Overview
Comment:Added escape of \n \r as option to session:apply-type-preference
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | crypt
Files: files | file ages | folders
SHA1: 759286996923f77dee91377d2678abc4971e1216
User & Date: matt on 2016-11-08 06:18:54
Other Links: branch diff | manifest | tags
Context
2016-11-08
06:20
Merged crypt branch check-in: 0e2bee049a user: matt tags: trunk
06:18
Added escape of \n \r as option to session:apply-type-preference Leaf check-in: 7592869969 user: matt tags: crypt
2016-10-20
17:53
Replace external openssl call with "crypt" egg.

The OpenSSL call was using the old UNIX crypt DES password hashing, which is very weak. Crypt will default to a more sensible mechanism (Blowfish, but in the future could transparently switch).

Old passwords will continue to work, because the crypt egg detects DES salts and happily hashes them. When creating new passwords, they will be hashed using the modern algorithm.

The OpenSSL call passed the password to the shell, so an onlooker on the server could see it in plaintext. It also neglected to escape the password for the shell, resulting in a command injection vulnerability. check-in: 1b5a5d3a6e user: sjamaan tags: crypt

Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Modified doc/howto.txt from [a12cd32804] to [08742b584b]. 

81
82
83
84
85
86
87

88



89
90
91
92
93
94
95
96

97
98
99
100
101
102
103

81
82
83
84
85
86
87
88

89
90
91
92
93
94
95
96
97
98

99
100
101
102
103
104
105
106








+
-
+
+
+







-
+










make a selection drop down
~~~~~~~~~~~~~~~~~~~~~~~~~~

In view.scm: 

;;                                   Label   Value visible-str selected
(s:select '(("World" 0)("Country" 1)("State" 2 #t)("Town/City" 3)) 'name 'scope)
(s:select '(("World" 0)("Country" 1)("State" 2     "The state" #t       )("Town/City" 3)) 'name 'scope)

Visible str will be shown if provided. Selected will set that entry to pre-selected.

In control.scm:

(let ((scope     (s:get-input 'scope))
      (scope-num (s:get-input 'scope 'number))) ;; 'number, 'raw or 'escaped
  ....

The optional third entry sets that item as selected if true
The optional fourth entry sets that item as selected if true

Simple error reporting
~~~~~~~~~~~~~~~~~~~~~~

In control.scm:
(s:set-err "You must provide an email address")

Modified session.scm from [feaf3112af] to [2fc2bb77c1]. 

732
733
734
735
736
737
738









739
740
741
742
743
744
745

732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754








+
+
+
+
+
+
+
+
+








		      (cdr params))))
    (case dtype
      ((raw)     res)
      ((number)  (if (string? res)(string->number res) #f))
      ((escaped) (if (string? res)
		     (s:html-filter->string res tags)
		     res))
      ((escaped-nl) (if (string? res) ;; escape \n and \r
			(string-intersperse
			 (string-split
			  (string-intersperse
			   (string-split (s:html-filter->string res tags) "\n")
			   "\\n")
			  "\r")
			 "\\r")
			res))
      (else      (if (string? res)
		     (s:html-filter->string res '())
		     res)))))

(define (session:get-param self key type-params)
  ;; (session:log s:session "params=" (slot-ref s:session 'params))
  (let* ((params (sdat-get-params self))

Modified setup.scm from [90e6633a2e] to [f8cd7b3789]. 

1
2
3
4
5
6
7
8
9
10
11
12
13




14
15
16
17
18
19
20

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24














+
+
+
+








;; Copyright 2007-2011, Matthew Welland.
;; 
;;  This program is made available under the GNU GPL version 2.0 or
;;  greater. See the accompanying file COPYING for details.
;; 
;;  This program is distributed WITHOUT ANY WARRANTY; without even the
;;  implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
;;  PURPOSE.

(declare (unit setup))
(declare (uses session))
(require-extension srfi-69)
(require-extension regex)

;; macros in sugar don't work, have to load in all files or use compiled mode?
;;
;; (include "sugar.scm")

;; use this for getting data from page to page when scope and evals
;; get in the way
(define s:local-vars (make-hash-table))

(define (s:local-set! k v)
  (hash-table-set! s:local-vars k v))

Modified sugar.scm from [8c9838f5ec] to [b784df1be7]. 

85
86
87
88
89
90
91




92





93

94
95
96
97
98
99
100

85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

102
103
104
105
106
107
108
109








+
+
+
+

+
+
+
+
+
-
+








;;   v ; => 9
;;   (+= v 3 4)
;;   v ; => 16
;;   (+= v)
;;   v ; => 16
;; 

(define-simple-syntax (s:if-param varname first ...)
  (if (s:get varname)
      first
      ...))

(define-simple-syntax (s:if-sessionvar varname first ...)
  (if (s:session-var-get varname)
      first
      ...))

;; (define-macro (s:if-param varname . dat)
;; (define-macro (s:if-param varname ...)
;;   (match dat
;; 	 (()    '())
;; 	 ((a)    `(if (s:get ,varname) ,a '()))
;; 	 ((a b)  `(if (s:get ,varname) ,a ,b))))
;; 
;; (define-macro (s:if-sessionvar varname . dat)
;;   (match dat

Modified tests/test.scm from [7deafec480] to [5b953a7034]. 

10
11
12
13
14
15
16
17


18
19
20
21
22
23
24

10
11
12
13
14
15
16

17
18
19
20
21
22
23
24
25








-
+
+








;;  PURPOSE.

(use test md5)

(require-extension sqlite3)
(import (prefix sqlite3 sqlite3:))

(require-library dbi)
;; (require-library dbi)
(use (prefix dbi dbi:))

(load "./requirements.scm")
(load "./cookie.scm")
(load "./misc-stml.scm")
(load "./formdat.scm")
(load "./stml.scm")
(load "./session.scm")