ref: 64e62d3b3040a78b5ef187f3d9ad41ff6ac6278f
parent: 4b8ea49899363f37f7da2ff77506f4089dce46fb
author: uriel <[email protected]>
date: Sat Jun 6 12:20:02 EDT 2009
Move shared .tpl files to tpl/ from lib/, this fixes a DoS vulneravility where master_template.tpl could be accessed as a standalone .tpl file that recursively called itself.
--- a/bin/corehandlers.rc
+++ b/bin/corehandlers.rc
@@ -92,7 +92,7 @@
if not if(test -f $local_path.html)
handler_body_main=(html_handler $local_path.html)
# Global tpl (eg sitemap.tpl), should take precedence over txt handler!
- if not if(test -f lib^$req_path^.tpl)
+ if not if(test -f tpl^$req_path^.tpl)
handler_body_main=(tpl_handler lib^$req_path^.tpl)
if not if(test -f $local_path.txt)
handler_body_main=(txt_handler $local_path.txt)
--- a/lib/_debug.tpl
+++ /dev/null
@@ -1,29 +1,0 @@
-% if(! ~ $#debug_shell 0) {
-<form method="POST" name="prompt">
-<input size="80" type="text" name="command" value="%($"post_arg_command%)" />
-<input type="submit" Value="Run" />
-</form>
-<script language="javascript"><!--
-document.prompt.command.focus()
-//--></script>
-
-%{
-fn evl {
- # Buffering is probably messing this up:
- #rc -c 'flag x +;{'^$post_arg_command'} |[2] awk ''{print ">> "$0}'''
- rc -c 'flag s +; flag x +;'^$post_arg_command
-}
- if(! ~ $#post_arg_command 0 && ! ~ $#post_arg_command '') {
- echo '<hr /><pre>'
- evl | escape_html |[2] awk '{print "<b>"$0"</b>"}'
- echo '</pre>'
- }
-%}
-% }
-
-<hr /><pre>
-% env | escape_html
-</pre><hr />
-
-% umask
-
--- a/lib/_users/login.tpl
+++ /dev/null
@@ -1,18 +1,0 @@
-<h1>User login</h1>
-<br />
-% if(check_user) {
- You are logged in as: <b>%($logged_user%)</b>
-% }
-% if not {
-% if (~ $REQUEST_METHOD POST)
-% echo '<div class="notify_errors">Login failed!</div>'
-<form method="post" action="" style="text-align: right; float: left;">
-<fieldset>
- <label>User name: <input type="text" name="user_name" value="%($"post_arg_user_name%)"/></label><br />
- <label>User password: <input type="password" name="user_password" /></label><br />
- <input name="s" type="submit" value="Login" />
-</fieldset>
-</form>
-% }
-
-<br style="clear:left" />
--- a/lib/sitemap.tpl
+++ /dev/null
@@ -1,65 +1,0 @@
-<h1>Site map</h1>
-
-%{
-tmpfile=/tmp/werc_sitemap_$pid.txt
-saveddf=$dirfilter
-
-fn get_md_title {
- sed 's/^(................................................................[^ ]*).*$/\1/g; 1q' < $1
-}
-
-fn get_html_title {
- # H1 is not reliable because htmlroff doesn't use it :(
- #desc=`{cat $1 | sed 32q | grep '<[Hh]1>' | sed 's/<[Hh]1>(.*)(<\/[Hh]1>|$)/\1/;s/<[^>]*>//g;1q'}
- # Pick the first line of body instead
- desc=`{sed -n '/<[Bb][Oo][Dd][Yy]/,/./s/(<[^>]*>|$)//gp' < $1}
- if(~ $#desc 0)
- desc=`{sed 's/<[^>]*>//g; 1q' < $1}
-}
-
-fn get_file_title {
-
- if(~ $1 */) {
- if(test -f $1/index.md)
- get_md_title $1/index.md
- if not if(test -f $1/index.html)
- get_html_title $1/index.html
- }
- if not if(~ $1 *.md)
- get_md_title $1
- if not if(~ $1 *.html)
- get_html_title $1
- if not
- echo ''
-}
-
-fn listDir {
- d=$1
- dirfilter=$saveddf
- if(test -f $d/_werc/config)
- . ./$d/_werc/config
-
- if(~ $#perm_redir_to 0) {
- echo '<ul class="sitemap-list">'
-
- for(i in `{ls -dF $d^*/ $d^*.md $d^*.html $d^*.txt >[2]/dev/null | sed $dirfilter}) {
- desc=`{get_file_title $i}
- u=`{echo $i|sed 's!'$sitedir'!!; '$dirclean's!/index$!/!; '}
