Author: hannes
Date: Wed Oct 26 23:53:15 2005
New Revision: 10290
Modified:
trunk/libraries/koala/sources/examples/buddha/README
trunk/libraries/koala/sources/examples/buddha/TODO
trunk/libraries/koala/sources/examples/buddha/buddha.dylan
trunk/libraries/koala/sources/examples/buddha/class-browser.dylan
trunk/libraries/koala/sources/examples/buddha/class-editor.dylan
trunk/libraries/koala/sources/examples/buddha/config.dylan
trunk/libraries/koala/sources/examples/buddha/object-table.dylan
trunk/libraries/koala/sources/examples/buddha/zone.dylan
Log:
Bug: 7257
*add edit link to each object in browse-table
*more error checking/refill forms on errors
*updated README/TODO
*prevent directory traversal
(the filename submitted via POST in restore is base64-encoded before it is used as a path)
Modified: trunk/libraries/koala/sources/examples/buddha/README
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/README (original)
+++ trunk/libraries/koala/sources/examples/buddha/README Wed Oct 26
23:53:15 2005
@@ -46,3 +46,11 @@
run ~/bin/buddha
there should be a http-listener on the configured port
+Security considerations
+=======================
+
+Save/restore: always (when user submits a filename during save,
+and when user chooses a file during restore) converts user input
+to a base64-encoded string
+ -> no directory traversal or other malformed filenames
+-> even malformed GET/POST requests will be base64-encoded
\ No newline at end of file
Modified: trunk/libraries/koala/sources/examples/buddha/TODO
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/TODO (original)
+++ trunk/libraries/koala/sources/examples/buddha/TODO Wed Oct 26 23:53:15 2005
@@ -5,29 +5,30 @@
blackhole ip-ranges
=> requested by abuse phone
-user management
+*user management/session:
+ *put obj-tables in user session objects
+
+*command abstraction for redo/undo, recent changes
security:
-prevent cross-site scripting (escape <> in all input data)
- -put obj-table in each session...
-everyone is able to delete everything (he only has to give the
correct obj-id and use remove-object as action, so only put those
objects in his obj-table which he needs access to...
-interface to get the next /XX subnet (or the next subnet with at least Y ips)
+*interface to get the next /XX subnet (or the next subnet with at least Y ips)
*javascript chosing of network when adding subnet, dhcp-start, -end, -router
-default values for fields...
-
-string and cname lists user interface
+*default values for fields
+ *when adding new ones (dhcp-start/end/...)
-error check input on edit, not only on add
+*string and cname lists/mx user interface
-remove/edit links
+*links for gen-dhcp-config/gen-dns-config
-links for gen-dhcp-config/gen-dns-config
+*reverse-zones automatically generated
-reverse-zones automatically generated
+*caching of zones... don't increase serial if nothing changed...
with-xml:collect only works for elements, not for lists of elements
Modified: trunk/libraries/koala/sources/examples/buddha/buddha.dylan
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/buddha.dylan (original)
+++ trunk/libraries/koala/sources/examples/buddha/buddha.dylan Wed Oct 26
23:53:15 2005
@@ -224,9 +224,10 @@
name :: <string>,
type :: <file-type>)
if (type == #"file")
+ let b64-name = base64-decode(name);
collect(with-xml()
- option(base64-decode(name),
- value => name)
+ option(b64-name,
+ value => b64-name)
end);
end if;
end, *directory*))
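Review bot: `base64-decode(name)` is now applied to every entry `do-directory` reports in `*directory*`, and the decoded form also becomes the option's `value`; any file in that directory that save did not write (an editor backup, a stray file) is unlikely to be valid base64, so the decode will presumably signal while the page is being rendered instead of that entry being skipped. Consider catching the decode failure per entry so undecodable names are simply left out of the select, with a comment such as `// only names written by save are valid base64; skip anything else`. Note also that the restore handler re-encodes this decoded value, which only reproduces the on-disk name when the stored name is canonical base64. The enclosing method begins before the hunk.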
@@ -243,6 +244,7 @@
define method respond-to-post
(page == #"restore", request :: <request>, response :: <response>)
let file = get-query-value("filename");
+ file := base64-encode(file);
let dood = make(<dood>,
locator: concatenate(*directory*, file),
direction: #"input");
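Review bot: The new `file := base64-encode(file);` runs before anything checks that `get-query-value("filename")` returned a value, so a POST without the parameter passes `#f` to the encoder and fails inside it rather than as a form error; add `if (~file) signal(make(<buddha-form-error>, error: "no filename given")) end;` before the assignment, as the checks in config.dylan do. Encoding is also a weaker guarantee than the README claims: the standard base64 alphabet contains `/` (and `+`), so depending on which alphabet the library emits, the encoded name can still contain a path separator — it cannot produce `..` and so cannot climb out of `*directory*`, but it can name a path in a subdirectory, and nothing verifies that the resulting name exists. A stronger check is to accept only a name that appears in the same `do-directory` listing the GET handler builds the select from. The rest of respond-to-post continues past the hunk.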
@@ -266,7 +268,7 @@
div(id => "content")
{
do(browse-table(<network>, *config*.networks)),
- do(add-form(<network>, "Networks", *config*.networks))
+ do(add-form(<network>, "Networks", *config*.networks,
fill-from-request: errors))
}
end);
end;
@@ -285,7 +287,7 @@
div(id => "content")
{
do(browse-table(<subnet>, *config*.subnets)),
- do(add-form(<subnet>, "Subnets", *config*.subnets))
+ do(add-form(<subnet>, "Subnets", *config*.subnets,
fill-from-request: errors))
}
end);
end;
@@ -304,7 +306,7 @@
div(id => "content")
{
do(browse-table(<vlan>, *config*.vlans)),
- do(add-form(<vlan>, "Vlans", *config*.vlans))
+ do(add-form(<vlan>, "Vlans", *config*.vlans,
fill-from-request: errors))
}
end);
end;
@@ -323,7 +325,7 @@
div(id => "content")
{
do(browse-table(<host>, *config*.hosts)),
- do(add-form(<host>, "Hosts", *config*.hosts))
+ do(add-form(<host>, "Hosts", *config*.hosts,
fill-from-request: errors))
}
end);
end;
@@ -344,7 +346,7 @@
div(id => "content")
{
do(browse-table(<zone>, *config*.zones)),
- do(add-form(<zone>, "Zones", *config*.zones))
+ do(add-form(<zone>, "Zones", *config*.zones,
fill-from-request: errors))
}
end);
end;
@@ -413,4 +415,4 @@
begin
main();
-end;
\ No newline at end of file
+end;
Modified: trunk/libraries/koala/sources/examples/buddha/class-browser.dylan
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/class-browser.dylan
(original)
+++ trunk/libraries/koala/sources/examples/buddha/class-browser.dylan Wed Oct
26 23:53:15 2005
@@ -100,7 +100,7 @@
object :: <object>) => (res)
with-xml()
table {
- tr { do(browse(headline, to-table-header)), th("Remove") },
+ tr { do(browse(headline, to-table-header)), th("Remove"), th("Edit")
},
do(for (ele in object)
collect(with-xml()
tr {
@@ -109,7 +109,9 @@
do(remove-form(ele,
object,
url:
get-url-from-type(headline)))
- }
+ },
+ td { a("Edit", href => concatenate("/edit?obj=",
+
get-reference(ele))) }
}
end)
end)
Modified: trunk/libraries/koala/sources/examples/buddha/class-editor.dylan
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/class-editor.dylan
(original)
+++ trunk/libraries/koala/sources/examples/buddha/class-editor.dylan Wed Oct
26 23:53:15 2005
@@ -57,7 +57,8 @@
//simple case for lists of strings....
define method add-form (type == <string>,
name :: <string>,
- parent :: <object>) => (foo)
+ parent :: <object>,
+ #key fill-from-request) => (foo)
with-xml()
form(action => "/edit", \method => "post")
{ div(class => "edit")
@@ -84,7 +85,8 @@
define method add-form (object-type :: subclass(<object>),
name :: <string>,
- parent :: <object>) => (foo) // :: <list> ?
+ parent :: <object>,
+ #key fill-from-request) => (foo) // :: <list> ?
with-xml()
form(action => "/edit", \method => "post")
{ div(class => "edit")
@@ -93,15 +95,31 @@
//here we should have at least a seperation between integer,
//strings and lists... or should we implement all lists with
//has-many?
+ let value = get-query-value(slot.slot-name);
if (slot.slot-type = <boolean>)
- collect(with-xml() input(type => "checkbox",
- name => slot.slot-name,
- value => slot.slot-name)
- end);
+ if (fill-from-request & value)
+ collect(with-xml() input(type => "checkbox",
+ name => slot.slot-name,
+ value => slot.slot-name,
+ checked => "checked")
+ end);
+ else
+ collect(with-xml() input(type => "checkbox",
+ name => slot.slot-name,
+ value => slot.slot-name)
+ end);
+ end;
else
- collect(with-xml() input(type => "text",
- name => slot.slot-name)
- end);
+ if (fill-from-request & value)
+ collect(with-xml() input(type => "text",
+ name => slot.slot-name,
+ value => value)
+ end);
+ else
+ collect(with-xml() input(type => "text",
+ name => slot.slot-name)
+ end);
+ end if;
end;
collect(with-xml() br end);
end;
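Review bot: The new `value => value` on the text input reflects raw request data (read by `let value = get-query-value(slot.slot-name)` above the boolean branch) straight into an attribute; unless `with-xml` escapes `"`, `<` and `&` in attribute values, this is a reflected-XSS vector that did not exist while the field was always rendered empty. The same commit removes the "prevent cross-site scripting" item from TODO, so if the escaping is meant to happen in the xml library it is worth stating at the read: `// untrusted request input; rendered only through with-xml, which must escape attribute values`. The enclosing add-form method continues outside the hunk.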
@@ -109,13 +127,22 @@
collect(with-xml() text(concatenate(slot.slot-name, ": ")) end);
//get slot, generate select, option field for each element
//of global list of elements...
+ let value = get-object(get-query-value(slot.slot-name));
collect(with-xml()
\select(name => slot.slot-name)
{ do(for (ele in slot.slot-global-list(*config*))
- collect(with-xml()
- option(as(<string>, ele),
- value => get-reference(ele))
- end)
+ if (fill-from-request & (ele = value))
+ collect(with-xml()
+ option(as(<string>, ele),
+ value => get-reference(ele),
+ selected => "selected")
+ end);
+ else
+ collect(with-xml()
+ option(as(<string>, ele),
+ value => get-reference(ele))
+ end);
+ end;
end)
}
end);
@@ -246,7 +273,7 @@
else
#"edit";
end;
- respond-to-get(referer, request, response, errors: errors);
+ respond-to-get(referer, request, response, errors: if (errors.size > 0)
errors else #f end);
end;
define method add-object (parent-object :: <object>, request :: <request>)
@@ -271,7 +298,6 @@
slot.slot-setter-method(value, object);
end;
//error check object
- format-out("ADDING %= to PARENT %=\n", object, parent-object);
if (check(object))
//add to parent list.
parent-object := sort!(add!(parent-object, object));
@@ -323,7 +349,7 @@
//error check it!
//slot-setter!
let current-object = slot.slot-getter-method(object);
- if (value & check(value) & (value ~= current-object))
+ if (value & (value ~= current-object))
//set slot in object
slot.slot-setter-method(value, object);
end;
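Review bot: Dropping `check(value)` from the condition means an edited slot is now stored with no validation at all, while add-object still validates via `check(object)` before adding; unless the enclosing method runs `check` on the whole object after this loop (which lies outside the hunk), edits bypass the VLAN range, duplicate-number and DHCP checks in config.dylan. If `check` was removed because it dispatched on the raw slot value instead of the object, the fix is to keep `current-object`, set the slot, call `check(object)`, and restore `current-object` through the setter when that signals, rather than to skip validation. The enclosing method starts and ends outside the hunk.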
Modified: trunk/libraries/koala/sources/examples/buddha/config.dylan
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/config.dylan (original)
+++ trunk/libraries/koala/sources/examples/buddha/config.dylan Wed Oct 26
23:53:15 2005
@@ -81,7 +81,10 @@
define method check (vlan :: <vlan>)
=> (res :: <boolean>)
- if (any?(method(x) x.number = vlan.number end , *config*.vlans))
+ if ((vlan.number < 0) | (vlan.number > 4095))
+ signal(make(<buddha-form-error>,
+ error: "VLAN not in range 0 - 4095"));
+ elseif (any?(method(x) x.number = vlan.number end , *config*.vlans))
signal(make(<buddha-form-error>,
error: "VLAN with same number already exists"));
elseif (any?(method(x) x.vlan-name = vlan.vlan-name end, *config*.vlans))
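Review bot: The new range check accepts VLAN IDs 0 and 4095, but both are reserved by IEEE 802.1Q (0 is the priority-tag/no-VLAN value, 4095 is reserved), so configurations using them would be rejected by real switches; tighten the test to `if ((vlan.number < 1) | (vlan.number > 4094))` and the message to `"VLAN not in range 1 - 4094"`. The rest of check(<vlan>) continues past the hunk.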
@@ -119,7 +122,13 @@
if (ip-in-net?(subnet, subnet.dhcp-start))
if (ip-in-net?(subnet, subnet.dhcp-end))
if (ip-in-net?(subnet, subnet.dhcp-router))
- #t;
+ if ((subnet.dhcp-router > subnet.dhcp-start)
+ & (subnet.dhcp-router < subnet.dhcp-end))
+ signal(make(<buddha-form-error>,
+ error: "Router has to be outside of dhcp-range"));
+ else
+ #t;
+ end if;
else
signal(make(<buddha-form-error>,
error: "DHCP router not in subnet"));
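Review bot: The strict `>` and `<` comparisons let a router address equal to `dhcp-start` or `dhcp-end` pass, although both of those addresses belong to the lease range the message says the router must be outside of; use `(subnet.dhcp-router >= subnet.dhcp-start) & (subnet.dhcp-router <= subnet.dhcp-end)` — Dylan derives `>=`/`<=` from the `<` the IP type already supports. Nothing here rejects `dhcp-start` above `dhcp-end`, so an inverted range passes as a range containing no addresses; that deserves its own form error. The enclosing check method starts and ends outside the hunk.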
Modified: trunk/libraries/koala/sources/examples/buddha/object-table.dylan
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/object-table.dylan
(original)
+++ trunk/libraries/koala/sources/examples/buddha/object-table.dylan Wed Oct
26 23:53:15 2005
@@ -1,13 +1,22 @@
module: object-table
author: Hannes Mehnert <hannes@xxxxxxxxxxx>
-define constant $obj-table = make(<string-table>);
+define constant $obj-to-id-table = make(<table>);
+define constant $id-to-obj-table = make(<string-table>);
+
+define variable *counter* :: <integer> = 0;
define method get-reference (object :: <object>) => (res :: <string>)
- let address = copy-sequence(format-to-string("%=", address-of(object)),
- start: 1);
- $obj-table[address] := object;
- address;
+ let result = element($obj-to-id-table, object, default: #f);
+ if (result)
+ result;
+ else
+ let id = integer-to-string(*counter*);
+ *counter* := *counter* + 1;
+ $obj-to-id-table[object] := id;
+ $id-to-obj-table[id] := object;
+ id;
+ end;
end;
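Review bot: `get-reference` now hands out a global sequential counter, so every object id in the application is trivially enumerable by any client (`/edit?obj=0`, `1`, …), where the removed address-derived strings were at least not guessable in order; given TODO's open item that anyone who knows an id can remove the object, this needs the per-session table or a server-side authorization check alongside it. Both tables also grow without bound and never drop entries, so removed objects stay reachable through their old id and are kept alive by the table. `*counter*` is a plain global updated with `*counter* + 1`, so if Koala serves requests concurrently two objects could receive the same id. A comment such as `// ids are sequential and global: not a capability, authorization must be enforced elsewhere` would make the contract explicit.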
define method get-object (reference :: singleton(#f))
@@ -16,5 +25,5 @@
end;
define method get-object (reference :: <string>) => (res :: false-or(<object>))
- element($obj-table, reference, default: #f);
-end;
\ No newline at end of file
+ element($id-to-obj-table, reference, default: #f);
+end;
Modified: trunk/libraries/koala/sources/examples/buddha/zone.dylan
==============================================================================
--- trunk/libraries/koala/sources/examples/buddha/zone.dylan (original)
+++ trunk/libraries/koala/sources/examples/buddha/zone.dylan Wed Oct 26
23:53:15 2005
@@ -6,6 +6,11 @@
slot target :: <string>, init-keyword: target:;
end;
+define class <mail-exchange> (<object>)
+ slot mx-name :: <string>, init-keyword: mx-name:;
+ slot priority :: <integer>, init-keyword: priority:;
+end;
+
define web-class <zone> (<object>)
data zone-name :: <string>;
data reverse? :: <boolean>;
@@ -17,8 +22,8 @@
data expire :: <integer>;
data time-to-live :: <integer>;
data minimum :: <integer>;
- has-many nameserver :: <host>;
- has-many mail-exchange :: <host>;
+ has-many nameserver :: <string>;
+ has-many mail-exchange :: <mail-exchange>;
has-many text :: <string>;
end;
@@ -130,4 +135,4 @@
define method add-reverse-zones (network :: <network>) => ()
//XXX: add reverse zone for each /24 in network
-end;
\ No newline at end of file
+end;