From 7f88d20823ad9d375900657334bc27793860f6ee Mon Sep 17 00:00:00 2001 From: Lars Hjemli Date: Sun, 12 Jun 2011 20:49:35 +0000 Subject: [PATCH] ui-plain.c: fix html and links generated by print_dir() and print_dir_entry() This patch fixes the following issues: * the base argument usually isn't zero-terminated, so printing base without considering baselen will usually generate random garbage * when the current url represents a directory but doesn't end in a slash, relative urls would be incorrect * using unescaped paths allows XSS Signed-off-by: Lars Hjemli --- ui-plain.c | 65 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 46 insertions(+), 19 deletions(-) diff --git a/ui-plain.c b/ui-plain.c index 1b2b672..733db4d 100644 --- a/ui-plain.c +++ b/ui-plain.c @@ -52,30 +52,57 @@ static void print_object(const unsigned char *sha1, const char *path) match = 1; } -static void print_dir(const unsigned char *sha1, const char *path, - const char *base) +static char *buildpath(const char *base, int baselen, const char *path) { - char *fullpath; - if (path[0] || base[0]) - fullpath = fmt("/%s%s/", base, path); + if (path[0]) + return fmt("%.*s%s/", baselen, base, path); else - fullpath = "/"; + return fmt("%.*s/", baselen, base); +} + +static void print_dir(const unsigned char *sha1, const char *base, + int baselen, const char *path) +{ + char *fullpath, *slash; + size_t len; + + fullpath = buildpath(base, baselen, path); + slash = (fullpath[0] == '/' ? "" : "/"); ctx.page.etag = sha1_to_hex(sha1); cgit_print_http_headers(&ctx); - htmlf("%s\n\n" - "

%s

\n