You can also construct URL's that link to your document. The URL is of the form
$ShowDocument?docid=XXXX&version=XX,
where the X's represent just the numbers of the document and version.
- (I.e. leave off the ``$ShortProject-doc-'' and ``-v.'') As above, you can leave off the
+ (I.e. leave off the $ShortProject-doc-
and -v.
) As above, you can leave off the
&version=XX to refer to the latest version.
Using "as of" instead of version number: Instead of specifying a version @@ -70,11 +70,11 @@ sub AdvancedInstructionsBody {
There is a script interface which fetches files from DocDB. The URL is +
There is a script interface which fetches files from DocDB. The URL is
$RetrieveFile?docid=XXXX&version=XX&filename=xxxxxx.
The version number can be left off to get files from the latest version number.
The filename can also be left off. If there is only one file marked Main
- that file will be retrieved.
+ that file will be retrieved.
An alternate form is
$RetrieveFile?docid=XXXX&version=XX&extension=xxx,
so for instance you can specify PDF as the extension to retrieve the PDF file
@@ -94,16 +94,16 @@ sub AdvancedInstructionsBody {
The most useful searches are by author, topic, keyword, or events.
- To link to a topic, you must first find out the topic ID number. - The easiest way to do this is to simply click on that topic from the + To link to a topic, you must first find out the topic ID number. + The easiest way to do this is to simply click on that topic from the list by topic page. - The URL for a single topic will be - $ListBy?topicid=xxx. - Similarly, links to documents by authors are most easily found by the + The URL for a single topic will be + $ListBy?topicid=xxx. + Similarly, links to documents by authors are most easily found by the list by author page.
- Use the search form to link to a keyword: + Use the search form to link to a keyword: $Search?keywordsearchmode=anysub&keywordsearch=xxxxxxx.
@@ -126,7 +126,7 @@ sub AdvancedInstructionsBody { have values of AND and OR. For instance, if you specify two authors, innerlogic=OR will return documents by either author while AND will require the document to be authored by both people. To understand - outerlogic, take the example of searching for an author and a topic. + outerlogic, take the example of searching for an author and a topic. outerlogic=OR will require a document to either have the correct author or the correct topic, while AND will require both. Both options can be specified at the same time. outerlogic defaults to AND and innerlogic defaults @@ -161,7 +161,7 @@ sub AdvancedInstructionsBody { more than one are specified, only one word must be found
More modes can be added if required. To search for more than one word, place the code for a space (%20) between them.
@@ -182,13 +182,13 @@ sub AdvancedInstructionsBody {An XML interface for retrieving information from and submiting information to DocDB is +
An XML interface for retrieving information from and submiting information to DocDB is partially complete. It is not fully complete, but it may satisfy the most common needs.
- +Any link to Search or ShowDocument described above will generate XML +
Any link to Search or ShowDocument described above will generate XML output if &outformat=xml is added to the parameter list. Search returns a summary of the found documents while ShowDocument returns all the meta-info for the document.
@@ -198,7 +198,7 @@ sub AdvancedInstructionsBody { the XML output). Future improvements to the XML facilities of DocDB may include XML output from ListBy, XML output of events, and XML output of topic, author and other lists. If any of these enhancements would be useful to you, please contact your administrator or - the developers. + the developers.Since version 8.4 DocDB has supported uploads of XML data describing documents. This is done with the XMLUpload script. The XML output of ShowDocument described above can be used almost directly to create a new document. One new XML element - must be added to such an XMLFile and a second element is optional. Both elements must be + must be added to such an XMLFile and a second element is optional. Both elements must be added as children of <docdb> (at the same level as <document>).
- +The first XML element is control which has two parameters: mode and
usedate. mode must be one of three values, new
, bump
, or updatedb
. New
ignores the document ID in the uploaded XML and creates a new document with the included
@@ -223,25 +223,25 @@ sub AdvancedInstructionsBody {
<mode>new</mode>
<usedate>yes</usedate>
</control>
-
+
The second element XML element (which is optional) is authentication which contains the username and password needed to download the file(s) in the document from the remote source. It will look like this:
- +
<authentication>
<username>http-basic-username</username>
<password>http-basic-password</password>
</authentication>
-
-
- Generally speaking, when DocDB is processing an XML file, the id numbers describing + + +
Generally speaking, when DocDB is processing an XML file, the id numbers describing things like topics, events, etc. are used and the names of those things shown in the XML file are ignored. Also, not all information about a document van be uploaded via XML. This can be changed if there is a need for it.
