|
|
| version 1.139, 2005/11/22 11:21:35 | version 1.145, 2006/10/31 17:16:10 |
|---|---|
| Line 199 static void _load(Request& r, MethodPara | Line 199 static void _load(Request& r, MethodPara |
| VFile& self=GET_SELF(r, VFile); | VFile& self=GET_SELF(r, VFile); |
| self.set(true/*tainted*/, file.str, file.length, user_file_name, vcontent_type); | self.set(true/*tainted*/, file.str, file.length, user_file_name, vcontent_type); |
| if(file.headers) | if(file.headers) |
| file.headers->for_each(_load_pass_param, &self.fields()); | file.headers->for_each<HashStringValue*>(_load_pass_param, &self.fields()); |
| } | } |
| static void _create(Request& r, MethodParams& params) { | static void _create(Request& r, MethodParams& params) { |
| Line 259 static bool is_safe_env_key(const char* | Line 259 static bool is_safe_env_key(const char* |
| } | } |
| #ifndef DOXYGEN | #ifndef DOXYGEN |
| struct Append_env_pair_info { | struct Append_env_pair_info { |
| Request_charsets* charsets; | |
| HashStringString* env; | HashStringString* env; |
| Value* vstdin; | Value* vstdin; |
| Value* vcharset; | |
| }; | }; |
| #endif | #endif |
| static void append_env_pair( | static void append_env_pair( |
| Line 271 static void append_env_pair( | Line 271 static void append_env_pair( |
| if(akey==STDIN_EXEC_PARAM_NAME) { | if(akey==STDIN_EXEC_PARAM_NAME) { |
| info->vstdin=avalue; | info->vstdin=avalue; |
| } else if(akey==CHARSET_EXEC_PARAM_NAME) { | } else if(akey==CHARSET_EXEC_PARAM_NAME) { |
| info->vcharset=avalue; | // ignore, already processed |
| } else { | } else { |
| if(!is_safe_env_key(akey.cstr())) | if(!is_safe_env_key(akey.cstr())) |
| throw Exception("parser.runtime", | throw Exception("parser.runtime", |
| new String(akey, String::L_TAINTED), | new String(akey, String::L_TAINTED), |
| "not safe environment variable"); | "not safe environment variable"); |
| info->env->put(akey, avalue->as_string().cstr_to_string_body(String::L_UNSPECIFIED)); | info->env->put(akey, avalue->as_string().cstr_to_string_body(String::L_UNSPECIFIED, 0, info->charsets)); |
| } | } |
| } | } |
| #ifndef DOXYGEN | #ifndef DOXYGEN |
| Line 348 static void _exec_cgi(Request& r, Method | Line 348 static void _exec_cgi(Request& r, Method |
| if(params.count()>1) { | if(params.count()>1) { |
| Value& venv=params.as_no_junction(1, "env must not be code"); | Value& venv=params.as_no_junction(1, "env must not be code"); |
| if(HashStringValue* user_env=venv.get_hash()) { | if(HashStringValue* user_env=venv.get_hash()) { |
| Append_env_pair_info info={&env, 0, 0}; | // $.charset [previewing to handle URI pieces] |
| user_env->for_each(append_env_pair, &info); | if(Value* vcharset=user_env->get(CHARSET_EXEC_PARAM_NAME)) |
| charset=&charsets.get(vcharset->as_string() | |
| .change_case(r.charsets.source(), String::CC_UPPER)); | |
| // $.others | |
| Append_env_pair_info info={&r.charsets, &env, 0}; | |
| { | |
| // influence tainting | |
| // main target -- $.QUERY_STRING -- URLencoding of tainted pieces to String::L_URI lang | |
| Temp_client_charset temp(r.charsets, charset? *charset: r.charsets.source()); | |
| user_env->for_each<Append_env_pair_info*>(append_env_pair, &info); | |
| } | |
| // $.stdin | // $.stdin |
| if(info.vstdin) { | if(info.vstdin) { |
| stdin_specified=true; | stdin_specified=true; |
| Line 363 static void _exec_cgi(Request& r, Method | Line 374 static void _exec_cgi(Request& r, Method |
| 0, | 0, |
| STDIN_EXEC_PARAM_NAME " parameter must be string or file"); | STDIN_EXEC_PARAM_NAME " parameter must be string or file"); |
| } | } |
| // $.charset | |
| if(info.vcharset) | |
| charset=&charsets.get(info.vcharset->as_string() | |
| .change_case(r.charsets.source(), String::CC_UPPER)); | |
| } | } |
| } | } |
| // argv from params | // argv from params |
| ArrayString argv; | ArrayString argv; |
| if(params.count()>2) { | if(params.count()>2) { |
| for(size_t i=2; i<params.count(); i++) | // influence tainting |
| argv+=¶ms.as_string(i, "parameter must be string"); | // main target -- URLencoding of tainted pieces to String::L_URI lang |
| Temp_client_charset temp(r.charsets, charset? *charset: r.charsets.source()); | |
| for(size_t i=2; i<params.count(); i++) { | |
| const String& param=params.as_string(i, "parameter must be string"); | |
| if(param.length() > 0) { | |
| argv+=new String(param.cstr_to_string_body(String::L_UNSPECIFIED, 0, &r.charsets), String::L_AS_IS); | |
| } | |
| } | |
| } | } |
| // transcode if necessary | // transcode if necessary |
| Line 588 static void _find(Request& r, MethodPara | Line 602 static void _find(Request& r, MethodPara |
| file_spec=&r.relative(r.request_info.uri, file_name); | file_spec=&r.relative(r.request_info.uri, file_name); |
| // easy way | // easy way |
| if(file_readable(r.absolute(*file_spec))) { | if(file_exist(r.absolute(*file_spec))) { |
| r.write_assign_lang(*file_spec); | r.write_assign_lang(*file_spec); |
| return; | return; |
| } | } |
| Line 603 static void _find(Request& r, MethodPara | Line 617 static void _find(Request& r, MethodPara |
| String test_name; | String test_name; |
| test_name<<*(dirname=&dirname->mid(0, after_monkey_slash)); | test_name<<*(dirname=&dirname->mid(0, after_monkey_slash)); |
| test_name<<basename; | test_name<<basename; |
| if(file_readable(r.absolute(test_name))) { | if(file_exist(r.absolute(test_name))) { |
| r.write_assign_lang(test_name); | r.write_assign_lang(test_name); |
| return; | return; |
| } | } |
| Line 779 static void _sql(Request& r, MethodParam | Line 793 static void _sql(Request& r, MethodParam |
| VFile& self=GET_SELF(r, VFile); | VFile& self=GET_SELF(r, VFile); |
| self.set(true/*tainted*/, handlers.value.str, handlers.value.length, user_file_name_cstr, vcontent_type); | self.set(true/*tainted*/, handlers.value.str, handlers.value.length, user_file_name_cstr, vcontent_type); |
| } | } |
| /* | |
| static void _base64(Request& r, MethodParams& params) { | static void _base64(Request& r, MethodParams& params) { |
| VFile& self=GET_SELF(r, VFile); | |
| if(params.count()) { | if(params.count()) { |
| // encode | |
| const char* cstr=params.as_string(0, "parameter must be string").cstr(); | |
| const char* encoded=pa_base64_encode(cstr, strlen(cstr)); | |
| r.write_assign_lang(*new String(encoded, 0, true/*once ?param=base64(something) was needed* /)); | |
| } else { | |
| // decode | // decode |
| VString& vself=GET_SELF(r, VString); | const char* cstr=params.as_string(0, "parameter must be string").cstr(); |
| const char* cstr=vself.string().cstr(); | char* decoded_cstr=0; |
| void* decoded_cstr=0; | |
| size_t decoded_size=0; | size_t decoded_size=0; |
| pa_base64_decode(cstr, strlen(cstr), decoded_cstr, decoded_size); | pa_base64_decode(cstr, strlen(cstr), decoded_cstr, decoded_size); |
| if(decoded_cstr && decoded_size) | if(decoded_cstr && decoded_size) |
| r.write_assign_lang(*new String(static_cast<const char*>(decoded_cstr), decoded_size, true)); | self.set(true/*tainted*/, decoded_cstr, decoded_size); |
| } else { | |
| // encode | |
| const char* encoded=pa_base64_encode(self.value_ptr(), self.value_size()); | |
| r.write_assign_lang(*new String(encoded, 0, true/*once ?param=base64(something) was needed*/)); | |
| } | } |
| } | } |
| */ | |
| // constructor | // constructor |
| MFile::MFile(): Methoded("file") { | MFile::MFile(): Methoded("file") { |
| Line 862 MFile::MFile(): Methoded("file") { | Line 875 MFile::MFile(): Methoded("file") { |
| // ^file.base64[] << encode | // ^file.base64[] << encode |
| // ^file::base64[string] << decode | // ^file::base64[string] << decode |
| //add_native_method("base64", Method::CT_DYNAMIC, _base64, 0, 1); | add_native_method("base64", Method::CT_DYNAMIC, _base64, 0, 1); |
| } | } |