){ *z++ = 0; }
      zValue = "";
    }
    if( fossil_islower(zName[0]) && fossil_all_alnum(zName+1) ){
      cgi_set_parameter_nocopy(zName, zValue, isQP);
    }
#ifdef FOSSIL_ENABLE_JSON
    json_setenv( zName, cson_value_new_string(zValue,strlen(zValue)) );
#endif /* FOSSIL_ENABLE_JSON */
  }
}








|








583
584
585
586
587
588
589
590
591
592
593
594
595
596
597

        z++;
      }
      dehttpize(zValue);
    }else{
      if( *z ){ *z++ = 0; }
      zValue = "";
    }
    if( fossil_islower(zName[0]) && fossil_no_strange_characters(zName+1) ){
      cgi_set_parameter_nocopy(zName, zValue, isQP);
    }
#ifdef FOSSIL_ENABLE_JSON
    json_setenv( zName, cson_value_new_string(zValue,strlen(zValue)) );
#endif /* FOSSIL_ENABLE_JSON */
  }
}
This page was generated in about 0.023s by Fossil 2.26 [1205ec86cb] 2025-04-30 16:57:32