
Mercurial > hg > werc / changeset: Make http_redirect resolve non-absolute uris. Only allow safe chars for user names. Reliability fixes when checking $status (don't check $#status!). Check user suceeds always if user in admin group.

changeset 374: fb1db1dee588
parent 373: 5f7e186f0c24
child 375: fd845668f0cf
author: uriel@engel.se.cat-v.org
date: Fri, 30 Jan 2009 16:13:06 +0100
files: bin/cgilib.rc
description: Make http_redirect resolve non-absolute uris. Only allow safe chars for user names. Reliability fixes when checking $status (don't check $#status!). Check user succeeds always if user in admin group.
     1.1--- a/bin/cgilib.rc	Fri Jan 30 16:10:14 2009 +0100
     1.2+++ b/bin/cgilib.rc	Fri Jan 30 16:13:06 2009 +0100
     1.3@@ -10,8 +10,14 @@
     1.4 fn escape_html { sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g' $* }
     1.5 
     1.6 fn http_redirect {
     1.7+    if(~ $1 http:* https:*)
     1.8+        t=$1
     1.9+    if not if(~ $1 /*)
    1.10+        t=$"base_url^$1
    1.11+    if not
    1.12+        t=$"base_url^$"req_path^$1
    1.13     echo 'Status: '^$2^'
    1.14-Location: '^$1^'
    1.15+Location: '^$t^'
    1.16 
    1.17 '
    1.18     exit
    1.19@@ -189,7 +195,7 @@
    1.20 fn template { awk -f bin/template.awk $* | rc $rcargs }
    1.21 
    1.22 # Auth code
    1.23-
    1.24+allowed_user_chars='[a-zA-Z0-9_]'
    1.25 # Cookie format: WERC_USER: name:timestamp:hash(name.timestamp.password)
    1.26 # login_user can't be used from a template because it sets a cookie 
    1.27 fn login_user {
    1.28@@ -198,13 +204,13 @@
    1.29         set_cookie werc_user $"logged_user^':0:'^$"logged_password
    1.30 }
    1.31 
    1.32-# Check loggin status, if called with group arg we check membership too
    1.33+# Check login status, if called with group arg we check membership too
    1.34 fn check_user {
    1.35     get_user
    1.36     _status=$status
    1.37-    if(! ~ $#_status 0 )
    1.38+    if(! ~ $"_status '')
    1.39         _status=(Not logged in: $"_status)
    1.40-    if not if(! ~ $#* 0 && ! grep -s '^'^$logged_user^'$' etc/groups/$*) {
    1.41+    if not if(! ~ $#* 0 && ! grep -s '^'^$logged_user^'$' etc/groups/$* etc/groups/admin) {
    1.42         dprint NOT IN GROUP
    1.43         _status=(User $logged_user not in groups $*)
    1.44     }
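Review bot: In check_user, `$logged_user` is still spliced verbatim into the grep regex `'^'^$logged_user^'$'`, and that same pattern is now also run against `etc/groups/admin`, so the hunk's new `allowed_user_chars` only protects this check if get_user (outside this hunk) actually enforces it — nothing visible here does, and the variable is a bare character class with no anchor or quantifier. If get_user can return success with an empty name, the pattern degenerates to `^$` and a blank line in any groups file would grant membership; making the branch fail closed on an empty name would look like `if not if(! ~ $#* 0 && {~ $"logged_user '' || ! grep -s '^'^$logged_user^'$' etc/groups/$* etc/groups/admin}) {`. The `$"_status ''` comparison is a real improvement over `$#_status 0`, but note that if get_user's last command is a pipeline, `$status` is a list and `$"_status` joins its elements with spaces, so an all-success pipeline may compare unequal to `''` — worth confirming against get_user. Since admin membership now satisfies every group check, that should be stated above the function, e.g. `# Members of etc/groups/admin satisfy every group check`. check_user's body continues past the end of the hunk.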