From f2e63f9ef2a8af259d244f87709fd0a08c42b190 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Paul=20H=C3=A4nsch?= Date: Mon, 4 Jan 2021 18:34:35 +0100 Subject: [PATCH] Squashed 'cgilite/' changes from b8cec22..a1caf91 a1caf91 include guard for main script, prevent double read of post data 147c722 mime types for streaming formats 1caf684 prevent line breaks in debug message 06a4763 try reading session key from post before trying cookie 1462517 escape CR and TAB in URLs 00ba4b0 avoid confusion regarding carriage return when escaping HTML (especially in textarea) 238f0f8 rudimentary debug function git-subtree-dir: cgilite git-subtree-split: a1caf91a5e6ab2d13790ec6a0c1eaf2b4030a0e8 --- cgilite.sh | 9 +++++++++ file.sh | 7 ++++++- session.sh | 10 +++++----- 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/cgilite.sh b/cgilite.sh index f03f747..f766ee2 100755 --- a/cgilite.sh +++ b/cgilite.sh @@ -18,6 +18,9 @@ # You should have received a copy of the GNU Affero General Public License # along with CGIlite. If not, see . +[ -n "$include_cgilite" ] && return 0 +# guard set after webserver part + # ksh and zsh workaround # set -o posix # ksh, not portable setopt -o OCTAL_ZEROES 2>&- @@ -119,11 +122,14 @@ if [ -z "$REQUEST_METHOD" ]; then exit 0 fi +include_cgilite="$0" + if [ "${REQUEST_METHOD}" = POST -a "${CONTENT_LENGTH:-0}" -gt 0 -a \ "${CONTENT_TYPE}" = "application/x-www-form-urlencoded" ]; then cgilite_post="$(head -c "$CONTENT_LENGTH")" fi +debug(){ [ $# -gt 0 ] && printf '%s\n' "$@" >&2 || tee -a /dev/stderr; } [ "${DEBUG+x}" ] && env >&2 cgilite_count(){ @@ -200,6 +206,7 @@ HTML(){ \'*) out="${out}'";; \[*) out="${out}[";; \]*) out="${out}]";; + "${CR}"*) out="${out} ";; "${BR}"*) out="${out} ";; *) out="${out}${str%"${str#?}"}";; esac 
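Review bot: The new guard `[ -n "$include_cgilite" ] && return 0` is only valid when cgilite.sh is sourced; if the file is ever executed as a command with `include_cgilite` inherited from the environment, bash rejects the top-level `return` (exit status 1, "can only `return' from a function or sourced script") and, because the `&&` list then fails, execution simply continues past the guard. The variable itself is assigned in the second hunk of this file rather than here, which the comment `# guard set after webserver part` does not make obvious; `# include guard: include_cgilite is assigned further down, after the REQUEST_METHOD check, so sourcing this file twice does not re-read POST data` would say why the assignment is deferred. Both points are documentation only.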
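Review bot: The added `debug()` uses `cmd1 && cmd2 || cmd3` as an if/else, so when arguments are given but `printf ... >&2` fails (stderr closed or full) the `tee -a /dev/stderr` branch runs anyway and blocks reading stdin; `tee` also copies its input to stdout, i.e. into the CGI response body. Write it as `debug(){ if [ $# -gt 0 ]; then printf '%s\n' "$@" >&2; else tee -a /dev/stderr; fi; }` and add a comment stating whether the stdout pass-through of the pipe form is intended, because anything piped through `debug` then becomes part of the output sent to the client. If pass-through is not wanted, `cat >&2` in the else branch also avoids the dependence on `/dev/stderr` existing.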
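Review bot: The new arm `"${CR}"*)` in HTML() depends on `CR` being set earlier in the file, outside this hunk; if `CR` is empty, the pattern collapses to `*` and every remaining character is replaced by the CR entity, silently corrupting the output of an escaping function that is part of the XSS defence. The `"${CR}"*)` arm added to URL() in the next hunk has the same dependency, as `"${BR}"*)` already had. The definition site of BR/CR should say so, e.g. `# BR and CR must be non-empty: an empty value turns the "${BR}"*/"${CR}"* case patterns into a match-all`, or the functions can assert it up front with `: "${CR:?}"`. The entity text in both arms renders as whitespace in this copy of the patch, so the emitted entities could not be checked here; HTML() starts outside the hunk.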
@@ -222,6 +229,8 @@ URL(){ \[*) out="${out}%5B";; \]*) out="${out}%5D";; \ *) out="${out}%20";; + " "*) out="${out}%09";; + "${CR}"*) out="${out}%0D";; "${BR}"*) out="${out}%0A";; %*) out="${out}%25";; *) out="${out}${str%"${str#?}"}";; diff --git a/file.sh b/file.sh index 51ec245..04a8ef6 100755 --- a/file.sh +++ b/file.sh @@ -32,9 +32,14 @@ file_type(){ svg) printf 'image/svg+xml';; gif) printf 'image/gif';; webm) printf 'video/webm';; - mp4) printf 'video/mp4';; + mp4|m4v) printf 'video/mp4';; + m4a) printf 'audio/mp4';; ogg) printf 'audio/ogg';; xml) printf 'application/xml';; + m3u8) printf 'application/x-mpegURL';; + ts) printf 'video/MP2T';; + mpd) printf 'application/dash+xml';; + m4s) printf 'video/iso.segment';; *) printf 'application/octet-stream';; esac } diff --git a/session.sh b/session.sh index ee5c499..12788d3 100755 --- a/session.sh +++ b/session.sh @@ -57,7 +57,7 @@ update_session(){ local session sid time sig serverkey checksig IFS=- read -r sid time sig <<-END - $(COOKIE session) + $(POST session_key || COOKIE session) END serverkey="$(server_key)" @@ -68,7 +68,7 @@ update_session(){ -a "$time" -ge "$_DATE" \ -a "$(printf %s "$sid" |checkid)" ] 2>&- then - debug Setting up new session + debug "Setting up new session" sid="$(randomid)" fi @@ -78,6 +78,6 @@ update_session(){ printf %s\\n "${sid}-${time}-${sig}" } -SESSION_ID="$(update_session)" -SET_COOKIE 0 session="$SESSION_ID" Path=/ SameSite=Strict HttpOnly -SESSION_ID="${SESSION_ID%%-*}" +SESSION_KEY="$(update_session)" +SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly +SESSION_ID="${SESSION_KEY%%-*}" -- 2.39.2
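Review bot: The added arm `" "*) out="${out}%09";;` in URL() matches on a literal tab character embedded in the source; any editor or copy that turns it into a space makes the arm unreachable, because `\ *)` two lines above already catches spaces, and this rendering of the patch indeed shows it as a plain space. A named constant in the style of `BR`/`CR`, e.g. `TAB="$(printf '\t')"` defined where those live and then `"${TAB}"*) out="${out}%09";;`, keeps the intent visible and greppable. URL() starts outside this hunk.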
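Review bot: The six new arms in file_type() are uncommented extension-to-type mappings, and `ts` is ambiguous (MPEG transport stream vs. TypeScript source), so a `.ts` file that is not a video segment is now delivered as `video/MP2T` instead of `application/octet-stream`. Group the streaming arms and label them, e.g. `# HLS/DASH streaming: playlists plus transport-stream and ISOBMFF segments; .ts is assumed to be MPEG-TS` above `m3u8)`. `application/x-mpegURL` is the legacy spelling; `application/vnd.apple.mpegurl` is the registered type, if the intended clients accept it. file_type() starts outside this hunk.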
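Review bot: Reading the session key from `POST session_key` before the cookie means the token that ends up in `SESSION_KEY`, and in the `Set-Cookie` header emitted further down, can be chosen by whoever crafted the form submission rather than only by the cookie holder; with `SameSite=Strict` a cross-site POST carries no cookie at all, so the posted value is the only candidate and, provided it is a validly signed key, it becomes the user's session (session fixation). The checks visible in the next hunk appear to confirm only that the key was issued by this server and is unexpired, not that it belongs to this client. If the POST path is meant for cookie-less clients, accept it only when no cookie is present, e.g. `$(COOKIE session || POST session_key)`, or require the posted key to equal the cookie, and record the rationale in a comment such as `# session_key may be supplied via POST for clients without cookie support; validated against server_key below`. update_session() starts and ends outside this hunk.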
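Review bot: `SESSION_KEY` now holds the complete signed `sid-time-sig` token that is also the cookie value, while `SESSION_ID` is only its first field, and nothing in the hunk says which of the two other scripts and templates should use. Two comment lines above the assignment, `# SESSION_KEY: full signed token, equal to the cookie value; treat as a credential and never embed it in pages` and `# SESSION_ID: bare id, for places that only need an identifier`, would keep the token from being used where the id is meant. The re-emitted `SET_COOKIE` line still carries no `Secure` attribute; if the service runs over TLS and SET_COOKIE passes attributes through, `... SameSite=Strict HttpOnly Secure` keeps the token off plaintext connections.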