From: paul Date: Tue, 11 Aug 2015 13:42:02 +0000 (+0000) Subject: upgraded to fit new shcgi revision, slightly better input validation, switched to... X-Git-Url: https://git.plutz.net/?a=commitdiff_plain;h=HEAD;p=busy upgraded to fit new shcgi revision, slightly better input validation, switched to pandoc markdown svn path=/trunk/; revision=71 --- diff --git a/actions/introedit.sh b/actions/introedit.sh index d629a16..3c6e698 100755 --- a/actions/introedit.sh +++ b/actions/introedit.sh @@ -16,7 +16,7 @@ # along with Busy. If not, see . -info="$(echo -E "$_GET[\"i\"]" |grep -Ex 'intro|news|[0-9]{10}_[0-9]{3}')" +info="$(printf %s\\n "${_GET[i]}" |grep -Ex 'intro|news|[0-9]{10}_[0-9]{3}')" case "$info" in news) @@ -39,6 +39,6 @@ esac cgi_post -[ -z "$_POST[\"cancel\"]" ] && echo -E "$_POST[\"text\"]" >"$_DATA/Home/${file}" +[ -z "${_POST[cancel]}" ] && echo -E "${_POST[text]}" >"$_DATA/Home/${file}" echo -n "Location: ${HTTP_REFERER}#news_${info}\n\n" diff --git a/actions/lock.sh b/actions/lock.sh index ea27764..e66f29c 100755 --- a/actions/lock.sh +++ b/actions/lock.sh @@ -18,8 +18,8 @@ $ACL_WIKIEDIT || echo "Location: ?p=Error&i=noaccess\n\n" $ACL_WIKIEDIT || exit 0 -page="$(echo -E "$_GET[\"p\"]" |egrep -Ex 'Wiki')" -edit="$(echo -E "$_GET[\"e\"]" |egrep -Ex '[0-9]{10}_[0-9]{3}(_[0-9]{1,4})?')" +page="$(printf %s\\n "${_GET[p]}" |egrep -Ex 'Wiki')" +edit="$(printf %s\\n "${_GET[e]}" |egrep -Ex '[0-9]{10}_[0-9]{3}(_[0-9]{1,4})?')" case "$page" in Wiki) [ -f "$_DATA/Wiki/${edit}" ] && echo "${USER}:$(($(date +%s)+600))" >"$_DATA/Wiki/${edit}.lock" diff --git a/actions/login.sh b/actions/login.sh index 8cd9e74..62f96b6 100755 --- a/actions/login.sh +++ b/actions/login.sh 
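Review bot: `grep -Ex` checks every input line on its own, so the new `info=` assignment accepts a parameter that carries several newline-separated values and returns every line that matches instead of a single token. The same pattern is used in actions/lock.sh, actions/wikiedit.sh and actions/wikimeta.sh, and for the `repoType`, `useFlattr`, `usePaypal`, `useBitcoin` and `advertise` fields in actions/projectmeta.sh. actions/login.sh in this commit already limits its check to the first line; the equivalent here is `info="$(printf %s\\n "${_GET[i]}" |sed -rn '1{/^(intro|news|[0-9]{10}_[0-9]{3})$/p}')"`. The `case` that consumes `info` continues outside the hunk.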
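Review bot: The write on the changed line still goes through `echo -E "${_POST[text]}"` although the rest of the commit moves request data to `printf %s\\n`, so a submitted value that looks like an echo option may still be taken as an option and not as data. Suggested: `[ -z "${_POST[cancel]}" ] && printf %s\\n "${_POST[text]}" >"$_DATA/Home/${file}"`. The same leftover is on the new side of pages/Home.sh (`search=`), pages/Subversion.sh (`url=`, `rev=`) and pages/Tasks.sh (`new=`, where `echo -e` additionally expands backslash escapes in the parameter before the sed filter sees it). `${file}` is assigned outside the hunk; if it can be empty when `info` fails validation, the write needs a guard.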
@@ -17,22 +17,22 @@
 cgi_post
-user="$(echo -E "$_POST[\"user\"]" |sed -rn '1{/^[a-zA-Z0-9_+@.-]+$/p}')"
-pass="$_POST[\"pass\"]"
-userfile="$_DATA/auth/user$(echo -E "$user" |sha1sum |cut -c1-40)"
+user="$(printf %s\\n "${_POST[user]}" |sed -rn '1{/^[a-zA-Z0-9_+@.-]+$/p}')"
+pass="${_POST[pass]}"
+userfile="$_DATA/auth/user$(printf %s\\n "$user" |sha1sum |cut -c1-40)"
 if [ -r "$userfile" ]; then
 salt=$(sed -nr 's:^salt=(.+)$:\1:p' "$userfile")
 ssum=$(sed -nr 's:^auth=(.+)$:\1:p' "$userfile")
- rsum=$(echo -E "$salt$pass" |sha1sum |cut -c1-40)
+ rsum=$(printf %s\\n "$salt$pass" |sha1sum |cut -c1-40)
 fi
 if [ -n "$ssum" -a "$ssum" = "$rsum" ]; then
 sid="$(apg -n1 -a1 -m32 -x32 -M CLN)"
 sessionfile="$_DATA/auth/session$sid"
- echo -E "$user $(($(date +%s) + 1800))" >"$sessionfile"
- echo -E "Location: $HTTP_REFERER"
- echo -E "Set-Cookie: session=$sid; HttpOnly"
+ printf %s\\n "$user $(($(date +%s) + 1800))" >"$sessionfile"
+ printf %s\\n "Location: $HTTP_REFERER"
+ printf %s\\n "Set-Cookie: session=$sid; HttpOnly"
 else
- echo -E "Location: $HTTP_REFERER"
+ printf %s\\n "Location: $HTTP_REFERER"
 fi
 echo ''
diff --git a/actions/projectmeta.sh b/actions/projectmeta.sh
index 9ee642f..1375e6c 100755
--- a/actions/projectmeta.sh
+++ b/actions/projectmeta.sh
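Review bot: The credential check on the changed `rsum=` line is a single salted SHA-1 (`printf %s\\n "$salt$pass" |sha1sum`), which is cheap to brute-force offline if a file under `$_DATA/auth` is ever disclosed; a deliberately slow password hash, with a scheme marker in the user file so existing `auth=` entries can be upgraded at next login, would be the durable fix. On the cookie line `HttpOnly` is the only attribute set: `printf %s\\n "Set-Cookie: session=$sid; HttpOnly; Secure; SameSite=Lax"` keeps the session id off plain-HTTP requests and cross-site posts (`Secure` assumes the site is served over TLS). `Location: $HTTP_REFERER` also copies a client-supplied header into the response and redirects wherever it points; checking it against the application's own base URL before use would close that.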
@@ -23,26 +23,26 @@ $ACL_ADMIN || exit 0 cgi_post -[ "$_POST[\"btcAdGamble\"]" = yes -a "$_POST[\"btcAdErotic\"]" = yes ] && btcAdContent=1 -[ "$_POST[\"btcAdGamble\"]" != yes -a "$_POST[\"btcAdErotic\"]" = yes ] && btcAdContent=2 -[ "$_POST[\"btcAdGamble\"]" = yes -a "$_POST[\"btcAdErotic\"]" != yes ] && btcAdContent=3 -[ "$_POST[\"btcAdGamble\"]" != yes -a "$_POST[\"btcAdErotic\"]" != yes ] && btcAdContent=4 +[ "${_POST[btcAdGamble]}" = yes -a "${_POST[btcAdErotic]}" = yes ] && btcAdContent=1 +[ "${_POST[btcAdGamble]}" != yes -a "${_POST[btcAdErotic]}" = yes ] && btcAdContent=2 +[ "${_POST[btcAdGamble]}" = yes -a "${_POST[btcAdErotic]}" != yes ] && btcAdContent=3 +[ "${_POST[btcAdGamble]}" != yes -a "${_POST[btcAdErotic]}" != yes ] && btcAdContent=4 echo -E "\ -name=$_POST[\"appName\"] -slogan=$_POST[\"appSlogan\"] -repoType=$(echo -E "$_POST[\"repoType\"]" |grep -Ex 'svn|git') -svnRepo=$_POST[\"svnRepo\"] -gitRepo=$_POST[\"gitRepo\"] -useFlattr=$(echo -E "$_POST[\"useFlattr\"]" |grep -Ex 'yes') -flattrThingURL=$_POST[\"flattrThingURL\"] -usePaypal=$(echo -E "$_POST[\"usePaypal\"]" |grep -Ex 'yes') -paypalAddress=$_POST[\"paypalAddress\"] -useBitcoin=$(echo -E "$_POST[\"useBitcoin\"]" |grep -Ex 'yes') -btcAddress=$_POST[\"btcAddress\"] -advertise=$(echo -E "$_POST[\"advertise\"]" |grep -Ex 'btcAd|no') -btcAdAddress=$_POST[\"btcAdAddress\"] -btcAdContent=$btcAdContent +name="${_POST[appName]}" +slogan="${_POST[appSlogan]}" +repoType=$(printf %s\\n "$_POST[\"repoType\"]" |grep -Ex 'svn|git') +svnRepo="${_POST[svnRepo]}" +gitRepo="${_POST[gitRepo]}" +useFlattr="$(printf %s\\n "${_POST[useFlattr]}" |grep -Ex 'yes')" +flattrThingURL="${_POST[flattrThingURL]}" +usePaypal="$(printf %s\\n "${_POST[usePaypal]}" |grep -Ex 'yes')" +paypalAddress="${_POST[paypalAddress]}" +useBitcoin="$(printf %s\\n "${_POST[useBitcoin]}" |grep -Ex 'yes')" +btcAddress="${_POST[btcAddress]}" +advertise="$(printf %s\\n "${_POST[advertise]}" |grep -Ex 'btcAd|no')" 
+btcAdAddress="${_POST[btcAdAddress]}" +btcAdContent="$btcAdContent" " >"$metafile" echo -n "Location: ${HTTP_REFERER}\n\n" diff --git a/actions/taskmeta.sh b/actions/taskmeta.sh index cd4e900..5c5b01d 100755 --- a/actions/taskmeta.sh +++ b/actions/taskmeta.sh @@ -18,7 +18,7 @@ $ACL_CREATETASK || echo "Location: ?p=Error&i=noaccess\n\n" $ACL_CREATETASK || exit 0 -info="$_GET[\"i\"]" +info="${_GET[i]}" [ -z "$info" ] && info="$(date +%s)_$(apg -M N -a 1 -n 1 -m 3 -x 3)" descfile="$_DATA/Tasks/$info.meta" @@ -28,13 +28,13 @@ commfile="$_DATA/Tasks/$info.comment.$(date +%s)_$(apg -M N -a 1 -n 1 -m 3 -x 3) anchor=$(ls $_DATA/Tasks |grep -A2 $info |grep '.meta$' |tail -n1 |cut -d. -f1) cgi_post -headline="$_POST[\"headline\"]" -taskstatus="$_POST[\"status\"]" -section="$_POST[\"section\"]" -description="$_POST[\"description\"]" -comment="$_POST[\"comm\"]" -[ -n "$_POST[\"cancel\"]" ] && cancel=true -[ "$_POST[\"submit\"]" = "Robots click here" ] && cancel=true +headline="${_POST[headline]}" +taskstatus="${_POST[status]}" +section="${_POST[section]}" +description="${_POST[description]}" +comment="${_POST[comm]}" +[ -n "${_POST[cancel]}" ] && cancel=true +[ "${_POST[submit]}" = "Robots click here" ] && cancel=true if [ -z "$cancel" -a -n "$comment" ]; then touch "$_DATA/Tasks/$info" diff --git a/actions/wikiedit.sh b/actions/wikiedit.sh index 12b9874..6033604 100755 --- a/actions/wikiedit.sh +++ b/actions/wikiedit.sh 
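Review bot: The new `repoType=` line still reads `"$_POST[\"repoType\"]"`, the only access in this hunk not converted to the `${_POST[...]}` form, so with the new shcgi revision it probably no longer sees the submitted value and `repoType` is written empty; it should read `repoType="$(printf %s\\n "${_POST[repoType]}" |grep -Ex 'svn|git')"`. The double quotes added around the other values sit inside the already double-quoted `echo -E "\ … "` argument, so they close and reopen that string instead of quoting the expansions, and no quote character reaches the file. The free-text fields (`appName`, `appSlogan`, `svnRepo`, `gitRepo` and the address fields) are written into a line-oriented `key=value` file without removing line breaks, so one submitted value can add or override other keys, including the `svnRepo=` line that pages/Subversion.sh reads back with sed. Restricting each value to its first line before writing avoids that.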
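Review bot: `info="${_GET[i]}"` takes the task id from the query string without any check, yet the context lines build the `descfile` and `commfile` paths under `$_DATA/Tasks` from it and the second hunk of this file passes it to `touch`. The other actions touched by this commit filter the id first; the same filter here would be `info="$(printf %s\\n "${_GET[i]}" |sed -rn '1{/^[0-9]{10}_[0-9]{3}$/p}')"`, which also keeps path separators out of those file names. `grep -A2 $info` on the `anchor=` line is unquoted as well and should become `grep -A2 -- "$info"`. The script continues outside both hunks, so other uses of `info` could not be checked.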
@@ -18,12 +18,12 @@ $ACL_WIKIEDIT || echo "Location: ?p=Error&i=noaccess\n\n" $ACL_WIKIEDIT || exit 0 -info="$(echo "$_GET[\"i\"]" |grep -Ex '[0-9]{10}_[0-9]{3}')" +info="$(printf %s\\n "${_GET[i]}" |grep -Ex '[0-9]{10}_[0-9]{3}')" [ -f "$_DATA/Wiki/$info.lock" ] && rm "$_DATA/Wiki/$info.lock" cgi_post -page="$_POST[\"page\"]" -[ -n "$_POST[\"cancel\"]" ] && cancel=true +page="${_POST[page]}" +[ -n "${_POST[cancel]}" ] && cancel=true [ -z "$cancel" -a -f "$_DATA/Wiki/$info" ] && mv "$_DATA/Wiki/$info" "$_DATA/Wiki/$info.$(date +%s)" [ -z "$cancel" ] && echo -e "${page}" >"$_DATA/Wiki/$info" diff --git a/actions/wikimeta.sh b/actions/wikimeta.sh index 51236c9..0a19719 100755 --- a/actions/wikimeta.sh +++ b/actions/wikimeta.sh @@ -19,7 +19,7 @@ $ACL_WIKIEDIT || echo "Location: ?p=Error&i=noaccess\n\n" $ACL_WIKIEDIT || exit 0 info="$(egrep -o '(^|&)i=[0-9]{10}_[0-9]{3}(&|$)' <<<"${QUERY_STRING}" |tr -d '&i=')" -info="$(echo -E "$_GET[\"i\"]" |grep -Ex '[0-9]{10}_[0-9]{3}')" +info="$(printf %s\\n "${_GET[i]}" |grep -Ex '[0-9]{10}_[0-9]{3}')" [ -z "$info" ] && info="$(date +%s)_$(apg -M N -a 1 -n 1 -m 3 -x 3)" descfile="$_DATA/Wiki/$info.meta" @@ -29,10 +29,10 @@ commfile="$_DATA/Wiki/$info.comment.$(date +%s)_$(apg -M N -a 1 -n 1 -m 3 -x 3)" anchor=$(ls "$_DATA/Wiki" |grep -A2 $info |grep '.meta$' |tail -n1 |cut -d. -f1) cgi_post -title="$_POST[\"title\"]" -description="$_POST[\"desc\"]" -comment="$_POST[\"comm\"]" -[ -n "$_POST[\"cancel\"]" ] && cancel=true +title="${_POST[title]}" +description="${_POST[desc]}" +comment="${_POST[comm]}" +[ -n "${_POST[cancel]}" ] && cancel=true if [ -z "$cancel" -a -n "$comment" ]; then touch "$_DATA/Wiki/$info" diff --git a/constants.sh b/constants.sh index 590c968..7612939 100755 --- a/constants.sh +++ b/constants.sh 
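Review bot: Nothing stops the script when the `i` parameter fails the new check: with `info` empty the lock test looks at `$_DATA/Wiki/.lock` and the write at the end of the hunk targets `$_DATA/Wiki/` itself. A guard directly after the assignment, ending the request the way the ACL check above it does, would make the rejection explicit, for example `[ -n "$info" ] || exit 0` after emitting the project's error redirect. The unchanged last line still writes the page with `echo -e "${page}"`, which expands backslash sequences in the submitted text; `printf %s\\n "${page}"` stores it as sent. The lock file is also removed before `cancel` or the lock's owner is looked at, which may be intended but is not documented here.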
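Review bot: The context line above the changed one still computes `info` from `QUERY_STRING` with egrep, and the new assignment overwrites that result immediately, so the first line is dead code. Deleting it leaves a single validation path and removes the `tr -d '&i='` step, which deletes characters and not a prefix. In the second hunk of this file `grep -A2 $info` on the `anchor=` line is unquoted; `grep -A2 -- "$info"` is the safer spelling even with a validated id.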
@@ -22,12 +22,13 @@ data_dirs Home Tasks Wiki QRcodes umask=002 #alias _wiki="stx2any --no-template --link-abbrevs --quote -T html" _wiki(){ - markdown $* |sed -r 's:<(h[1-6])>(.+):<\1>\2:g' + #markdown $* |sed -r 's:<(h[1-6])>(.+):<\1>\2:g' + pandoc -f markdown -t html "$@" |sed -r 's:<(h[1-6])>(.+):<\1>\2:g' } LOGIN=false USER="#NONE#" -[ -z "$_GET[\"p\"]" ] && _GET["p"]=Home +[ -z "${_GET[p]}" ] && _GET[p]=Home sessfile="$_DATA/auth/session$(sed -rn 's:^.*session=([a-zA-Z0-9]{32}).*$:\1:p' <<<"$HTTP_COOKIE")" if [ -r "$sessfile" ]; then diff --git a/pages/Home.sh b/pages/Home.sh index eea4316..2dd2ccc 100755 --- a/pages/Home.sh +++ b/pages/Home.sh @@ -19,7 +19,7 @@ searchresults() { - search="$(echo "$_GET[\"s\"]" |sed 's:\t: :g;s:\r::g;s:\\:\\\\:g')" + search="$(echo "${_GET[s]}" |sed 's:\t: :g;s:\r::g;s:\\:\\\\:g')" if [ -n "$search" ]; then echo "
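Review bot: pandoc's `markdown` reader passes raw HTML in the source through to the output by default, so if `_wiki` renders pages that wiki editors submit (the rendering call sites are outside this hunk), markup typed into a page reaches other visitors' browsers unchanged. Turning the extension off at the reader, `pandoc -f markdown-raw_html -t html "$@"`, makes pandoc treat such input as literal text; link targets would still need a scheme check. The old `markdown` line is kept as a comment and can be dropped, since the history has it. Separately, the context line `umask=002` assigns a shell variable; unless shcgi reads that variable, setting the file-creation mask needs the command `umask 002`.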

News search results for: $search

"
diff --git a/pages/Subversion.sh b/pages/Subversion.sh
index 642f43d..6f93ff2 100755
--- a/pages/Subversion.sh
+++ b/pages/Subversion.sh
@@ -17,8 +17,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Busy. If not, see .
-url="$(echo "$_GET[\"i\"]" |sed -rn '1{s:\t: :g;s:\r::g;s:\\:\\\\:g;s:/+:/:g;p}')"
-rev="$(echo "$_GET[\"r\"]" |sed -rn '1{/^[0-9]+$/p}')"
+url="$(echo "${_GET[i]}" |sed -rn '1{s:\t: :g;s:\r::g;s:\\:\\\\:g;s:/+:/:g;p}')"
+rev="$(echo "${_GET[r]}" |sed -rn '1{/^[0-9]+$/p}')"
 url="${url:-/}"
 baseuri=$(sed -rn 's:^svnRepo=(.*)$:\1:p' project.meta)
diff --git a/pages/Tasks.sh b/pages/Tasks.sh
index 0950be0..34aef4d 100755
--- a/pages/Tasks.sh
+++ b/pages/Tasks.sh
@@ -17,10 +17,10 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Busy. If not, see .
-info="$(echo "$_GET[\"i\"]" |sed -rn '1{/^[0-9]{10}_[0-9]{3}$/p}')"
-edit="$(echo "$_GET[\"e\"]" |sed -rn '1{/^[0-9]{10}_[0-9]{3}$/p}')"
-search="$(echo "$_GET[\"s\"]" |sed -rn '1{s:\t: :g;s:\r::g;s:\\:\\\\:g;p}')"
-new="$(echo -e "$_GET[\"n\"]" |sed -rn '1{s:\t: :g;s:\r::g;s:\\:\\\\:g;p}')"
+info="$(printf %s\\n "${_GET[i]}" |sed -rn '1{/^[0-9]{10}_[0-9]{3}$/p}')"
+edit="$(printf %s\\n "${_GET[e]}" |sed -rn '1{/^[0-9]{10}_[0-9]{3}$/p}')"
+search="$(printf %s\\n "${_GET[s]}" |sed -rn '1{s:\t: :g;s:\r::g;s:\\:\\\\:g;p}')"
+new="$(echo -e "${_GET[n]}" |sed -rn '1{s:\t: :g;s:\r::g;s:\\:\\\\:g;p}')"
 [ -z "$ACL_CREATETASK" ] && ACL_CREATETASK=false
diff --git a/pages/Wiki.sh b/pages/Wiki.sh
index b9215f9..e433b65 100755
--- a/pages/Wiki.sh
+++ b/pages/Wiki.sh
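Review bot: `search` is interpolated into the results heading that the following `echo` prints (the markup on those lines appears to have been lost in this rendering), but the sed filter only rewrites tabs, carriage returns and backslashes, so HTML metacharacters from the `s` parameter are reflected into the page as they arrived. Escape at the point of output, for example with a second variable built by `sed 's:&:\&amp;:g;s:<:\&lt;:g;s:>:\&gt;:g;s:":\&quot;:g'`, and keep the unescaped value for the search itself. The body of `searchresults()` continues past the end of the hunk.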
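Review bot: The `url=` filter normalises the `i` parameter (tabs, carriage returns, backslashes, repeated slashes) but does not reject `..` path segments or a leading `-`, while `rev=` next to it is a strict allow-list. How `url` is combined with `baseuri` lies outside the hunk; if it is appended to the repository URL or handed to an svn command line, it should be limited to an allow-list of path characters and passed after `--`. A comment above the line stating which characters a repository path may contain would make the intended contract reviewable.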
@@ -17,10 +17,10 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Busy. If not, see .
-info="$(egrep -o '[0-9]{10}_[0-9]{3}' <<<"$_GET[\"i\"]")"
-edit="$(egrep -o '[0-9]{10}_[0-9]{3}' <<<"$_GET[\"e\"]")"
- rev="$(egrep -o '[0-9]{10}' <<<"$_GET[\"r\"]")"
-search="$(sed 's:\t: :g;s:\r::g;s:\\:\\\\:g' <<<"$_GET[\"s\"]")"
+info="$(egrep -o '[0-9]{10}_[0-9]{3}' <<<"${_GET[i]}")"
+edit="$(egrep -o '[0-9]{10}_[0-9]{3}' <<<"${_GET[e]}")"
+ rev="$(egrep -o '[0-9]{10}' <<<"${_GET[r]}")"
+search="$(sed 's:\t: :g;s:\r::g;s:\\:\\\\:g' <<<"${_GET[s]}")"
 [ -n "$rev" ] && rev=".$rev"
 if [ -n "$search" ]; then
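Review bot: `egrep -o` on the `info=`, `edit=` and `rev=` lines extracts every substring that looks like an id, so a parameter with surrounding junk is accepted and one holding several ids yields a multi-line value. pages/Tasks.sh in this same commit validates the identical parameters with a whole-value match on the first line; reusing it here gives `info="$(printf %s\\n "${_GET[i]}" |sed -rn '1{/^[0-9]{10}_[0-9]{3}$/p}')"` and the analogous lines for `edit` and `rev`. `search` gets the same tab, carriage-return and backslash filter as in pages/Home.sh and needs HTML escaping wherever the block that starts at `if [ -n "$search" ]` prints it; that block is outside the hunk.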