From 9a10fd447c5646456421bc7c0107bf930f3acbf8 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Paul=20H=C3=A4nsch?= Date: Mon, 23 Aug 2021 14:34:20 +0200 Subject: [PATCH] Squashed 'cgilite/' changes from b65a5ae..38702db 38702db improved gonzo mac if openssl is unavailable 8be65ce bugfix: faulty check in update and append 904badc bugfix: parameter passing in cgilite_value calls 4a04dc4 portability GNU `date` / Busybox `date` 76395d4 Fix: prevent horizontal rule from masking 2nd order heading 52e7985 enable pipe/argument choice for more functions git-subtree-dir: cgilite git-subtree-split: 38702dbb48387609925572f2269b222f87eb9c1a --- cgilite.sh | 6 +++--- file.sh | 3 +-- markdown.awk | 10 +++++----- session.sh | 51 +++++++++++++++++++++++++++++---------------------- storage.sh | 4 ++-- 5 files changed, 40 insertions(+), 34 deletions(-) diff --git a/cgilite.sh b/cgilite.sh index f766ee2..9fa56ee 100755 --- a/cgilite.sh +++ b/cgilite.sh @@ -157,15 +157,15 @@ cgilite_keys(){ | sort -u } -GET(){ cgilite_value "${QUERY_STRING}" $@; } +GET(){ cgilite_value "${QUERY_STRING}" "$@"; } GET_COUNT(){ cgilite_count "${QUERY_STRING}" $1; } GET_KEYS(){ cgilite_keys "${QUERY_STRING}"; } -POST(){ cgilite_value "${cgilite_post}" $@; } +POST(){ cgilite_value "${cgilite_post}" "$@"; } POST_COUNT(){ cgilite_count "${cgilite_post}" $1; } POST_KEYS(){ cgilite_keys "${cgilite_post}"; } -REF(){ cgilite_value "${HTTP_REFERER#*\?}" $@; } +REF(){ cgilite_value "${HTTP_REFERER#*\?}" "$@"; } REF_COUNT(){ cgilite_count "${HTTP_REFERER#*\?}" $1; } REF_KEYS(){ cgilite_keys "${HTTP_REFERER#*\?}"; } diff --git a/file.sh b/file.sh index 04a8ef6..6f956df 100755 --- a/file.sh +++ b/file.sh 
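Review bot: The `$@` → `"$@"` fix is applied to GET, POST and REF, but the sibling GET_COUNT, POST_COUNT and REF_COUNT wrappers in the same hunk still pass an unquoted `$1`, so an empty or whitespace-containing key is word-split (or dropped) before it reaches cgilite_count. Quoting them the same way, `GET_COUNT(){ cgilite_count "${QUERY_STRING}" "$1"; }` and likewise for `POST_COUNT` and `REF_COUNT`, makes the three wrapper families consistent with the fix this commit makes.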
@@ -58,8 +58,7 @@ FILE(){ file_size="$(stat -Lc %s "$file")" file_date="$(stat -Lc %Y "$file")" - http_date="$(date -uRd @$file_date)" - http_date="${http_date%+0000}GMT" + http_date="$(date -ud "@$file_date" +"%a, %d %b %Y %T GMT")" cachedate="$( # Parse the allowable date formats from Section 3.3.1 of # https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html diff --git a/markdown.awk b/markdown.awk index 512be5d..361e600 100755 --- a/markdown.awk +++ b/markdown.awk @@ -274,11 +274,6 @@ function _block( block, LOCAL, st, len, hlvl, htxt, guard, code, indent ) { } else if ( AllowHTML && match( block, /^ ? ? ?(<\/[A-Za-z][A-Za-z0-9-]*[[:space:]]*>|<[A-Za-z][A-Za-z0-9-]*([[:space:]]+[A-Za-z_:][A-Za-z0-9_\.:-]*([[:space:]]*=[[:space:]]*([[:space:]"'=<>`]+|"[^"]*"|'[^']*'))?)*[[:space:]]*\/?>)([[:space:]]*\n)([^\n]|\n[ \t]*[^\n])*(\n[[:space:]]*\n|$)/) ) { len = RLENGTH; st = RSTART; return substr(block, st, len) _block(substr(block, st + len)); - - # Horizontal rule - } else if ( match( block, /(^|\n) ? ? ?((\* *){3,}|(- *){3,}|(_ *){3,})($|\n)/) ) { - len = RLENGTH; st = RSTART; - return _block(substr(block, 1, st - 1)) "
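Review bot: The new http_date format relies on `%a` and `%b`, which `date` renders in the current locale, while an HTTP-date must carry the English day and month abbreviations; under a non-C locale the header value can be rejected by clients and caches. Pinning the locale for that one call, `http_date="$(LC_ALL=C date -ud "@$file_date" +"%a, %d %b %Y %T GMT")"`, keeps the output fixed regardless of environment. `-d @epoch` and `%T` are consistent with the GNU/Busybox date target named in the commit message. FILE() starts and ends outside the hunk.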
\n" _block(substr(block, st + len)); # Blockquote (leading >) } else if ( match( block, /^> /) ) { @@ -369,6 +364,11 @@ function _block( block, LOCAL, st, len, hlvl, htxt, guard, code, indent ) { return "" inline( htxt ) "\n\n" \ _block( substr( block, len + 1) ); + # Horizontal rule + } else if ( match( block, /(^|\n) ? ? ?((\* *){3,}|(- *){3,}|(_ *){3,})($|\n)/) ) { + len = RLENGTH; st = RSTART; + return _block(substr(block, 1, st - 1)) "
\n" _block(substr(block, st + len)); + # Plain paragraph } else { match( block, /(^|\n)[[:space:]]*(\n|$)/ ) || match( block, /$/ ); diff --git a/session.sh b/session.sh index b9cef4d..ca931fa 100755 --- a/session.sh +++ b/session.sh @@ -3,6 +3,9 @@ [ -n "$include_session" ] && return 0 include_session="$0" +_DATE="$(date +%s)" +SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}" + if ! which uuencode >/dev/null; then uuencode() { busybox uuencode "$@"; } fi @@ -10,8 +13,20 @@ if ! which sha256sum >/dev/null; then sha256sum() { busybox sha256sum "$@"; } fi -_DATE="$(date +%s)" -SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}" +if which openssl >/dev/null; then + session_mac(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode; } +else + # Gonzo MAC if openssl is unavailable + session_mac(){ + { server_key | dd status=none bs=256 count=1 skip=1 + { server_key | dd status=none bs=256 count=1 + [ $# -gt 0 ] && printf %s "$*" || cat + } \ + | sha256sum -; + } \ + | sha256sum | cut -d\ -f1 + } +fi server_key(){ IDFILE="${IDFILE:-${_DATA:-.}/serverkey}" @@ -25,23 +40,13 @@ slopecode(){ # 6-Bit Code that retains sort order of input data, while beeing safe to use # in ascii transmissions, unix file names, HTTP URLs, and HTML attributes - uuencode -m - | sed ' + { [ $# -gt 0 ] && printf %s "$*" || cat; } \ + | uuencode -m - | sed ' 1d;$d; y;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/;0123456789:=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz; ' } -session_mac(){ - local info - [ $# -eq 0 ] && info="$(cat)" || info="$*" - - if which openssl >/dev/null; then - printf %s "$info" |openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode - else - { printf %s "$info"; server_key; } |sha256sum |cut -d\ -f1 - fi -} - randomid(){ dd bs=12 count=1 if=/dev/urandom 2>&- \ | slopecode 
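Review bot: The horizontal-rule branch is now evaluated only after the setext-heading branch that precedes it, and nothing at the new site records that this ordering is what keeps a `---` line under a paragraph from being consumed as a rule; a comment there would stop the branch from drifting back, e.g. `# Horizontal rule -- must be tested after setext headings: a "---" line directly under text is a heading underline, not a rule`. The regex and the split around RSTART/RLENGTH are the same as at the old position, so only the position carries meaning. _block starts and ends outside the hunk.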
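Review bot: The fallback session_mac derives its two key halves with `dd bs=256 count=1`, and `count=1` counts read() calls rather than bytes, so if server_key emits the key in more than one write a short read silently shortens a half and changes the MAC, which would make a cookie fail verification on a later request; `status=none` is also a GNU/Busybox extension rather than POSIX. Reading the halves as `server_key | tail -c +257` (outer) and `server_key | head -c 256` (inner) avoids both problems. The construction further assumes the key is at least 512 bytes long, otherwise the outer half is empty; server_key's body is outside the hunk, so that needs confirming. In the openssl branch the key still reaches `openssl dgst -hmac` via argv, where it is readable in the process list for the duration of the call.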
@@ -60,14 +65,14 @@ timeid(){ } | slopecode } -checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; } - transid(){ # transaction ID to modify a given file local file="$1" session_mac "$(stat -c %F%i%n%N%s%Y "$file" 2>&-)" "$SESSION_ID" } +checkid(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; } + update_session(){ local session sid time sig checksig @@ -90,18 +95,16 @@ update_session(){ printf %s\\n "${sid} ${time} ${sig}" } -SESSION_KEY="$(update_session)" -SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly -SESSION_ID="${SESSION_KEY%% *}" - SESSION_BIND() { + # Set tamper-proof authenticated cookie local key="$1" value="$2" SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")" } SESSION_VAR() { - local key="$1" - local value sig + # read authenticated cookie + # fail if value has been tampered with + local key="$1" value sig value="$(COOKIE "$key")" sig="${value##* }" value="${value% *}" if [ "$sig" = "$(session_mac "$value" "$SESSION_ID")" ]; then @@ -110,3 +113,7 @@ SESSION_VAR() { return 1 fi } + +SESSION_KEY="$(update_session)" +SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly +SESSION_ID="${SESSION_KEY%% *}" diff --git a/storage.sh b/storage.sh index 355bd56..61eec88 100755 --- a/storage.sh +++ b/storage.sh @@ -161,7 +161,7 @@ DBM() { update|replace) k="$1" key="$(STRING "$1")" value="$(STRING "$2")" LOCK "$file" || return 1 - if ! DBM check "$k"; then + if ! DBM "$file" check "$k"; then RELEASE "$file" return 1 fi @@ -178,7 +178,7 @@ DBM() { append) key="$(STRING "$1")" value="$(STRING "$2")" LOCK "$file" || return 1 - if ! DBM check "$1"; then + if ! DBM "$file" check "$1"; then RELEASE "$file" return 1 fi -- 2.39.2
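Review bot: The MAC in SESSION_BIND covers only the value and the session ID, not the cookie name, so the signature does not distinguish which key a value was issued for and SESSION_VAR recomputes the same input for any key name. Including the name in both places, `SET_COOKIE session "$key"="${value} $(session_mac "$key" "$value" "$SESSION_ID")"` and `if [ "$sig" = "$(session_mac "$key" "$value" "$SESSION_ID")" ]; then`, binds each cookie to its own name (previously bound cookies would need reissuing). The new comment says "tamper-proof"; the MAC makes the cookie tamper-evident rather than preventing modification, so `# Set tamper-evident (MAC-authenticated) cookie` is the accurate wording. The bound cookie is also set without the `Path=/ SameSite=Strict HttpOnly` attributes given to the session cookie; whether SET_COOKIE applies such defaults is not visible here. SESSION_VAR continues past the end of the hunk.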
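Review bot: The three session-setup lines now run after every definition in the file, but nothing records that the placement is deliberate; a comment such as `# Session setup: kept after all function definitions in this file on purpose` keeps them from being moved back above SESSION_BIND/SESSION_VAR. The session cookie carries `Path=/ SameSite=Strict HttpOnly` but no `Secure` attribute; if the application is served over TLS that attribute should be added so the cookie is never sent in clear. Whether SET_COOKIE adds it by default cannot be seen from this diff.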
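Review bot: The corrected recursive call `DBM "$file" check "$k"` (and `DBM "$file" check "$1"` in the append hunk) is made while this branch already holds `LOCK "$file"`; the check branch is outside the hunks, so whether it takes the lock itself, and whether LOCK tolerates re-entry, cannot be confirmed here and is worth a comment at the call site, e.g. `# check runs under the lock we already hold; it must not LOCK "$file" itself`. The update|replace branch saves the key as `k="$1"` while append passes `"$1"` directly; using one form in both branches reads more consistently. DBM() starts and ends outside the hunks.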