- if(! ~ $#desc 0 && ! ~ $desc '')
- desc=' - '$"desc
- n=`{echo /$u|sed 's/_/ /g; s,.*/([^/]+)/?$,\1,'}
- echo '<li><a href="'$base_url$u'">'^$"n^'</a>' $"desc '</li>'
- echo $base_url^$u >> $tmpfile
- if(test -d $i)
- @{ listDir $i }
- }
- echo '</ul>'
- }
-}
-
-fltr_cache listDir $sitedir/
-
-if(test -s $tmpfile)
- mv $tmpfile $sitedir/sitemap.txt &
-
-%}
--- /dev/null
+++ b/tpl/_debug.tpl
@@ -1,0 +1,29 @@
+% if(! ~ $#debug_shell 0) {
+<form method="POST" name="prompt">
+<input size="80" type="text" name="command" value="%($"post_arg_command%)" />
+<input type="submit" Value="Run" />
+</form>
+<script language="javascript"><!--
+document.prompt.command.focus()
+//--></script>
+
+%{
+fn evl {
+ # Buffering is probably messing this up:
+ #rc -c 'flag x +;{'^$post_arg_command'} |[2] awk ''{print ">> "$0}'''
+ rc -c 'flag s +; flag x +;'^$post_arg_command
+}
+ if(! ~ $#post_arg_command 0 && ! ~ $#post_arg_command '') {
+ echo '<hr /><pre>'
+ evl | escape_html |[2] awk '{print "<b>"$0"</b>"}'
+ echo '</pre>'
+ }
+%}
+% }
+
+<hr /><pre>
+% env | escape_html
+</pre><hr />
+
+% umask
+
--- /dev/null
+++ b/tpl/_users/login.tpl
@@ -1,0 +1,18 @@
+<h1>User login</h1>
+<br />
+% if(check_user) {
+ You are logged in as: <b>%($logged_user%)</b>
+% }
+% if not {
+% if (~ $REQUEST_METHOD POST)
+% echo '<div class="notify_errors">Login failed!</div>'
+<form method="post" action="" style="text-align: right; float: left;">
+<fieldset>
+ <label>User name: <input type="text" name="user_name" value="%($"post_arg_user_name%)"/></label><br />
+ <label>User password: <input type="password" name="user_password" /></label><br />
+ <input name="s" type="submit" value="Login" />
+</fieldset>
+</form>
+% }
+
+<br style="clear:left" />
--- /dev/null
+++ b/tpl/sitemap.tpl
@@ -1,0 +1,65 @@
+<h1>Site map</h1>
+
+%{
+tmpfile=/tmp/werc_sitemap_$pid.txt
+saveddf=$dirfilter
+
+fn get_md_title {
+ sed 's/^(................................................................[^ ]*).*$/\1/g; 1q' < $1
+}
+
+fn get_html_title {
+ # H1 is not reliable because htmlroff doesn't use it :(
+ #desc=`{cat $1 | sed 32q | grep '<[Hh]1>' | sed 's/<[Hh]1>(.*)(<\/[Hh]1>|$)/\1/;s/<[^>]*>//g;1q'}
+ # Pick the first line of body instead
+ desc=`{sed -n '/<[Bb][Oo][Dd][Yy]/,/./s/(<[^>]*>|$)//gp' < $1}
+ if(~ $#desc 0)
+ desc=`{sed 's/<[^>]*>//g; 1q' < $1}
+}
+
+fn get_file_title {
+
+ if(~ $1 */) {
+ if(test -f $1/index.md)
+ get_md_title $1/index.md
+ if not if(test -f $1/index.html)
+ get_html_title $1/index.html
+ }
+ if not if(~ $1 *.md)
+ get_md_title $1
+ if not if(~ $1 *.html)
+ get_html_title $1
+ if not
+ echo ''
+}
+
+fn listDir {
+ d=$1
+ dirfilter=$saveddf
+ if(test -f $d/_werc/config)
+ . ./$d/_werc/config
+
+ if(~ $#perm_redir_to 0) {
+ echo '<ul class="sitemap-list">'
+
+ for(i in `{ls -dF $d^*/ $d^*.md $d^*.html $d^*.txt >[2]/dev/null | sed $dirfilter}) {
+ desc=`{get_file_title $i}
+ u=`{echo $i|sed 's!'$sitedir'!!; '$dirclean's!/index$!/!; '}
+ if(! ~ $#desc 0 && ! ~ $desc '')
+ desc=' - '$"desc
+ n=`{echo /$u|sed 's/_/ /g; s,.*/([^/]+)/?$,\1,'}
+ echo '<li><a href="'$base_url$u'">'^$"n^'</a>' $"desc '</li>'
+ echo $base_url^$u >> $tmpfile
+ if(test -d $i)
+ @{ listDir $i }
+ }
+ echo '</ul>'
+ }
+}
+
+fltr_cache listDir $sitedir/
+
+if(test -s $tmpfile)
+ mv $tmpfile $sitedir/sitemap.txt &
+
+%}