|
|
| version 1.6, 2001/03/19 15:29:40 | version 1.10.2.1, 2001/03/20 17:21:54 |
|---|---|
| Line 1 | Line 1 |
| /* | /** @file |
| Parser | Parser: String class part: untaint mechanizm. |
| Copyright (c) 2001 ArtLebedev Group (http://www.artlebedev.com) | Copyright (c) 2001 ArtLebedev Group (http://www.artlebedev.com) |
| Author: Alexander Petrosyan <paf@design.ru> (http://design.ru/paf) | Author: Alexander Petrosyan <paf@design.ru> (http://design.ru/paf) |
| $Id$ | $Id$ |
| Line 28 | Line 30 |
| strncpy(copy_here, b, bsize); \ | strncpy(copy_here, b, bsize); \ |
| copy_here+=bsize; \ | copy_here+=bsize; \ |
| break | break |
| #define escape_encode(need_encode_func) \ | #define escape_encode(need_encode_func, prefix) \ |
| default: \ | default: \ |
| if(need_encode_func(*ptr)) { \ | if(need_encode_func(*ptr)) { \ |
| static const char *hex="0123456789ABCDEF"; \ | static const char *hex="0123456789ABCDEF"; \ |
| char chunk[3]={'%'}; \ | char chunk[3]={prefix}; \ |
| chunk[1]=hex[((unsigned char)*ptr)/0x10]; \ | chunk[1]=hex[((unsigned char)*ptr)/0x10]; \ |
| chunk[2]=hex[((unsigned char)*ptr)%0x10]; \ | chunk[2]=hex[((unsigned char)*ptr)%0x10]; \ |
| strncpy(copy_here, chunk, 3); copy_here+=3; \ | strncpy(copy_here, chunk, 3); copy_here+=3; \ |
| Line 40 | Line 42 |
| *copy_here++=*ptr; \ | *copy_here++=*ptr; \ |
| break | break |
| inline bool need_file_encode(unsigned char c){ | |
| if ((c>='0') && (c<='9') || (c>='A') && (c<='Z') || (c>='a') && (c<='z')) | |
| return false; | |
| return !strchr("./\\", c); | |
| } | |
| inline bool need_uri_encode(unsigned char c){ | inline bool need_uri_encode(unsigned char c){ |
| if ((c>='0') && (c<='9') || (c>='A') && (c<='Z') || (c>='a') && (c<='z')) | if ((c>='0') && (c<='9') || (c>='A') && (c<='Z') || (c>='a') && (c<='z')) |
| return false; | return false; |
| Line 55 inline bool need_header_encode(unsigned | Line 63 inline bool need_header_encode(unsigned |
| // String | // String |
| /// \todo optimize whitespaces for all but 'html' | /// @todo optimize whitespaces for all but 'html' |
| char *String::cstr() const { | char *String::cstr() const { |
| char *result=(char *)malloc(size()*UNTAINT_TIMES_BIGGER+1); | char *result=(char *)malloc(size()*UNTAINT_TIMES_BIGGER+1); |
| Line 70 char *String::cstr() const { | Line 78 char *String::cstr() const { |
| // WARNING: | // WARNING: |
| // string can grow only UNTAINT_TIMES_BIGGER | // string can grow only UNTAINT_TIMES_BIGGER |
| switch(row->item.lang) { | switch(row->item.lang) { |
| case NO: | case UL_NO: |
| // clean piece | // clean piece |
| case YES: | case UL_YES: |
| // tainted piece, but undefined untaint language | // tainted piece, but undefined untaint language |
| // for VString.get_double of tainted values | // for VString.get_double of tainted values |
| // for ^process{body} evaluation | // for ^process{body} evaluation |
| case AS_IS: | case UL_AS_IS: |
| // tainted, untaint language: as-is | // tainted, untaint language: as-is |
| memcpy(copy_here, row->item.ptr, row->item.size); | memcpy(copy_here, row->item.ptr, row->item.size); |
| copy_here+=row->item.size; | copy_here+=row->item.size; |
| break; | break; |
| case URI: | case UL_FILE_NAME: |
| // tainted, untaint language: file [name] | |
| escape( | |
| escape_value(' ', '_'); | |
| escape_encode(need_file_encode, '-'); | |
| ); | |
| break; | |
| case UL_URI: | |
| // tainted, untaint language: uri | // tainted, untaint language: uri |
| escape( | escape( |
| escape_value(' ', '+'); | escape_value(' ', '+'); |
| escape_encode(need_uri_encode); | escape_encode(need_uri_encode, '%'); |
| ); | ); |
| break; | break; |
| case HEADER: | case UL_HEADER: |
| // tainted, untaint language: header | // tainted, untaint language: header |
| escape( | escape( |
| escape_encode(need_header_encode); | escape_encode(need_header_encode, '%'); |
| ); | ); |
| break; | break; |
| case TABLE: | case UL_TABLE: |
| escape( | escape( |
| escape_value('\t', ' '); | escape_value('\t', ' '); |
| escape_value('\n', ' '); | escape_value('\n', ' '); |
| escape_default; | escape_default; |
| ); | ); |
| break; | break; |
| case SQL: | case UL_SQL: |
| // tainted, untaint language: sql | // tainted, untaint language: sql |
| // TODO: зависимость от sql сервера | // TODO: зависимость от sql сервера |
| memset(copy_here, '?', row->item.size); | memset(copy_here, '?', row->item.size); |
| copy_here+=row->item.size; | copy_here+=row->item.size; |
| break; | break; |
| case JS: | case UL_JS: |
| escape( | escape( |
| escape_subst('"', "\\\"", 2); | escape_subst('"', "\\\"", 2); |
| escape_subst('\'', "\\'", 2); | escape_subst('\'', "\\'", 2); |
| Line 118 char *String::cstr() const { | Line 133 char *String::cstr() const { |
| escape_default; | escape_default; |
| ); | ); |
| break; | break; |
| case HTML: | case UL_HTML: |
| escape( | escape( |
| escape_subst('&', "&", 5); // BEFORE consequent relpaces yelding '&' | escape_subst('&', "&", 5); // BEFORE consequent relpaces yelding '&' |
| escape_subst('>', ">", 4); | escape_subst('>', ">", 4); |
| Line 129 char *String::cstr() const { | Line 144 char *String::cstr() const { |
| escape_default; | escape_default; |
| ); | ); |
| break; | break; |
| case HTML_TYPO: | case UL_HTML_TYPO: |
| // tainted, untaint language: html-typo | // tainted, untaint language: html-typo |
| escape( | escape( |
| escape_subst('&', "&", 5); // BEFORE consequent relpaces yelding '&' | escape_subst('&', "&", 5); // BEFORE consequent relpaces yelding '&' |