-If the id numbers are missing, DocDB attempts a text match for the following +
If the id numbers are missing, DocDB attempts a text match for the following information:
Finally, you will notice that there is no provision for adding files via XML. +
Finally, you will notice that there is no provision for adding files via XML. This could be added but was not needed at the moment.
- +You are about to add an author to the $Project document database. Anyone is allowed to add authors. Please be careful and make sure to put the authors first name, last name, and -middle initials (with periods) in the right place. If you make a mistake, +middle initials (with periods) in the right place. If you make a mistake, DO NOT enter the author again. Contact an -adminstrator and explain the problem. -Required fields are denoted by $RequiredMark. Click any +administrator and explain the problem. +Required fields are denoted by $RequiredMark. Click any highlighted link for quick help.
\n"; print "| "; -print FormElementTitle(-helplink => 'certname', -helptext => 'Certificate CN'); +print FormElementTitle(-helplink => 'usersname', -helptext => "User's Name"); +print " | "; +print FormElementTitle(-helplink => 'certname', -helptext => 'Certificate DN'); print " | "; print FormElementTitle(-helplink => 'certemail', -helptext => 'E-mail Address'); print " |
|---|---|---|
| \n"; - TextField(-name => "name$Row", -size => 40, -maxlength => $DBColumnSize{EmailUser}{Name} ); + TextField(-name => "commonname$Row", -size => 40, -maxlength => $DBColumnSize{EmailUser}{Name} ); + print " | \n"; + TextField(-name => "name$Row", -size => 40, -maxlength => 2048); print " | \n"; TextField(-name => "email$Row", -size => 30, -maxlength => $DBColumnSize{EmailUser}{EmailAddress}); print " |
| '; +print ' | ||
| '; print $query -> submit (-value => "Insert Users"); print " | ||
| Your name (Certificate CN): $CertCN\n"; + print " | Your certificate DN: $CertDN\n"; + print " |
| Your name (certificate CN): $CertCN\n"; TextField(-name => "email", -helplink => "email", -helptext => "Your E-mail", -size => 20, -maxlength => 64, -default => $CertEmail); print " | \n";
@@ -104,14 +100,14 @@ if ($CertificateStatus eq "verified") {
print "|
| \n"; - TextArea(-helplink => "certnote", -helptext => "Notes", + TextArea(-helplink => "certnote", -helptext => "Notes", -extratext => "(Identify yourself or other notes if needed.)", - -name => "certnote"); + -name => "certnote"); print " | |
| \n"; print $query -> submit (-value => "Apply for access"); print " | |
The match has been confirmed.
Press the button below to reload the original page.
";
&DocDBNavBar;
&DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/DisplayMeeting b/DocDB/cgi/DisplayMeeting
index 2259e97e..91b75411 100755
--- a/DocDB/cgi/DisplayMeeting
+++ b/DocDB/cgi/DisplayMeeting
@@ -8,7 +8,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -27,6 +27,7 @@
use Benchmark;
use CGI;
+use CGI::Untaint;
use DBI;
$StartTime = new Benchmark;
@@ -35,6 +36,7 @@ require "DocDBGlobals.pm";
require "Messages.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "ResponseElements.pm";
require "Sorts.pm";
require "Scripts.pm";
@@ -53,12 +55,12 @@ require "EventUtilities.pm";
require "Utilities.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
-
-my $SessionID = $params{sessionid};
-my $SessionSeparatorID = $params{sessionseparatorid};
-my $EventID = $params{conferenceid};
+my $SessionID = $Untaint -> extract(-as_integer => "sessionid") || 0;
+my $SessionSeparatorID = $Untaint -> extract(-as_integer => "sessionseparatorid") || 0;
+my $EventID = $Untaint -> extract(-as_integer => "conferenceid") || 0;
@ErrorStack = ();
@WarnStack = ();
diff --git a/DocDB/cgi/DocDBFields.pm b/DocDB/cgi/DocDBFields.pm
index d09622b7..c11dd1c0 100644
--- a/DocDB/cgi/DocDBFields.pm
+++ b/DocDB/cgi/DocDBFields.pm
@@ -6,7 +6,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/DocDBGlobals.pm b/DocDB/cgi/DocDBGlobals.pm
