diff options
Diffstat (limited to 'Bugzilla/CGI.pm')
| -rw-r--r-- | Bugzilla/CGI.pm | 66 |
1 files changed, 61 insertions, 5 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 4dd223a31..c003e9295 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -73,11 +73,22 @@ sub new { # Make sure our outgoing cookie list is empty on each invocation $self->{Bugzilla_cookie_list} = []; + # Path-Info is of no use for Bugzilla and interacts badly with IIS. + # Moreover, it causes unexpected behaviors, such as totally breaking + # the rendering of pages. + my $script = basename($0); + if ($self->path_info) { + my @whitelist = ("rest.cgi"); + Bugzilla::Hook::process('path_info_whitelist', { whitelist => \@whitelist }); + if (!grep($_ eq $script, @whitelist)) { + print $self->redirect($self->url(-path => 0, -query => 1)); + } + } + # Send appropriate charset $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : ''); # Redirect to urlbase/sslbase if we are not viewing an attachment. - my $script = basename($0); if ($self->url_is_attachment_base and $script ne 'attachment.cgi') { $self->redirect_to_urlbase(); } @@ -224,6 +235,26 @@ sub clean_search_url { } } +sub check_etag { + my ($self, $valid_etag) = @_; + + # ETag support. + my $if_none_match = $self->http('If-None-Match'); + return if !$if_none_match; + + my @if_none = split(/[\s,]+/, $if_none_match); + foreach my $possible_etag (@if_none) { + # remove quotes from begin and end of the string + $possible_etag =~ s/^\"//g; + $possible_etag =~ s/\"$//g; + if ($possible_etag eq $valid_etag or $possible_etag eq '*') { + return 1; + } + } + + return 0; +} + # Overwrite to ensure nph doesn't get set, and unset HEADERS_ONCE sub multipart_init { my $self = shift; @@ -316,6 +347,10 @@ sub header { unshift(@_, '-x_frame_options' => 'SAMEORIGIN'); } + if ($self->{'_content_disp'}) { + unshift(@_, '-content_disposition' => $self->{'_content_disp'}); + } + # Add X-XSS-Protection header to prevent simple XSS attacks # and enforce the blocking (rather than the rewriting) mode. unshift(@_, '-x_xss_protection' => '1; mode=block'); @@ -470,9 +505,9 @@ sub redirect_search_url { # GET requests that lacked a list_id are always redirected. POST requests # are only redirected if they're under the CGI_URI_LIMIT though. - my $uri_length = length($self->self_url()); - if ($self->request_method() ne 'POST' or $uri_length < CGI_URI_LIMIT) { - print $self->redirect(-url => $self->self_url()); + my $self_url = $self->self_url(); + if ($self->request_method() ne 'POST' or length($self_url) < CGI_URI_LIMIT) { + print $self->redirect(-url => $self_url); exit; } } @@ -526,7 +561,23 @@ sub url_is_attachment_base { $regex =~ s/\\\%bugid\\\%/\\d+/; } $regex = "^$regex"; - return ($self->self_url =~ $regex) ? 1 : 0; + return ($self->url =~ $regex) ? 1 : 0; +} + +sub set_dated_content_disp { + my ($self, $type, $prefix, $ext) = @_; + + my @time = localtime(time()); + my $date = sprintf "%04d-%02d-%02d", 1900+$time[5], $time[4]+1, $time[3]; + my $filename = "$prefix-$date.$ext"; + + $filename =~ s/\s/_/g; # Remove whitespace to avoid HTTP header tampering + $filename =~ s/\\/_/g; # Remove backslashes as well + $filename =~ s/"/\\"/g; # escape quotes + + my $disposition = "$type; filename=\"$filename\""; + + $self->{'_content_disp'} = $disposition; } ########################## @@ -636,6 +687,11 @@ instead of calling this directly. Redirects from the current URL to one prefixed by the urlbase parameter. +=item C<set_dated_content_disp> + +Sets an appropriate date-dependent value for the Content Disposition header +for a downloadable resource. + =back =head1 SEE ALSO |