From 9a10fd447c5646456421bc7c0107bf930f3acbf8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?= <paul@plutz.net>
Date: Mon, 23 Aug 2021 14:34:20 +0200
Subject: [PATCH] Squashed 'cgilite/' changes from b65a5ae..38702db

38702db improved gonzo mac if openssl is unavailable
8be65ce bugfix: faulty check in update and append
904badc bugfix: parameter passing in cgilite_value calls
4a04dc4 portability GNU `date` / Busybox `date`
76395d4 Fix: prevent horizontal rule from masking 2nd order heading
52e7985 enable pipe/argument choice for more functions

git-subtree-dir: cgilite
git-subtree-split: 38702dbb48387609925572f2269b222f87eb9c1a
---
 cgilite.sh   |  6 +++---
 file.sh      |  3 +--
 markdown.awk | 10 +++++-----
 session.sh   | 51 +++++++++++++++++++++++++++++----------------------
 storage.sh   |  4 ++--
 5 files changed, 40 insertions(+), 34 deletions(-)

diff --git a/cgilite.sh b/cgilite.sh
index f766ee2..9fa56ee 100755
--- a/cgilite.sh
+++ b/cgilite.sh
@@ -157,15 +157,15 @@ cgilite_keys(){
   | sort -u
 }
 
-GET(){ cgilite_value "${QUERY_STRING}" $@; }
+GET(){ cgilite_value "${QUERY_STRING}" "$@"; }
 GET_COUNT(){ cgilite_count "${QUERY_STRING}" $1; }
 GET_KEYS(){ cgilite_keys "${QUERY_STRING}"; }
 
-POST(){ cgilite_value "${cgilite_post}" $@; }
+POST(){ cgilite_value "${cgilite_post}" "$@"; }
 POST_COUNT(){ cgilite_count "${cgilite_post}" $1; }
 POST_KEYS(){ cgilite_keys "${cgilite_post}"; }
 
-REF(){ cgilite_value "${HTTP_REFERER#*\?}" $@; }
+REF(){ cgilite_value "${HTTP_REFERER#*\?}" "$@"; }
 REF_COUNT(){ cgilite_count "${HTTP_REFERER#*\?}" $1; }
 REF_KEYS(){ cgilite_keys "${HTTP_REFERER#*\?}"; }
 
diff --git a/file.sh b/file.sh
index 04a8ef6..6f956df 100755
--- a/file.sh
+++ b/file.sh
@@ -58,8 +58,7 @@ FILE(){
 
   file_size="$(stat -Lc %s "$file")"
   file_date="$(stat -Lc %Y "$file")"
-  http_date="$(date -uRd @$file_date)"
-  http_date="${http_date%+0000}GMT"
+  http_date="$(date -ud "@$file_date" +"%a, %d %b %Y %T GMT")"
   cachedate="$(
     # Parse the allowable date formats from Section 3.3.1 of
     # https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
diff --git a/markdown.awk b/markdown.awk
index 512be5d..361e600 100755
--- a/markdown.awk
+++ b/markdown.awk
@@ -274,11 +274,6 @@ function _block( block, LOCAL, st, len, hlvl, htxt, guard, code, indent ) {
   } else if ( AllowHTML && match( block, /^ ? ? ?(<\/[A-Za-z][A-Za-z0-9-]*[[:space:]]*>|<[A-Za-z][A-Za-z0-9-]*([[:space:]]+[A-Za-z_:][A-Za-z0-9_\.:-]*([[:space:]]*=[[:space:]]*([[:space:]"'=<>`]+|"[^"]*"|'[^']*'))?)*[[:space:]]*\/?>)([[:space:]]*\n)([^\n]|\n[ \t]*[^\n])*(\n[[:space:]]*\n|$)/) ) {
     len = RLENGTH; st = RSTART;
     return substr(block, st, len) _block(substr(block, st + len));
-
-  # Horizontal rule
-  } else if ( match( block, /(^|\n) ? ? ?((\* *){3,}|(- *){3,}|(_ *){3,})($|\n)/) ) {
-    len = RLENGTH; st = RSTART;
-    return _block(substr(block, 1, st - 1)) "<hr />\n" _block(substr(block, st + len));
  
   # Blockquote (leading >)
   } else if ( match( block, /^> /) ) {
@@ -369,6 +364,11 @@ function _block( block, LOCAL, st, len, hlvl, htxt, guard, code, indent ) {
     return "<h" hlvl " id=\"" hid " - " HTML(htxt) "\">" inline( htxt ) "</h" hlvl ">\n\n" \
            _block( substr( block, len + 1) );
 
