ref: ecfd825d0afbebc8c4538be97c5bdfe42ffbb7ba
parent: 280c9fbff152b86c07dec9d1e470cf6acc40e74f
author: uriel <uriel@engel.se.cat-v.org>
date: Fri Jan 30 11:13:06 EST 2009
Make http_redirect resolve non-absolute uris. Only allow safe chars for user names. Reliability fixes when checking $status (don't check $#status!). Check user succeeds always if user in admin group.
--- a/bin/cgilib.rc
+++ b/bin/cgilib.rc
@@ -10,8 +10,14 @@
fn escape_html { sed 's/&/\&/g; s/</\</g; s/>/\>/g' $* }
fn http_redirect {
+ if(~ $1 http:* https:*)
+ t=$1
+ if not if(~ $1 /*)
+ t=$"base_url^$1
+ if not
+ t=$"base_url^$"req_path^$1
echo 'Status: '^$2^'
-Location: '^$1^'
+Location: '^$t^'
'
exit
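Review bot: The relative-URI branch, `t=$"base_url^$"req_path^$1`, joins `$req_path` and `$1` with no separator, so unless `$req_path` is guaranteed to end in `/` (not visible here) a target such as `edit` becomes `.../pageedit` rather than `.../page/edit`; if the invariant holds, record it with `# req_path ends in /, so the plain ^ join is safe`, otherwise add the slash conditionally. The scheme test `~ $1 http:* https:*` only recognises lower-case schemes, and a protocol-relative `//host/path` falls into the `/*` branch and is rewritten under `$base_url`, which keeps the redirect on the local site — if that is intended, a comment saying so would spare the next reader. As before the change, `$t` is written straight into the Location header, so callers are trusted not to pass a value containing CR or LF. http_redirect's closing brace is not visible in this hunk.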
@@ -189,7 +195,7 @@
fn template { awk -f bin/template.awk $* | rc $rcargs }
# Auth code
-
+allowed_user_chars='[a-zA-Z0-9_]'
# Cookie format: WERC_USER: name:timestamp:hash(name.timestamp.password)
# login_user can't be used from a template because it sets a cookie
fn login_user {
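Review bot: `allowed_user_chars` is introduced without a comment saying what it is for or how it is meant to be applied, and the code that consumes it is not in this diff. Because it is a single-character class, any check built from it has to be anchored and repeated over the whole name; matched once, a name that merely contains one permitted character would pass. Suggest documenting that at the definition: `# Character class for valid user names; match it anchored and repeated over the whole name, never just once`.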
@@ -198,13 +204,13 @@
set_cookie werc_user $"logged_user^':0:'^$"logged_password
}
-# Check loggin status, if called with group arg we check membership too
+# Check login status, if called with group arg we check membership too
fn check_user {
get_user
_status=$status
- if(! ~ $#_status 0 )
+ if(! ~ $"_status '')
_status=(Not logged in: $"_status)
- if not if(! ~ $#* 0 && ! grep -s '^'^$logged_user^'$' etc/groups/$*) {
+ if not if(! ~ $#* 0 && ! grep -s '^'^$logged_user^'$' etc/groups/$* etc/groups/admin) {
dprint NOT IN GROUP
_status=(User $logged_user not in groups $*)
}
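Review bot: On the `if not if(...)` line `$logged_user` is spliced unescaped into the grep pattern, so the membership test (and the new fallback on `etc/groups/admin`) is only as reliable as the guarantee that the name holds nothing grep treats specially; presumably `allowed_user_chars` is enforced where get_user sets `logged_user`, but that is outside this hunk, so a comment here would record the dependency: `# logged_user is used as a regex: relies on get_user enforcing allowed_user_chars`. If `$logged_user` ever expands to more than one word, rc's `^` distributes over the list and grep receives the extra pattern as a file-name argument, so a `~ $#logged_user 1` guard before the grep would make the check fail closed rather than ambiguously. check_user's body continues past the end of the hunk.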