index c3aecf41..d4e897ac 100644
--- a/DocDB/cgi/DocDBGlobals.pm
+++ b/DocDB/cgi/DocDBGlobals.pm
@@ -1,4 +1,4 @@
-#
+# Name: $RCSfile$
# Description: Configuration file for the DocDB. Sets default
# values and script names. Do not change this file,
# specific local settings are in ProjectGlobals.pm.
@@ -7,7 +7,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -26,6 +26,8 @@
# Constants
+use DateTime;
+$LocalTimezone = DateTime::TimeZone->new(name => 'local');
$TRUE = 1;
$FALSE = 0;
@@ -89,13 +91,20 @@ $Preferences{Security}{Certificates}{FNALKCA} = $FALSE; # TRUE or FALSE - s
$Preferences{Security}{Certificates}{DOEGrids} = $FALSE; # TRUE or FALSE - show DOEgrid certificate instructions
$Preferences{Security}{Certificates}{ShowCertInstructions} = $FALSE; # TRUE or FALSE - show certificate instructions even on non-cert version
+$Preferences{Security}{AuthName} = ""; # Set to override default AuthName of group1 or group2, etc.
+
$Preferences{Options}{DynamicFullList}{Private} = $FALSE; # Generate Full document list by dynamically for private db
$Preferences{Options}{DynamicFullList}{Public} = $FALSE; # Generate Full document list by dynamically for public db
$Preferences{Options}{AlwaysRetrieveFile} = $FALSE; # Always use RetrieveFile instead of File Links
+@{$Preferences{Options}{FileEndingsForAttachment}} = ("doc","docx","xls","xlsx","ppt","pptx","pps","ppsx");
$Preferences{Options}{SubmitAgree} = ""; # "Put text here to make users agree to a privacy statement or some-such.
I agree:"
+# On updates of documents, require an entry in the note field and/or zero out the submitter and require a new entry
+$Preferences{Options}{Update}{RequireNote} = $FALSE;
+$Preferences{Options}{Update}{RequireSubmitter} = $FALSE;
+
$Preferences{Components}{iCal} = $TRUE; # Display links to iCal calendars
$Preferences{Topics}{MinLevel}{Document} = 1;
diff --git a/DocDB/cgi/DocDBHelp b/DocDB/cgi/DocDBHelp
index 86e89f33..fc779e66 100755
--- a/DocDB/cgi/DocDBHelp
+++ b/DocDB/cgi/DocDBHelp
@@ -1,17 +1,17 @@
#! /usr/bin/env perl
#
# Description: Usually called as a pop-up, this looks up in docdb.hlp
-# the information on a specific topic.
+# the information on a specific topic.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -23,7 +23,8 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI;
+use CGI;
+use CGI::Untaint;
use XML::Parser::PerlSAX;
use XML::PatAct::MatchName;
use XML::PatAct::ToObjects;
@@ -32,6 +33,7 @@ use XML::Grove::AsCanonXML;
require "DocDBGlobals.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
my $DefaultPatterns = [
'helpfile' => [ qw{ -holder } ],
@@ -51,7 +53,7 @@ my $ProjectPatterns = [
if (-e "ProjectHelp.xml") {
$ProjectHelp = 1;
-}
+}
my $DefaultMatcher = XML::PatAct::MatchName -> new(Patterns => $DefaultPatterns);
my $DefaultHandler = XML::PatAct::ToObjects -> new(Patterns => $DefaultPatterns,
@@ -70,12 +72,13 @@ if ($ProjectHelp) {
# Start page
-$query = new CGI;
+$query = new CGI;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
print $query -> header( -charset => $HTTP_ENCODING );
&DocDBHeader("$Project DocDB Help","",-nobody => $TRUE);
-%params = $query -> Vars;
-$helpterm = $params{term}; # Extract term user wants help for
+$helpterm = $Untaint -> extract(-as_safehtml => "term") || "";
# Parse XML into hashes, pull out desired text
@@ -127,6 +130,6 @@ if ($DefaultText || $ProjectText) {
}
} else {
print "No help available on this topic.
