Version 15.187
parent
0c3dd22b3c
commit
7b2d037d62
|
@ -4416,7 +4416,7 @@ static void Act_FormStartInternal (Act_Action_t NextAction,bool PutParameterLoca
|
||||||
}
|
}
|
||||||
if (Act_Actions[NextAction].ContentType == Act_CONTENT_DATA)
|
if (Act_Actions[NextAction].ContentType == Act_CONTENT_DATA)
|
||||||
fprintf (Gbl.F.Out," enctype=\"multipart/form-data\"");
|
fprintf (Gbl.F.Out," enctype=\"multipart/form-data\"");
|
||||||
fprintf (Gbl.F.Out,">");
|
fprintf (Gbl.F.Out," accept-charset=\"windows-1252\">");
|
||||||
|
|
||||||
/* Put basic form parameters */
|
/* Put basic form parameters */
|
||||||
Act_SetParamsForm (Params,NextAction,PutParameterLocationIfNoSesion);
|
Act_SetParamsForm (Params,NextAction,PutParameterLocationIfNoSesion);
|
||||||
|
|
|
@ -132,13 +132,14 @@
|
||||||
/****************************** Public constants *****************************/
|
/****************************** Public constants *****************************/
|
||||||
/*****************************************************************************/
|
/*****************************************************************************/
|
||||||
|
|
||||||
#define Log_PLATFORM_VERSION "SWAD 15.186 (2016-04-07)"
|
#define Log_PLATFORM_VERSION "SWAD 15.187 (2016-04-07)"
|
||||||
#define CSS_FILE "swad15.186.css"
|
#define CSS_FILE "swad15.186.css"
|
||||||
#define JS_FILE "swad15.186.js"
|
#define JS_FILE "swad15.186.js"
|
||||||
|
|
||||||
// Number of lines (includes comments but not blank lines) has been got with the following command:
|
// Number of lines (includes comments but not blank lines) has been got with the following command:
|
||||||
// nl swad*.c swad*.h css/swad*.css py/swad*.py js/swad*.js soap/swad*.h sql/swad*.sql | tail -1
|
// nl swad*.c swad*.h css/swad*.css py/swad*.py js/swad*.js soap/swad*.h sql/swad*.sql | tail -1
|
||||||
/*
|
/*
|
||||||
|
Version 15.187: Apr 07, 2016 Fixed bug in forms sent using content type multipart/form-data. (198938 lines)
|
||||||
Version 15.186: Apr 07, 2016 Changes in edition of a test question. (198840 lines)
|
Version 15.186: Apr 07, 2016 Changes in edition of a test question. (198840 lines)
|
||||||
Version 15.185.4: Apr 07, 2016 Changes in edition of a test question. (198832 lines)
|
Version 15.185.4: Apr 07, 2016 Changes in edition of a test question. (198832 lines)
|
||||||
Version 15.185.3: Apr 07, 2016 Changed icons to expand / contract. (198801 lines)
|
Version 15.185.3: Apr 07, 2016 Changed icons to expand / contract. (198801 lines)
|
||||||
|
|
|
@ -919,6 +919,9 @@ unsigned Par_GetParAndChangeFormat (const char *ParamName,char *ParamValue,size_
|
||||||
{
|
{
|
||||||
unsigned NumTimes = Par_GetParameter (Par_PARAM_SINGLE,ParamName,
|
unsigned NumTimes = Par_GetParameter (Par_PARAM_SINGLE,ParamName,
|
||||||
ParamValue,MaxBytes,NULL);
|
ParamValue,MaxBytes,NULL);
|
||||||
|
|
||||||
|
// Lay_ShowAlert (Lay_ERROR,ParamValue); !!!!!!!!!!!!
|
||||||
|
|
||||||
Str_ChangeFormat (Str_FROM_FORM,ChangeTo,
|
Str_ChangeFormat (Str_FROM_FORM,ChangeTo,
|
||||||
ParamValue,MaxBytes,RemoveLeadingAndTrailingSpaces);
|
ParamValue,MaxBytes,RemoveLeadingAndTrailingSpaces);
|
||||||
return NumTimes;
|
return NumTimes;
|
||||||
|
|
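--- a/swad_string.c
+++ b/swad_string.c
@@ -969,24 +969,119 @@ void Str_ChangeFormat (Str_ChangeFrom_t ChangeFrom,Str_ChangeTo_t ChangeTo,
 switch (ChangeFrom)
 {
 case Str_FROM_FORM:
+if (Gbl.ContentReceivedByCGI == Act_CONTENT_DATA)
+{
+// The form contained data and was sent with content type multipart/form-data
 switch ((unsigned char) *PtrSrc)
 {
-case '+': /***** Change every '+' to a space *****/
+case 0x20: /* Space */
 IsSpecialChar = true;
 LengthSpecStrSrc = 1;
 SpecialChar = 0x20;
 break;
-case '%': /***** Change "%XX" --> "&#decimal_number;" *****/
+case 0x22: /* Change double comilla --> """ */
 IsSpecialChar = true;
-sscanf (PtrSrc+1,"%2X",&SpecialChar);
+LengthSpecStrSrc = 1;
-LengthSpecStrSrc = 3;
+SpecialChar = 0x22;
 break;
-case '\'': /***** Change "'" --> "'" to avoid SQL code injection *****/
+case 0x23: /* '#' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x23;
+break;
+case 0x26: /* Change '&' --> "&" */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x26;
+break;
+case 0x27: /* Change single comilla --> "'" to avoid SQL code injection */
 IsSpecialChar = true;
 LengthSpecStrSrc = 1;
 SpecialChar = 0x27;
 break;
-case '\\':
+case 0x2C: /* ',' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x2C;
+break;
+case 0x2F: /* '/' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x2F;
+break;
+case 0x3A: /* ':' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x3A;
+break;
+case 0x3B: /* ';' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x3B;
+break;
+case 0x3C: /* '<' --> "<" */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x3C;
+break;
+case 0x3E: /* '>' --> ">" */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x3E;
+break;
+case 0x3F: /* '?' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x3F;
+break;
+case 0x40: /* '@' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x40;
+break;
+case 0x5C: /* '\\' */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x5C;
+break;
+default:
+if ((unsigned char) *PtrSrc < 0x20 ||
+(unsigned char) *PtrSrc > 0x7F)
+{
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = (unsigned int) (unsigned char) *PtrSrc;
+}
+else
+{
+IsSpecialChar = false;
+NumPrintableCharsFromReturn++;
+ThereIsSpaceChar = false;
+}
+break;
+}
+}
+else // Gbl.ContentReceivedByCGI == Act_CONTENT_NORM
+{
+// The form contained text and was sent with content type application/x-www-form-urlencoded
+switch ((unsigned char) *PtrSrc)
+{
+case '+': /* Change every '+' to a space */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x20;
+break;
+case '%': /* Change "%XX" --> "&#decimal_number;" */
+IsSpecialChar = true;
+sscanf (PtrSrc+1,"%2X",&SpecialChar);
+LengthSpecStrSrc = 3;
+break;
+case 0x27: /* Change single comilla --> "'" to avoid SQL code injection */
+IsSpecialChar = true;
+LengthSpecStrSrc = 1;
+SpecialChar = 0x27;
+break;
+case 0x5C: /* '\\' */
 IsSpecialChar = true;
 LengthSpecStrSrc = 1;
 SpecialChar = 0x5C;
@@ -997,22 +1092,23 @@ void Str_ChangeFormat (Str_ChangeFrom_t ChangeFrom,Str_ChangeTo_t ChangeTo,
 ThereIsSpaceChar = false;
 break;
 }
+}
 break;
 case Str_FROM_HTML:
 case Str_FROM_TEXT:
 switch ((unsigned char) *PtrSrc)
 {
-case 0x20: /***** Change every ' ' to a space *****/
+case 0x20: /* Space */
 IsSpecialChar = true;
 LengthSpecStrSrc = 1;
 SpecialChar = 0x20;
 break;
-case '\'': /***** Change "'" --> "'" to avoid SQL code injection *****/
+case 0x27: /* Change single comilla --> "'" to avoid SQL code injection */
 IsSpecialChar = true;
 LengthSpecStrSrc = 1;
 SpecialChar = 0x27;
 break;
-case '\\':
+case 0x5C: /* '\\' */
 IsSpecialChar = true;
 LengthSpecStrSrc = 1;
 SpecialChar = 0x5C;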
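Review bot: In the new Act_CONTENT_DATA branch the `default:` arm classifies every byte from 0x21 to 0x7F that is not in the enumerated list as printable, including 0x7F itself (the guard is `> 0x7F`, not `>= 0x7F`), whereas the application/x-www-form-urlencoded branch routes anything the browser percent-encoded — `=`, `(`, `)`, `$` and similar — into the special-char path through the `%` arm; the same field value can therefore be classified differently depending only on the form's enctype. What the special-char path does with `SpecialChar` afterwards is outside these hunks, so whether that difference changes the output (and the SQL-injection handling the 0x27 comment refers to) needs confirming against the rest of the function. As a matter of style, the fourteen one-byte arms that only set `SpecialChar` to their own case label could collapse into a single fall-through group assigning `SpecialChar = (unsigned int) (unsigned char) *PtrSrc;`, which shrinks the branch to a size that can be compared with the urlencoded one at a glance. Str_ChangeFormat begins before the first hunk and continues after the second.
```c
if (Gbl.ContentReceivedByCGI == Act_CONTENT_DATA)
   {
   // The form contained data and was sent with content type multipart/form-data
   switch ((unsigned char) *PtrSrc)
      {
      case 0x20: case 0x22: case 0x23: case 0x26: case 0x27:
      case 0x2C: case 0x2F: case 0x3A: case 0x3B: case 0x3C:
      case 0x3E: case 0x3F: case 0x40: case 0x5C:
         IsSpecialChar = true;
         LengthSpecStrSrc = 1;
         SpecialChar = (unsigned int) (unsigned char) *PtrSrc;
         break;
      default:
         /* … unchanged: < 0x20 / > 0x7F test and printable-char bookkeeping … */
         break;
      }
   }
```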