+  # Horizontal rule
+  } else if ( match( block, /(^|\n) ? ? ?((\* *){3,}|(- *){3,}|(_ *){3,})($|\n)/) ) {
+    len = RLENGTH; st = RSTART;
+    return _block(substr(block, 1, st - 1)) "<hr />\n" _block(substr(block, st + len));
+
   # Plain paragraph
   } else {
     match( block, /(^|\n)[[:space:]]*(\n|$)/ ) || match( block, /$/ );
diff --git a/session.sh b/session.sh
index b9cef4d..ca931fa 100755
--- a/session.sh
+++ b/session.sh
@@ -3,6 +3,9 @@
 [ -n "$include_session" ] && return 0
 include_session="$0"
 
+_DATE="$(date +%s)"
+SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}"
+
 if ! which uuencode >/dev/null; then
   uuencode() { busybox uuencode "$@"; }
 fi
@@ -10,8 +13,20 @@ if ! which sha256sum >/dev/null; then
   sha256sum() { busybox sha256sum "$@"; }
 fi
 
-_DATE="$(date +%s)"
-SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}"
+if which openssl >/dev/null; then
+  session_mac(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode; }
+else
+  # Gonzo MAC if openssl is unavailable
+  session_mac(){
+    { server_key | dd status=none bs=256 count=1 skip=1
+      { server_key | dd status=none bs=256 count=1
+        [ $# -gt 0 ] && printf %s "$*" || cat
+      } \
+      | sha256sum -;
+    } \
+    | sha256sum | cut -d\  -f1
+  }
+fi
 
 server_key(){
   IDFILE="${IDFILE:-${_DATA:-.}/serverkey}"
@@ -25,23 +40,13 @@ slopecode(){
   # 6-Bit Code that retains sort order of input data, while beeing safe to use
   # in ascii transmissions, unix file names, HTTP URLs, and HTML attributes
 
-  uuencode -m - | sed '
+  { [ $# -gt 0 ] && printf %s "$*" || cat; } \
+  | uuencode -m - | sed '
     1d;$d; 
     y;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/;0123456789:=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz;
   '
 }
 
-session_mac(){
-  local info
-  [ $# -eq 0 ] && info="$(cat)" || info="$*"
-
-  if which openssl >/dev/null; then
-    printf %s "$info" |openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode
-  else
-    { printf %s "$info"; server_key; } |sha256sum |cut -d\  -f1
-  fi
-}
-
 randomid(){
   dd bs=12 count=1 if=/dev/urandom 2>&- \
   | slopecode
@@ -60,14 +65,14 @@ timeid(){
   } | slopecode
 }
 
-checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }
-
 transid(){
   # transaction ID to modify a given file
   local file="$1"
   session_mac "$(stat -c %F%i%n%N%s%Y "$file" 2>&-)" "$SESSION_ID"
 }
 
+checkid(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }
+
 update_session(){
   local session sid time sig checksig
 
@@ -90,18 +95,16 @@ update_session(){
   printf %s\\n "${sid} ${time} ${sig}"
 }
 
-SESSION_KEY="$(update_session)"
-SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
-SESSION_ID="${SESSION_KEY%% *}"
-
 SESSION_BIND() {
+  # Set tamper-proof authenticated cookie
   local key="$1" value="$2"
   SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")"
 }
 
 SESSION_VAR() {
-  local key="$1"
-  local value sig
+  # read authenticated cookie
+  # fail if value has been tampered with
+  local key="$1" value sig
   value="$(COOKIE "$key")"
   sig="${value##* }" value="${value% *}"
   if [ "$sig" = "$(session_mac "$value" "$SESSION_ID")" ]; then
@@ -110,3 +113,7 @@ SESSION_VAR() {
     return 1
   fi
 }
+
+SESSION_KEY="$(update_session)"
+SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
+SESSION_ID="${SESSION_KEY%% *}"
diff --git a/storage.sh b/storage.sh
index 355bd56..61eec88 100755
--- a/storage.sh
+++ b/storage.sh
@@ -161,7 +161,7 @@ DBM() {
     update|replace)
       k="$1" key="$(STRING "$1")" value="$(STRING "$2")"
       LOCK "$file" || return 1
-      if ! DBM check "$k"; then
+      if ! DBM "$file" check "$k"; then
         RELEASE "$file"
         return 1
       fi
@@ -178,7 +178,7 @@ DBM() {
     append)
       key="$(STRING "$1")" value="$(STRING "$2")"
       LOCK "$file" || return 1
-      if ! DBM check "$1"; then
+      if ! DBM "$file" check "$1"; then
         RELEASE "$file"
         return 1
       fi
-- 
2.39.2