https://svn.lrde.epita.fr/svn/lrde-tools/trunk/build-farm
Index: ChangeLog
from Roland Levillain <roland(a)lrde.epita.fr>
Let build.pl be robust to project (and host) names containing
special characters w.r.t. URL encoding.
* web/build.pl (build_status_link, view_global_summary)
(view_all_pkg_builds, view_build, view_host_history): Protect the
host and tree names using URI::Escape.
build.pl | 42 ++++++++++++++++++++++++++++--------------
1 file changed, 28 insertions(+), 14 deletions(-)
Index: web/build.pl
--- web/build.pl (revision 353)
+++ web/build.pl (working copy)
@@ -31,6 +31,7 @@
use Data::Dumper;
use CGI::Form;
use File::stat;
+use URI::Escape;
my $req = new CGI::Form;
@@ -208,7 +209,10 @@
{
my ($host, $tree) = (shift, shift);
my (%st) = @_;
- my $ret = "<a
href=\"$myself?host=$host&tree=$tree\">";
+ my $tree_url = "$myself?" .
+ "host=" . uri_escape($host) . "&" .
+ "tree=" . uri_escape($tree);
+ my $ret = "<a href=\"$tree_url\">";
my $ok = "<font color=green>ok</font>";
my $ko = "<font color=red>%d</font>";
@@ -317,7 +321,8 @@
print "<td colspan=6 class=\"project\" style=\"border: none;
padding-top: 8pt;\">" . shift(@categories) .
"</td></tr>\n";
next;
}
- print "<td><a
href=\"$myself?tree=$tree\">$tree</a></td>\n";
+ my $tree_url = "$myself?tree=" . uri_escape($tree);
+ print "<td><a
href=\"$tree_url\">$tree</a></td>\n";
foreach my $host (@hosts) {
my (%st) = build_info($host, $tree);
my $bage = build_age($host, $tree);
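Review bot: The link text `$tree` in the new `print` is still written into the page as raw HTML, so the escaping added here protects only the href. A tree name containing `<`, `>` or `&` (the kind of name the ChangeLog is concerned with) would break the markup or be interpreted as HTML. The same holds for `$host` and `$tree` in the Host and Tree rows of view_build, where the values come from the request. Entity-encode the displayed value, for example `encode_entities($tree)` from HTML::Entities, which would need `use HTML::Entities;` next to the new `use URI::Escape;`. The enclosing loop starts and ends outside the hunk.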
@@ -328,7 +333,10 @@
print "<td align=center>";
}
- my $link = "<a href=\"$myself?tree=$tree&host=$host\"
onmouseover=\"this.T_SHADOWWIDTH=6; this.T_WIDTH=170; return escape('<table
border=0><tr><td>Revision:</td><td>$st{'revision'}</td></tr><tr><td>Last
Build:</td><td>$st{'build_shortdate'}</td></tr><tr><td>Last
check:</td><td>$age</td></tr></table>')\"><img
width=16 src=\"%s\"></a>";
+ my $tree_url = "$myself?" .
+ "tree=" . uri_escape($tree) . "&" .
+ "host=" . uri_escape($host);
+ my $link = "<a href=\"$tree_url\"
onmouseover=\"this.T_SHADOWWIDTH=6; this.T_WIDTH=170; return escape('<table
border=0><tr><td>Revision:</td><td>$st{'revision'}</td></tr><tr><td>Last
Build:</td><td>$st{'build_shortdate'}</td></tr><tr><td>Last
check:</td><td>$age</td></tr></table>')\"><img
width=16 src=\"%s\"></a>";
# show first icon for conf/build/install/dist
# or skipped, or nothing
@@ -465,7 +473,7 @@
# Draw the "recent builds" view
sub view_all_pkg_builds() {
- my $tree=$req->param("tree");
+ my $tree=uri_unescape($req->param("tree"));
my @process_tree = ();
if ($tree eq '*Tous*') {
@process_tree = @trees;
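Review bot: `uri_unescape($req->param("tree"))` decodes a value that the CGI parameter parser has presumably already percent-decoded (worth confirming for CGI::Form), so the value would be decoded twice. A tree or host name that legitimately contains `%` followed by two hex digits is altered, and anything that inspects the once-decoded request sees a different string from the one the script uses. Since the links are now built with `uri_escape`, the plain `my $tree=$req->param("tree");` should already round-trip. The same applies to the `uri_unescape` calls in view_build, view_host_history and the top-level `function`/`host`/`tree` reads. The body of view_all_pkg_builds continues outside the hunk.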
@@ -524,9 +532,9 @@
##############################################
# view one build in detail
sub view_build() {
- my $host=$req->param("host");
- my $tree=$req->param("tree");
- my $date=$req->param("date");
+ my $host=uri_unescape($req->param("host"));
+ my $tree=uri_unescape($req->param("tree"));
+ my $date=uri_unescape($req->param("date"));
$date = "$1-$2_$3-$4" if ($date =~ /([0-9]+)_([0-9]+)_([0-9]+)_([0-9]+)/);
my $file="build.$tree.$host";
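Review bot: `$host` and `$tree` come straight from the request and are interpolated into `my $file="build.$tree.$host";` with no validation, and the added `uri_unescape` widens the set of characters that can reach it. The same values feed `util::FileLoad("../web/$host.html")` later in view_build and `glob("build.$tree.$host.*.log")` in view_host_history, where path separators or glob metacharacters would change which files are read. Reject names that are not in the configured lists before using them, e.g. `die "unknown host\n" unless exists $hosts{$host};` and `die "unknown tree\n" unless grep { $_ eq $tree } @trees;`. That assumes `%hosts` and `@trees` hold the known names, as their use elsewhere in the diff suggests. The rest of view_build is outside the hunk.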
@@ -562,6 +570,9 @@
print util::FileLoad("../web/$host.html");
+ my $tree_url = "$myself?function=History&".
+ "tree=" . uri_escape($tree) . "&" .
+ "host=" . uri_escape($host);
print "
<table class=\"real\">
<tr><td width=130>Host:</td><td><a
href=\"$myself?host=$host\">$host</a> -
$hosts{$host}</td></tr>
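Review bot: The Host link just below the new `$tree_url` still interpolates the request-supplied `$host` unescaped, `href=\"$myself?host=$host\"`, so it keeps the problem this commit fixes for the history link. A `"` or `&` in the value ends the attribute or adds query parameters. Build it the same way, e.g. `my $host_url = "$myself?host=" . uri_escape($host);`, and use `href=\"$host_url\"`. The print statement continues past the end of the hunk.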
@@ -569,7 +580,7 @@
<tr><td>Tree:</td><td>$tree</td></tr>
<tr><td>Build Revision:</td><td>" . $st{'revision'}
. "</td></tr>
<tr><td>Build Age:</td><td>" . red_age($age) .
"</td></tr>
-<tr><td>Last Build:</td><td>$st{'build_date'} (<a
href=\"$myself?function=History&tree=$tree&host=$host\">view
history</a>)</td></tr>
+<tr><td>Last Build:</td><td>$st{'build_date'} (<a
href=\"$tree_url\">view history</a>)</td></tr>
<tr><td>Status:</td><td>$status</td></tr>
";
while (my $log = <LOG>) {
@@ -618,8 +629,8 @@
##############################################
# print history logs
sub view_host_history() {
- my $host=$req->param("host");
- my $tree=$req->param("tree");
+ my $host=uri_unescape($req->param("host"));
+ my $tree=uri_unescape($req->param("tree"));
# FIXME: sort logs.
my @logs = glob("build.$tree.$host.*.log");
@@ -639,9 +650,12 @@
my $status = build_status_link($host, $tree, %st);
{ $status =~ s/<\/?a[^>]*?>//g; }
+ my $tree_url =
+ "$myself?function=View+Build&host=$host" .
+ "&tree=$tree&date=$1_$2_$3_$4";
print "
<tr>
- <td><a
href=\"$myself?function=View+Build&host=$host&tree=$tree&date=$1_$2_$3_$4\">$1/$2
$3H$4</a><br></td>
+ <td><a href=\"$tree_url\">$1/$2
$3H$4</a><br></td>
<td align=center>$st{'revision'}</td>
<td align=center>$status</td>
</tr>";
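Review bot: The new `$tree_url` in view_host_history is assembled from raw `$host` and `$tree`, although the ChangeLog lists this function among those protected with URI::Escape. As written, the change only moves the string into a variable. Use `"$myself?function=View+Build&host=" . uri_escape($host) .` followed by `"&tree=" . uri_escape($tree) . "&date=$1_$2_$3_$4";`. The surrounding loop lies outside the hunk.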
@@ -790,7 +804,7 @@
page_top();
-my $fn_name = $req->param("function");
+my $fn_name = uri_unescape($req->param("function"));
if ($fn_name eq "History") {
view_host_history();
@@ -799,8 +813,8 @@
} elsif ($fn_name eq "Host Summary") {
view_summary();
} else {
- my $host = $req->param("host");
- my $tree = $req->param("tree");
+ my $host = uri_unescape($req->param("host"));
+ my $tree = uri_unescape($req->param("tree"));
$tree = '*Tous*' if ! defined $req->param("tree");
$host = '*Tous*' if ! defined $req->param("host");