From c491adcb47a55a68b7c234b03b7a3e4cd8b2fda8 Mon Sep 17 00:00:00 2001
From: "gerv%gerv.net" <>
Date: Wed, 18 Sep 2002 06:28:22 +0000
Subject: Bug 146495 - clean up format ambiguities. We now have separate
"format" and "ctype" parameters. Also fixes bug 140513, bug 143604, and bug
148133. Patch by gerv; r=myk.
---
globals.pl | 126 +++++++++----------------------------------------------------
1 file changed, 17 insertions(+), 109 deletions(-)
(limited to 'globals.pl')
diff --git a/globals.pl b/globals.pl
index 5931d186d..29582e153 100644
--- a/globals.pl
+++ b/globals.pl
@@ -1515,119 +1515,27 @@ $Template::Stash::SCALAR_OPS->{ truncate } =
###############################################################################
-sub GetOutputFormats {
- # Builds a set of possible output formats for a script by looking for
- # format files in the appropriate template directories as specified by
- # the template include path, the sub-directory parameter, and the
- # template name parameter.
+# Constructs a format object from URL parameters. You most commonly call it
+# like this:
+# my $format = GetFormat("foo/bar", $::FORM{'format'}, $::FORM{'ctype'});
+sub GetFormat {
+ my ($template, $format, $ctype) = @_;
- # This function is relevant for scripts with one basic function whose
- # results can be represented in multiple formats, f.e. buglist.cgi,
- # which has one function (query and display of a list of bugs) that can
- # be represented in multiple formats (i.e. html, rdf, xml, etc.).
+ $ctype ||= "html";
- # It is *not* relevant for scripts with several functions but only one
- # basic output format, f.e. editattachstatuses.cgi, which not only lists
- # statuses but also provides adding, editing, and deleting functions.
- # (although it may be possible to make this function applicable under
- # these circumstances with minimal modification).
+ # Security - allow letters and a hyphen only
+ $ctype =~ s/[^a-zA-Z\-]//g;
+ $format =~ s/[^a-zA-Z\-]//g;
- # Format files have names that look like SCRIPT-FORMAT.EXT.tmpl, where
- # SCRIPT is the name of the CGI script being invoked, SUBDIR is the name
- # of the template sub-directory, FORMAT is the name of the format, and EXT
- # is the filename extension identifying the content type of the output.
-
- # When a format file is found, a record for that format is added to
- # the hash of format records, indexed by format name, with each record
- # containing the name of the format file, its filename extension,
- # and its content type (obtained by reference to the $::contenttypes
- # hash defined in localconfig).
-
- my ($subdir, $script) = @_;
-
- # A set of output format records, indexed by format name, each record
- # containing template, extension, and contenttype fields.
- my $formats = {};
-
- # Get the template include path from the template object.
- my $includepath = $::template->context->{ LOAD_TEMPLATES }->[0]->include_path();
-
- # Loop over each include directory in reverse so that format files
- # earlier in the path override files with the same name later in
- # the path (i.e. "custom" formats override "default" ones).
- foreach my $path (reverse @$includepath) {
- # Get the list of files in the given sub-directory if it exists.
- my $dirname = File::Spec->catdir($path, $subdir);
- opendir(SUBDIR, $dirname) || next;
- my @files = readdir SUBDIR;
- closedir SUBDIR;
+ $template .= ($format ? "-$format" : "");
+ $template .= ".$ctype.tmpl";
- # Loop over each file in the sub-directory looking for format files
- # (files whose name looks like SCRIPT-FORMAT.EXT.tmpl).
- foreach my $file (@files) {
- if ($file =~ /^\Q$script\E-(.+)\.(.+)\.tmpl$/) {
- # This must be a valid file
- # If an attacker could add a previously unused format
- # type to trick us into running it, then they could just
- # change an existing one...
- # (This implies that running without a webservergroup is
- # insecure, but that is the case anyway)
- trick_taint($file);
-
- $formats->{$1} = {
- 'template' => $file ,
- 'extension' => $2 ,
- 'contenttype' => $::contenttypes->{$2} || "text/plain" ,
- };
- }
- }
- }
- return $formats;
-}
-
-sub ValidateOutputFormat {
- my ($format, $script, $subdir) = @_;
-
- # If the script name is undefined, assume the script currently being
- # executed, deriving its name from Perl's built-in $0 (program name) var.
- if (!defined($script)) {
- my ($volume, $dirs, $filename) = File::Spec->splitpath($0);
- $filename =~ /^(.+)\.cgi$/;
- $script = $1
- || DisplayError("Could not determine the name of the script.")
- && exit;
- }
-
- # If the format name is undefined or the default format is specified,
- # do not do any validation but instead return the default format.
- if (!defined($format) || $format eq "default") {
- return
- {
- 'template' => "$script.html.tmpl" ,
- 'extension' => "html" ,
- 'contenttype' => "text/html" ,
- };
- }
-
- # If the subdirectory name is undefined, assume the script name.
- $subdir = $script if !defined($subdir);
-
- # Get the list of output formats supported by this script.
- my $formats = GetOutputFormats($subdir, $script);
-
- # Validate the output format requested by the user.
- if (!$formats->{$format}) {
- my $escapedname = html_quote($format);
- DisplayError("The $escapedname output format is not
- supported by this script. Supported formats (besides the
- default HTML format) are " .
- join(", ", map(html_quote($_), keys(%$formats))) .
- ".");
- exit;
- }
-
- # Return the validated output format.
- return $formats->{$format};
+ return
+ {
+ 'template' => $template ,
+ 'extension' => $ctype ,
+ 'ctype' => $::contenttypes->{$ctype} || "text/plain" ,
+ };
}
###############################################################################
--
cgit v1.2.3-24-g4f1b