From 9febc7a6627cbc0d675de2bc2c11c561d0df0bd3 Mon Sep 17 00:00:00 2001 From: terry Date: Thu, 18 Jun 1998 16:47:00 +0000 Subject: [PATCH] Implement CheckHidden(), so that we can have some semblance of security. --- webtools/bonsai/cvsblame.cgi | 10 ++++++++- webtools/bonsai/cvsblame.pl | 14 +++++++++--- webtools/bonsai/cvsquery.pl | 9 ++++++-- webtools/bonsai/cvsview2.cgi | 25 ++++++++++++++------- webtools/bonsai/rview.cgi | 2 ++ webtools/bonsai/utils.pl | 43 ++++++++++++++++++++++++++++++++++++ 6 files changed, 89 insertions(+), 14 deletions(-) diff --git a/webtools/bonsai/cvsblame.cgi b/webtools/bonsai/cvsblame.cgi index 7f13ae0cdf6..7d6f17fd096 100755 --- a/webtools/bonsai/cvsblame.cgi +++ b/webtools/bonsai/cvsblame.cgi @@ -128,8 +128,12 @@ print "\n"; exit; found_file: + ($rcs_path) = $rcs_filename =~ m@$root/(.*)/.+?,v@; +CheckHidden($rcs_filename); + + # Parse the rcs file ($opt_rev is passed as a global) # $revision = &parse_cvs_file($rcs_filename); @@ -209,7 +213,11 @@ print $font_tag; # $start_of_mark = 0; $end_of_mark = 0; -$line_num_width = int(log($#revision_map)/log(10)) + 1; +$count = $#revision_map; +if ($count == 0) { + $count = 1; +} +$line_num_width = int(log($count)/log(10)) + 1; $revision_width = 3; $author_width = 5; $line = 0; diff --git a/webtools/bonsai/cvsblame.pl b/webtools/bonsai/cvsblame.pl index c731dcb8a40..7c85af1367f 100755 --- a/webtools/bonsai/cvsblame.pl +++ b/webtools/bonsai/cvsblame.pl @@ -28,8 +28,6 @@ # ############################################################################## -# $Id: cvsblame.pl,v 1.1 1998-06-16 21:42:56 terry Exp $ - require 'timelocal.pl'; # timestamps require 'ctime.pl'; # human-readable dates @@ -133,6 +131,10 @@ sub get_token { # Undo escape-coding of @ characters. $token =~ s/@@/@/og; + # Digest any extra blank lines. + while (($line_buffer =~ /^$/) && !eof(RCSFILE)) { + $line_buffer = ; + } return $token; } 
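Review bot: The new guard before `$line_num_width` in cvsblame.cgi only covers `$count == 0`; if `@revision_map` is ever empty, `$#revision_map` is -1 and `log(-1)` is fatal in Perl, so `$count = 1 if ($count < 1);` covers both cases. The digit count `int(log($count)/log(10)) + 1` is also exposed to floating-point error at exact powers of ten (`log(1000)/log(10)` can come out fractionally below 3, giving width 3 instead of 4), whereas `$line_num_width = length($count);` is exact and reads as what it is. The hunk sits in the script's top-level code, which continues past it.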
@@ -492,6 +494,8 @@ sub parse_cvs_file { # (%revision_deltatext) @revision_map = (); + CheckHidden($rcs_pathname); + die "$progname: error: This file appeared to be under CVS control, " . "but the RCS file is inaccessible.\n(Couldn't open '$rcs_pathname')\n" if !open (RCSFILE, "< $rcs_pathname"); @@ -653,6 +657,8 @@ sub read_cvs_entries $cvsdir = $directory . '/CVS'; + CheckHidden($cvsdir); + return if (! -d $cvsdir); return if !open(ENTRIES, "< $cvsdir/Entries"); @@ -677,6 +683,8 @@ sub read_cvs_entries # Given path to file in CVS working directory, compute path to RCS # repository file. Cache that info for future use. + + sub rcs_pathname { ($pathname) = @_; @@ -689,7 +697,7 @@ sub rcs_pathname { if (!defined($repository{$directory})) { &read_cvs_entries($directory); } - + if (!defined($cvs_revision{$pathname})) { die "$progname: error: File '$pathname' does not appear to be under" . " CVS control.\n" diff --git a/webtools/bonsai/cvsquery.pl b/webtools/bonsai/cvsquery.pl index 454f70139eb..5be3316ec1f 100755 --- a/webtools/bonsai/cvsquery.pl +++ b/webtools/bonsai/cvsquery.pl @@ -177,13 +177,19 @@ sub query_checkins { # print ""; + $key = "$ci->[$CI_DIR]/$ci->[$CI_FILE]"; + if (IsHidden("$ci->[$CI_REPOSITORY]/$key")) { + next; + } + + + if( $have_mod_map && !&in_module( $mod_map, $ci->[$CI_DIR], $ci->[$CI_FILE] ) ){ next; } if( $begin_tag) { - $key = "$ci->[$CI_DIR]/$ci->[$CI_FILE]"; $rev = $begin_tag->{$key}; print "
$key begintag is $rev
\n"; if ($rev == "" || rev_is_after($ci->[$CI_REV], $rev)) { @@ -192,7 +198,6 @@ sub query_checkins { } if( $end_tag) { - $key = "$ci->[$CI_DIR]/$ci->[$CI_FILE]"; $rev = $end_tag->{$key}; print "
$key endtag is $rev
\n"; if ($rev == "" || rev_is_after($rev, $ci->[$CI_REV])) { diff --git a/webtools/bonsai/cvsview2.cgi b/webtools/bonsai/cvsview2.cgi index ac903c7c2af..5fdb9309497 100755 --- a/webtools/bonsai/cvsview2.cgi +++ b/webtools/bonsai/cvsview2.cgi @@ -381,6 +381,7 @@ if ($opt_command eq 'DIFF' || &die("command $opt_command: file not defined in URL\n") if $opt_file eq ''; &die("command $opt_command: rev1 not defined in URL\n") if $opt_rev1 eq ''; &die("command $opt_command: rev2 not defined in URL\n") if $opt_rev2 eq ''; + } # Propagate diff options to created links @@ -442,10 +443,6 @@ sub do_diff_frameset { # Create links to document created by DIFF command. sub do_diff_links { - chdir($dir); - - open(RCSDIFF, "$rcsdiff -r$opt_rev1 -r$opt_rev2 $opt_file 2>/dev/null |"); - print "\n"; print "\n"; + print "$opt_file: $opt_rev1 vs. $opt_rev2\n"; print ""; print "\n"; - print "$opt_file: $opt_rev1 vs. $opt_rev2\n"; + CheckHidden("$dir/$opt_file"); + + chdir($dir); + + open(RCSDIFF, "$rcsdiff -r$opt_rev1 -r$opt_rev2 $opt_file 2>/dev/null |"); + print '
'; @@ -578,6 +581,8 @@ sub do_diff { print ""; + CheckHidden("$dir/$opt_file"); + chdir($dir); local ($rcsfile) = "$opt_file,v"; @@ -591,11 +596,13 @@ sub do_diff { # Show specified CVS log entry. sub do_log { + print "$opt_file: $opt_rev CVS log entry\n"; + print '
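Review bot: `CheckHidden("$dir/$opt_file")` in do_diff_links is reached only after the title and head lines have been printed, so a rejected request dies with part of the page already sent; moving the call to the first statement of the sub, before any `print`, keeps the rejection clean, and the same ordering appears in the do_diff hunk, the do_log hunk and the rview.cgi hunk. The check also says nothing about what `$opt_file`, `$opt_rev1` and `$opt_rev2` may contain, while the re-added `open(RCSDIFF, "$rcsdiff -r$opt_rev1 -r$opt_rev2 $opt_file 2>/dev/null |")` interpolates those request values into a shell command line; the file already has an `&die(...)` helper for bad URLs, so a check such as `&die("bad file name in URL\n") if $opt_file !~ m{^[\w./-]+$} || $opt_file =~ m{(^|/)\.\.(/|$)};` together with `&die("bad revision in URL\n") if $opt_rev1 !~ /^[\d.]+$/ || $opt_rev2 !~ /^[\d.]+$/;` placed before the open would keep the command line to expected characters. do_diff_links continues past the end of the hunk.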
';
+
+    CheckHidden("$dir/$opt_file");
 
     chdir($dir);
 
-    print "$opt_file: $opt_rev CVS log entry\n";
-    print '
';
     open(RCSLOG, "rlog -r$opt_rev $opt_file |");
 
     while () {
@@ -639,12 +646,15 @@ sub do_directory {
 
     EmitHtmlHeader("CVS Differences", $output);
 
+    CheckHidden($dir);
     chdir($dir);
 
     print "
\n"; foreach $file (split(/\+/, $opt_files)) { local ($path) = "$dir/$file,v"; + + CheckHidden($path); $path = "$dir/Attic/$file,v" if (! -r $path); &parse_rcs_file($path); @@ -950,7 +960,6 @@ __BOTTOM__ sub do_cmd { - if ($opt_command eq 'DIFF_FRAMESET') { do_diff_frameset; } elsif ($opt_command eq 'DIFF_LINKS') { do_diff_links; } elsif ($opt_command eq 'DIFF') { do_diff; } diff --git a/webtools/bonsai/rview.cgi b/webtools/bonsai/rview.cgi index a88aab804a4..04046c65d35 100755 --- a/webtools/bonsai/rview.cgi +++ b/webtools/bonsai/rview.cgi @@ -58,6 +58,8 @@ if( $rev ne "" ){ print " Repository Directory $CVS_ROOT/$dir $s"; +CheckHidden("$CVS_ROOT/$dir"); + $output = "
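Review bot: In do_directory the new `CheckHidden($path);` runs before `$path = "$dir/Attic/$file,v" if (! -r $path);`, so when the Attic fallback is taken the path handed to `&parse_rcs_file($path)` is not the one that was checked; swapping the two statements, `$path = "$dir/Attic/$file,v" if (! -r $path); CheckHidden($path);`, makes the check see the final path (otherwise the hide list needs an entry matching both forms). `$file` comes straight from `split(/\+/, $opt_files)`, and IsHidden only collapses repeated slashes, so a `..` segment or a symlink in the request path reaches the match un-normalised; rejecting `..` components here, or resolving the path before the check, would remove the dependence on how list entries happen to be written. do_directory starts and ends outside this hunk.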
"; ($dir_head, $dir_tail) = $dir =~ m@(.*/)?(.+)@; diff --git a/webtools/bonsai/utils.pl b/webtools/bonsai/utils.pl index 141eef9e991..8a6f06de7f0 100644 --- a/webtools/bonsai/utils.pl +++ b/webtools/bonsai/utils.pl @@ -129,3 +129,46 @@ sub SqlQuote { s/\\/\\\\/g; return $_; } + + +# Returns true if the given directory or filename is one of the hidden ones +# that we don't want to show users. + +sub IsHidden { + my ($name) = (@_); + $name =~ s:///*:/:g; # Remove any multiple slashes. + if (!defined @hidelist) { + if (open(HIDE, ") { + chop; + s/^\s*//g; # Strip leading whitespace + s/\s*$//g; # Strip trailing whitespace + if ( /^#/ || /^$/) { + next; + } + + push(@hidelist, $_); + } + close HIDE; + } else { + @hidelist = (); + } + } + foreach my $item (@hidelist) { + if ($name =~ m/$item/) { + return 1; + } + } + return 0; +} + +sub CheckHidden { + my ($name) = (@_); + if (IsHidden($name)) { + $| = 1; + print ""; + die "Security violation; not allowed to access $name."; + } +} + +