From: <ps...@us...> - 2010-04-25 14:09:30
Revision: 1935 http://znc.svn.sourceforge.net/znc/?rev=1935&view=rev Author: psychon Date: 2010-04-25 14:09:23 +0000 (Sun, 25 Apr 2010) Log Message: ----------- HTTPSock: Split up parameter access Every function on CHTTPSock which works with request parameters now has a new flag bool bPost which decides whether only POST or GET parameters should be used. This breaks everything which tries to access GET parameters, but once this is fixed we should be pretty safe against CSRF. Modified Paths: -------------- trunk/HTTPSock.cpp trunk/HTTPSock.h Modified: trunk/HTTPSock.cpp =================================================================== --- trunk/HTTPSock.cpp 2010-04-25 13:52:19 UTC (rev 1934) +++ trunk/HTTPSock.cpp 2010-04-25 14:09:23 UTC (rev 1935) @@ -66,7 +66,7 @@ void CHTTPSock::CheckPost() { if (m_sPostData.size() >= m_uPostLen) { - ParseParams(m_sPostData.Left(m_uPostLen)); + ParseParams(m_sPostData.Left(m_uPostLen), m_msvsPOSTParams); GetPage(); m_sPostData.clear(); m_bDone = true; @@ -245,7 +245,7 @@ } void CHTTPSock::ParseURI() { - ParseParams(m_sURI.Token(1, true, "?")); + ParseParams(m_sURI.Token(1, true, "?"), m_msvsGETParams); m_sURI = m_sURI.Token(0, false, "?"); } @@ -253,8 +253,8 @@ return m_sURI.Token(0, false, "?"); } -void CHTTPSock::ParseParams(const CString& sParams) { - m_msvsParams.clear(); +void CHTTPSock::ParseParams(const CString& sParams, map<CString, VCString> &msvsParams) { + msvsParams.clear(); VCString vsPairs; sParams.Split("&", vsPairs, true); @@ -264,7 +264,7 @@ CString sName = sPair.Token(0, false, "=").Escape_n(CString::EURL, CString::EASCII); CString sValue = sPair.Token(1, true, "=").Escape_n(CString::EURL, CString::EASCII); - m_msvsParams[sName].push_back(sValue); + msvsParams[sName].push_back(sValue); } } 
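Review bot: In the ParseURI hunk the new call clears and refills only `m_msvsGETParams`, so `m_msvsPOSTParams` is now reset nowhere except in CheckPost, which presumably runs only for requests that carry a body. If a CHTTPSock object can ever serve a second request without a body, handlers that call `GetParam(name)` with the default `bPost = true` would read the previous request's POST values. Whether that can happen is not visible here, since `m_bDone = true` suggests one request per socket. A cheap safeguard is `m_msvsPOSTParams.clear();` at the top of ParseURI.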
@@ -293,25 +293,39 @@ return m_sPostData; } -bool CHTTPSock::HasParam(const CString& sName) const { - return (m_msvsParams.find(sName) != m_msvsParams.end()); +bool CHTTPSock::HasParam(const CString& sName, bool bPost) const { + if (bPost) + return (m_msvsPOSTParams.find(sName) != m_msvsPOSTParams.end()); + return (m_msvsGETParams.find(sName) != m_msvsGETParams.end()); } -CString CHTTPSock::GetRawParam(const CString& sName) const { +CString CHTTPSock::GetRawParam(const CString& sName, bool bPost) const { + if (bPost) + return GetRawParam(sName, m_msvsPOSTParams); + return GetRawParam(sName, m_msvsGETParams); +} + +CString CHTTPSock::GetRawParam(const CString& sName, const map<CString, VCString>& msvsParams) { CString sRet; - map<CString, VCString>::const_iterator it = m_msvsParams.find(sName); + map<CString, VCString>::const_iterator it = msvsParams.find(sName); - if (it != m_msvsParams.end() && it->second.size() > 0) { + if (it != msvsParams.end() && it->second.size() > 0) { sRet = it->second[0]; } return sRet; } -CString CHTTPSock::GetParam(const CString& sName, const CString& sFilter) const { - CString sRet = GetRawParam(sName); +CString CHTTPSock::GetParam(const CString& sName, bool bPost, const CString& sFilter) const { + if (bPost) + return GetParam(sName, m_msvsPOSTParams, sFilter); + return GetParam(sName, m_msvsGETParams, sFilter); +} +CString CHTTPSock::GetParam(const CString& sName, const map<CString, VCString>& msvsParams, const CString& sFilter) { + CString sRet = GetRawParam(sName, msvsParams); + for (size_t i = 0; i < sFilter.length(); i++) { sRet.Replace(CString(sFilter.at(i)), ""); } 
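Review bot: The `if (bPost)` branches in HasParam, GetRawParam and GetParam limit handlers to body parameters, which stops requests forged through links or image URLs but not a cross-site form that submits a POST. The log message's CSRF claim therefore holds only for GET-based forgery; a per-session token (or an Origin/Referer check) verified before any POST handler acts is still needed, and nothing in this diff adds one. I would record that next to the wrappers, e.g. `// bPost only selects the parameter source; POST handlers must still verify a CSRF token.` The tail of GetParam after the filter loop lies outside the hunk.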
@@ -319,12 +333,18 @@ return sRet; } -unsigned int CHTTPSock::GetParamValues(const CString& sName, set<CString>& ssRet, const CString& sFilter) const { +unsigned int CHTTPSock::GetParamValues(const CString& sName, set<CString>& ssRet, bool bPost, const CString& sFilter) const { + if (bPost) + return GetParamValues(sName, ssRet, m_msvsPOSTParams, sFilter); + return GetParamValues(sName, ssRet, m_msvsGETParams, sFilter); +} + +unsigned int CHTTPSock::GetParamValues(const CString& sName, set<CString>& ssRet, const map<CString, VCString>& msvsParams, const CString& sFilter) { ssRet.clear(); - map<CString, VCString>::const_iterator it = m_msvsParams.find(sName); + map<CString, VCString>::const_iterator it = msvsParams.find(sName); - if (it != m_msvsParams.end()) { + if (it != msvsParams.end()) { for (unsigned int a = 0; a < it->second.size(); a++) { CString sParam = it->second[a]; @@ -338,12 +358,18 @@ return ssRet.size(); } -unsigned int CHTTPSock::GetParamValues(const CString& sName, VCString& vsRet, const CString& sFilter) const { +unsigned int CHTTPSock::GetParamValues(const CString& sName, VCString& vsRet, bool bPost, const CString& sFilter) const { + if (bPost) + return GetParamValues(sName, vsRet, m_msvsPOSTParams, sFilter); + return GetParamValues(sName, vsRet, m_msvsGETParams, sFilter); +} + +unsigned int CHTTPSock::GetParamValues(const CString& sName, VCString& vsRet, const map<CString, VCString>& msvsParams, const CString& sFilter) { vsRet.clear(); - map<CString, VCString>::const_iterator it = m_msvsParams.find(sName); + map<CString, VCString>::const_iterator it = msvsParams.find(sName); - if (it != m_msvsParams.end()) { + if (it != msvsParams.end()) { for (unsigned int a = 0; a < it->second.size(); a++) { CString sParam = it->second[a]; 
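Review bot: Each public wrapper here repeats the same `if (bPost)` choice between `m_msvsPOSTParams` and `m_msvsGETParams`, as do HasParam, GetRawParam and GetParam in the previous hunk and the vector overload of GetParamValues in the second hunk on this line. Since `GetParams(bool bPost)` already returns the right map, every wrapper can be a single line such as `return GetParamValues(sName, ssRet, GetParams(bPost), sFilter);`, which leaves one place where the GET/POST choice has to be right. The bodies of both static overloads continue outside the hunks.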
@@ -357,8 +383,10 @@ return vsRet.size(); } -const map<CString, VCString>& CHTTPSock::GetParams() const { - return m_msvsParams; +const map<CString, VCString>& CHTTPSock::GetParams(bool bPost) const { + if (bPost) + return m_msvsPOSTParams; + return m_msvsGETParams; } bool CHTTPSock::IsPost() const { Modified: trunk/HTTPSock.h =================================================================== --- trunk/HTTPSock.h 2010-04-25 13:52:19 UTC (rev 1934) +++ trunk/HTTPSock.h 2010-04-25 14:09:23 UTC (rev 1935) @@ -47,7 +47,7 @@ bool Redirect(const CString& sURL); CString GetErrorPage(unsigned int uStatusId, const CString& sStatusMsg, const CString& sMessage); bool PrintErrorPage(unsigned int uStatusId, const CString& sStatusMsg, const CString& sMessage); - void ParseParams(const CString& sParams); + static void ParseParams(const CString& sParams, map<CString, VCString>& msvsParams); void ParseURI(); void GetPage(); @@ -63,9 +63,6 @@ // !Setters // Getters - bool HasParam(const CString& sName) const; - CString GetRawParam(const CString& sName) const; - CString GetParam(const CString& sName, const CString& sFilter = "\r\n") const; CString GetPath() const; bool IsLoggedIn() const { return m_bLoggedIn; } const CString& GetDocRoot() const; 
@@ -73,12 +70,23 @@ const CString& GetPass() const; const CString& GetParamString() const; const CString& GetContentType() const; - unsigned int GetParamValues(const CString& sName, VCString& vsRet, const CString& sFilter = "\r\n") const; - unsigned int GetParamValues(const CString& sName, set<CString>& ssRet, const CString& sFilter = "\r\n") const; - const map<CString, VCString>& GetParams() const; bool IsPost() const; // !Getters + + // Parameter access + CString GetParam(const CString& sName, bool bPost = true, const CString& sFilter = "\r\n") const; + CString GetRawParam(const CString& sName, bool bPost = true) const; + bool HasParam(const CString& sName, bool bPost = true) const; + const map<CString, VCString>& GetParams(bool bPost = true) const; + unsigned int GetParamValues(const CString& sName, VCString& vsRet, bool bPost = true, const CString& sFilter = "\r\n") const; + unsigned int GetParamValues(const CString& sName, set<CString>& ssRet, bool bPost = true, const CString& sFilter = "\r\n") const; + // !Parameter access private: + static CString GetRawParam(const CString& sName, const map<CString, VCString>& msvsParams); + static CString GetParam(const CString& sName, const map<CString, VCString>& msvsParams, const CString& sFilter); + static unsigned int GetParamValues(const CString& sName, VCString& vsRet, const map<CString, VCString>& msvsParams, const CString& sFilter); + static unsigned int GetParamValues(const CString& sName, set<CString>& ssRet, const map<CString, VCString>& msvsParams, const CString& sFilter); + protected: void PrintPage(const CString& sPage); void Init(); 
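Review bot: Inserting `bool bPost = true` ahead of `sFilter` in GetParam and both GetParamValues declarations lets existing calls that pass a custom filter keep compiling with a different meaning. A string literal converts to `bool` by a standard conversion, so `GetParam("name", "")` now means bPost = true with the default `"\r\n"` filter. Any caller that relied on its own filter silently loses it; whether such callers exist is not visible in this diff. Dropping the default on `bPost`, or replacing the flag with an enum parameter, would turn those call sites into compile errors instead.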
@@ -95,7 +103,8 @@ CString m_sPass; CString m_sContentType; CString m_sDocRoot; - map<CString, VCString> m_msvsParams; + map<CString, VCString> m_msvsPOSTParams; + map<CString, VCString> m_msvsGETParams; MCString m_msHeaders; bool m_bHTTP10Client; CString m_sIfNoneMatch; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |