ccc449b 1) There were several places where DSGW would output and eval arbitrary javascript code passed in a CGI parameter. These have been replaced with resource strings. In all cases the values were output escaped, but still, we shouldn't be passing around bits of javascript code to execute.

Authored and Committed by rmeggins 13 years ago
53 files changed. 331 lines added. 213 lines removed.
cgiutil.c                      file modified    +8 -1
config/list-Auth.html.in       file modified    +3 -0
csearch.c                      file modified    +1 -3
dbtdsgw.h                      file modified    +11 -1
dnedit.c                       file modified    +1 -1
doauth.c                       file modified    +4 -1
dosearch.c                     file modified    +29 -5
dsgw.h                         file modified    +9 -2
dsgwgetlang.c                  file modified    +47 -1
dsgwi18n.h                     file modified    +6 -0
dsgwutil.c                     file modified    +0 -68
emitauth.c                     file modified    +16 -1
entrydisplay.c                 file modified    +11 -36
htmlout.c                      file modified    +41 -0
htmlparse.c                    file modified    +1 -1
lang.c                         file modified    +1 -17
ldaputil.c                     file modified    +1 -8
newentry.c                     file modified    +27 -47
pbconfig/list-Auth.html.in     file modified    +4 -1
search.c                       file modified    +10 -4
tests/dnedit/testget.4         file added       +1
tests/doauth/testpost.4        file modified    +1 -1
tests/dosearch/testget.1       file added       +0
tests/dosearch/testget.10      file added       +1
tests/dosearch/testget.2       file added       +1
tests/dosearch/testget.3       file added       +1
tests/dosearch/testget.4       file added       +1
tests/dosearch/testget.5       file added       +1
tests/dosearch/testget.6       file added       +1
tests/dosearch/testget.7       file added       +1
tests/dosearch/testget.8       file added       +1
tests/dosearch/testget.9       file added       +1
tests/dosearch/testpost.1      file added       +0
tests/dosearch/testpost.2      file added       +1
tests/dosearch/testpost.3      file added       +1
tests/dosearch/testpost.4      file added       +1
tests/dosearch/testpost.5      file added       +1
tests/dosearch/testpost.6      file added       +1
tests/dosearch/testpost.7      file added       +1
tests/dosearch/testpost.8      file added       +1
tests/edit/testget.13          file modified    +1 -1
tests/lang/testget.13          file added       +1
tests/newentry/testget.1       file added       +0
tests/newentry/testget.2       file added       +1
tests/newentry/testget.3       file added       +1
tests/newentry/testget.4       file added       +1
tests/newentry/testget.5       file added       +1
tests/newentry/testpost.1      file added       +0
tests/newentry/testpost.2      file added       +1
tests/search/testget.1         file added       +0
tests/search/testget.2         file added       +1
tests/setup.sh                 file modified    +10 -9
tests/valgrind.supp            file modified    +64 -4
1) There were several places where DSGW would output and eval arbitrary javascript code passed in a CGI parameter. These have been replaced with resource strings. In all cases the values were output escaped, but still, we shouldn't be passing around bits of javascript code to execute.
2) ICU provides a function which can parse the HTTP_ACCEPT_LANGUAGE string and return the most appropriate locale, so we should use that for date calculation.
3) Found a couple of places where uninitialized values could be used, and fixed them.
4) Used PR_smprintf to simplify some strlen+malloc+strcpy+strcat code.
5) dsgw_get_cgi_var will check for NULL input.
6) Do not pass in the ldap host and port in form parameters. Always just use the values from the config file.
7) Added many new tests and valgrind suppressions (almost all from ICU).