added a classname form control for validating classnames and do taint checking

JT Smith 2006-05-10 23:01:15 +00:00
parent a1a920cfea
commit 21fedb9051
5 changed files with 109 additions and 15 deletions


@ -525,7 +525,7 @@ sub getEditForm {
});
$tabform->hidden({
name=>"class",
value=>$self->session->form->process("class")
value=>$self->session->form->process("class","className")
});
} else {
my $ac = $self->getAdminConsole;
@ -1244,7 +1244,7 @@ sub manageAssetsSearch {
tie %classes, "Tie::IxHash";
%classes = ("any"=>"Any Class", $self->session->db->buildHash("select distinct(className) from asset"));
delete $classes{"WebGUI::Asset"}; # don't want to search for the root asset
$output .= WebGUI::Form::selectBox($self->session, {name=>"class", value=>$self->session->form->get("class","selectBox"), defaultValue=>"any", options=>\%classes});
$output .= WebGUI::Form::selectBox($self->session, {name=>"class", value=>$self->session->form->process("class","className"), defaultValue=>"any", options=>\%classes});
$output .= WebGUI::Form::hidden($self->session, {name=>"func", value=>"manageAssets"});
$output .= WebGUI::Form::hidden($self->session, {name=>"doit", value=>"1"});
$output .= WebGUI::Form::submit($self->session, {value=>"Search"});
@ -1252,7 +1252,7 @@ sub manageAssetsSearch {
$self->session->output->print($output);
$output = '';
return undef unless ($self->session->form->get("doit"));
my $class = $self->session->form->get("class") eq "any" ? undef : $self->session->form->get("class");
my $class = $self->session->form->process("class","className") eq "any" ? undef : $self->session->form->process("class","className");
my $assets = WebGUI::Search->new($self->session,0)->search({
keywords=>$self->session->form->get("keywords"),
classes=>[$class]
@ -1766,7 +1766,7 @@ Adds a new Asset based upon the class of the current form. Returns the Asset cal
sub www_add {
my $self = shift;
my %prototypeProperties;
my $class = $self->session->form->process("class");
my $class = $self->session->form->process("class","className");
unless ($class =~ m/^[A-Za-z0-9\:]+$/) {
$self->session->errorHandler->security("tried to call an invalid class ".$class);
return "";
@ -1897,7 +1897,7 @@ sub www_editSave {
}
my $object;
if ($self->session->form->process("assetId") eq "new") {
$object = $self->addChild({className=>$self->session->form->process("class")});
$object = $self->addChild({className=>$self->session->form->process("class","className")});
return $self->www_view unless defined $object;
$object->{_parent} = $self;
} else {
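Review bot: www_editSave on L52 passes the filtered `class` value straight to addChild, while the same value in www_add is first checked against `m/^[A-Za-z0-9\:]+$/` (L44); the new control only narrows the character set and says nothing about whether the class exists or may be created here, so the two entry points now apply different guards to the same input. If addChild resolves the class name to a module (not visible in this hunk), editSave is the weaker path. I would mirror the www_add guard before the call: `my $class = $self->session->form->process("class","className");` then `return $self->www_view unless $class =~ m/\A[A-Za-z0-9_:]+\z/;` and `$object = $self->addChild({className=>$class});`, and change L44 to the same `\A…\z` anchors since `$` accepts a trailing newline. www_editSave and the other functions touched here continue outside their hunks.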


@ -97,7 +97,7 @@ sub canAdd {
#-------------------------------------------------------------------
sub canEdit {
my $self = shift;
return (($self->session->form->process("func") eq "add" || ($self->session->form->process("assetId") eq "new" && $self->session->form->process("func") eq "editSave" && $self->session->form->process("class") eq "WebGUI::Asset::Post")) && $self->getThread->getParent->canPost) || # account for new posts
return (($self->session->form->process("func") eq "add" || ($self->session->form->process("assetId") eq "new" && $self->session->form->process("func") eq "editSave" && $self->session->form->process("class","className") eq "WebGUI::Asset::Post")) && $self->getThread->getParent->canPost) || # account for new posts
($self->isPoster && $self->getThread->getParent->get("editTimeout") > ($self->session->datetime->time() - $self->get("dateUpdated"))) ||
$self->getThread->getParent->canEdit;
@ -919,12 +919,12 @@ sub www_edit {
})
.WebGUI::Form::hidden($self->session, {
name=>"class",
value=>$self->session->form->process("class")
value=>$self->session->form->process("class","className")
});
$var{'isNewPost'} = 1;
$content = $self->session->form->process("content");
$title = $self->session->form->process("title");
if ($self->session->form->process("class") eq "WebGUI::Asset::Post") { # new reply
if ($self->session->form->process("class","className") eq "WebGUI::Asset::Post") { # new reply
$self->{_thread} = $self->getParent->getThread;
return $self->session->privilege->insufficient() unless ($self->getThread->canReply);
$var{isReply} = 1;
@ -943,7 +943,7 @@ sub www_edit {
name=>"subscribe",
value=>$self->session->form->process("subscribe")
});
} elsif ($self->session->form->process("class") eq "WebGUI::Asset::Post::Thread") { # new thread
} elsif ($self->session->form->process("class","className") eq "WebGUI::Asset::Post::Thread") { # new thread
return $self->session->privilege->insufficient() unless ($self->getThread->getParent->canPost);
$var{isNewThread} = 1;
if ($self->getThread->getParent->canEdit) {
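Review bot: canEdit (L64) and www_edit (L78, L87) compare the value returned by the ClassName control to literal names containing `::`, but that control's getValueFromPost in this same commit strips every character outside `[\w\d\s]`, colons included, so these comparisons cannot match: the editSave clause of canEdit can never be satisfied and www_edit skips both the reply and new-thread branches. The fix belongs in the control (keep `:` in its allowlist) rather than in this file, but this is where the regression shows, and since canEdit is an authorization decision it deserves a test that submits `class=WebGUI::Asset::Post` with `assetId=new` and `func=editSave` and asserts the canPost path is taken. Both canEdit's expression and www_edit extend beyond the hunks.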


@ -0,0 +1,94 @@
package WebGUI::Form::ClassName;
=head1 LEGAL
-------------------------------------------------------------------
WebGUI is Copyright 2001-2006 Plain Black Corporation.
-------------------------------------------------------------------
Please read the legal notices (docs/legal.txt) and the license
(docs/license.txt) that came with this distribution before using
this software.
-------------------------------------------------------------------
http://www.plainblack.com info@plainblack.com
-------------------------------------------------------------------
=cut
use strict;
use base 'WebGUI::Form::Text';
use WebGUI::International;
=head1 NAME
Package WebGUI::Form::ClassName
=head1 DESCRIPTION
Creates a field for typing in perl class names which is validated for taint safety.
=head1 SEE ALSO
This is a subclass of WebGUI::Form::Text.
=head1 METHODS
The following methods are specifically available from this class. Check the superclass for additional methods.
=cut
#-------------------------------------------------------------------
=head2 definition ( [ additionalTerms ] )
See the super class for additional details.
=cut
sub definition {
my $class = shift;
my $session = shift;
my $definition = shift || [];
my $i18n = WebGUI::International->new($session);
push(@{$definition}, {
formName=>{
defaultValue=>"Class Name"
},
profileEnabled=>{
defaultValue=>1
},
});
return $class->SUPER::definition($session, $definition);
}
#-------------------------------------------------------------------
=head2 getValueFromPost ( )
Returns a class name which has been taint checked.
=cut
sub getValueFromPost {
my $self = shift;
my $value = $self->session->form->param($self->get("name"));
$value =~ s/[^\w\d\s]//g;
return $value;
}
#-------------------------------------------------------------------
=head2 toHtml ( )
Renders a class name field.
=cut
sub toHtml {
my $self = shift;
$self->session->style->setScript($self->session->url->extras('inputCheck.js'),{ type=>'text/javascript' });
$self->set("extras", $self->get('extras') . ' onkeyup="doInputCheck(document.getElementById(\''.$self->get("id").'\'),\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890:_\')" ');
return $self->SUPER::toHtml;
}
1;
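Review bot: getValueFromPost on L145 strips every character outside `[\w\d\s]`, which removes `:`, so any real class name such as `WebGUI::Asset::Post` comes back mangled as `WebGUIAssetPost` — the client-side allowlist on L155 keeps `:` and `_`, and the callers in this commit compare the result against `::`-qualified names, so server and client disagree. A substitution also does not clear Perl's taint flag; only a regex capture does, so the "taint checking" in the commit title is not achieved by `s///`. I would replace L145–L146 with `return "" unless defined $value && $value =~ m/\A([A-Za-z0-9_:]+)\z/;` followed by `return $1;`, which rejects whitespace and anything else outside the JavaScript alphabet, untaints via the capture, and avoids an uninitialized-value warning when the parameter is absent. Minor: `$i18n` in definition (L127) is assigned and never used.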


@ -42,7 +42,7 @@ sub www_formAssetTree {
my $ancestors = $base->getLineage(["self","ancestors"],{returnObjects=>1});
foreach my $ancestor (@{$ancestors}) {
my $url = $ancestor->getUrl("op=formAssetTree;formId=".$session->form->process("formId"));
$url .= ";classLimiter=".$session->form->process("classLimiter") if ($session->form->process("classLimiter"));
$url .= ";classLimiter=".$session->form->process("classLimiter","className") if ($session->form->process("classLimiter","className"));
push(@crumb,'<a href="'.$url.'" class="crumb">'.$ancestor->get("menuTitle").'</a>');
}
my $output = '
@ -79,7 +79,7 @@ sub www_formAssetTree {
<div class="crumbTrail">'.join(" &gt; ", @crumb)."</div><br />\n";
my $children = $base->getLineage(["children"],{returnObjects=>1});
my $i18n = WebGUI::International->new($session);
my $limit = $session->form->process("classLimiter");
my $limit = $session->form->process("classLimiter","className");
foreach my $child (@{$children}) {
next unless $child->canView;
if ($limit eq "" || $child->get("className") =~ /^$limit/) {
@ -90,7 +90,7 @@ sub www_formAssetTree {
$output .= '<span class="selectLink">['.$i18n->get("select").']</span> ';
}
my $url = $child->getUrl("op=formAssetTree;formId=".$session->form->process("formId"));
$url .= ";classLimiter=".$session->form->process("classLimiter") if ($session->form->process("classLimiter"));
$url .= ";classLimiter=".$session->form->process("classLimiter","className") if ($session->form->process("classLimiter","className"));
$output .= '<a href="'.$url.'" class="traverse">'.$child->get("menuTitle").'</a>'."<br />\n";
}
$output .= '</div></body></html>';
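Review bot: `$limit` is still interpolated unescaped into the regex on L179 (`/^$limit/`), and the only thing keeping regex metacharacters out of it is the ClassName control's character filter; this loop should not depend on a form control for that. Use `$child->get("className") =~ /^\Q$limit\E/` so the prefix match is literal regardless of what the filter allows (as written the filter permits whitespace). The same value is also spliced into the href on L167 and L185 without escaping, which the filter likewise happens to cover today. www_formAssetTree begins before the first hunk.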


@ -264,8 +264,8 @@ sub www_editWorkflowActivity {
my $session = shift;
return $session->privilege->insufficient() unless ($session->user->isInGroup("pbgroup000000000000015"));
my $activity = '';
if ($session->form->get("className")) {
$activity = WebGUI::Workflow::Activity->newByPropertyHashRef($session, {activityId=>"new",className=>$session->form->get("className")});
if ($session->form->process("className","className")) {
$activity = WebGUI::Workflow::Activity->newByPropertyHashRef($session, {activityId=>"new",className=>$session->form->process("className","className")});
} else {
$activity = WebGUI::Workflow::Activity->new($session, $session->form->get("activityId"));
}
@ -296,7 +296,7 @@ sub www_editWorkflowActivitySave {
my $activityId = $session->form->get("activityId");
my $activity = '';
if ($activityId eq "new") {
$activity = $workflow->addActivity($session->form->get("className"));
$activity = $workflow->addActivity($session->form->process("className","className"));
} else {
$activity = $workflow->getActivity($activityId);
}
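Review bot: the filtered `className` goes into newByPropertyHashRef (L199) and addActivity (L208) with no check that it names a registered workflow activity; the ClassName control only constrains the alphabet, so any well-formed module name is accepted and, if either call loads the class by name (not visible here), the group check on L194 is the sole barrier to instantiating an arbitrary package. Validate against the set of activity classes the site actually registers before constructing, e.g. `return $session->privilege->insufficient() unless $isKnownActivity{$className};` with `%isKnownActivity` built from wherever the site lists its activities. Both www_editWorkflowActivity and www_editWorkflowActivitySave extend beyond their hunks.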