\n";
-}
+}
&DocDBFooter($DBWebMasterEmail,$DBWebMasterName,-nobody => $TRUE);
diff --git a/DocDB/cgi/DocDBHelp.xml b/DocDB/cgi/DocDBHelp.xml
index 45fa90ba..fa35bd13 100644
--- a/DocDB/cgi/DocDBHelp.xml
+++ b/DocDB/cgi/DocDBHelp.xml
@@ -10,7 +10,7 @@
Author: Eric Vaandering (ewv@fnal.gov)
- Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+ Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
This file is part of DocDB.
@@ -1248,14 +1248,23 @@ or may not be the same as the web username and password.
This form allows you to delete the user, change which groups the
user belongs to, ";
@@ -121,7 +129,7 @@ print "\n";
print " $SecurityGroup has these members: \n";
+ retrieve it. \n";
}
EndPage(@ErrorStack);
diff --git a/DocDB/cgi/EmailLogin b/DocDB/cgi/EmailLogin
index 7f9ee8ea..49c5cd7b 100755
--- a/DocDB/cgi/EmailLogin
+++ b/DocDB/cgi/EmailLogin
@@ -6,7 +6,7 @@
# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -32,6 +32,7 @@ require "ResponseElements.pm";
require "EmailSecurity.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
diff --git a/DocDB/cgi/EmailSecurity.pm b/DocDB/cgi/EmailSecurity.pm
index bdbad545..4c1f3dde 100644
--- a/DocDB/cgi/EmailSecurity.pm
+++ b/DocDB/cgi/EmailSecurity.pm
@@ -8,7 +8,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -77,9 +77,9 @@ sub UserPrefForm ($) {
print "
When updating a document, you can change all the information above.
- However, all the forms should be pre-filled for you with the information from
- the previous version. You will either have to supply all the files you want to
- be in the new version, or choose to have unchanged files copied to the next version.
Finally, updating the database information about the document is similar to
updating the document except for two things. First, you can't supply new
@@ -471,7 +475,7 @@ HTML
forms to your liking and to save some typing by telling the database who you
are. Once the database knows who you are, your name will be pre-selected as the requester and
+ Once the database knows who you are, your name will be pre-selected as the submitter and
author of new documents. You can, of course, change this setting to enter
documents by people other than (or in addition to) yourself. An optional component of DocDB is to allow some documents to be An optional component of DocDB is to allow some documents to be When displaying document version(s) in a list, there are obvious indications of
which documents are approved, which are unapproved, and which are obsolete
- (even if they were approved at some time). All information about who DocDB contains the ability to allow any number of approval The signoff system provides a number of additional convieniences: A number of other features are planned and will be added as needed: On the new document page is a box labeled If the submitter chooses to enable signoffs for a document, click the
+ The status of the document will be When updating a document, you are allowed to change the approvers required,
+ including
+ removing all approvers. Then update the document as needed and any signoffs
+ will be
+ handled as for new documents. All necessary approvals are set to unapproved
+ for the new version of the document. When updating metadata, you are allowed to change the approvers required,
+ including
+ removing all approvers. Then update the metadata as needed. All necessary approvals are set to unapproved
+ for the document. Adding a file does not allow any changes to the list of approvers.
+ All necessary approvals are set to unapproved
+ for the document. Approvers will receive an e-mail requesting they sign the document. A URL
+ of the document page
+ is included in the e-mail. This document page contains a button to press
+ (and possibly a password to enter) next
+ to the name of the approver. Once all approvers have signed the document, the status
+ will change to
+ $Text =~ s/\s*\n\s*/ Here are the results of your modification: \n";
-}
+}
print " \n";
@@ -132,5 +135,5 @@ print " \n";
&DocDBNavBar;
&DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/JournalAdminister b/DocDB/cgi/JournalAdminister
index d96d68dd..937ff6b6 100755
--- a/DocDB/cgi/JournalAdminister
+++ b/DocDB/cgi/JournalAdminister
@@ -2,17 +2,17 @@
#
# Description: This script is called by AdministerForm and does administration
# on journals in the DB. This script adds, modifies and deletes
-# journals.
+# journals.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -25,41 +25,43 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
require "ResponseElements.pm";
require "Security.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "MiscSQL.pm";
require "JournalHTML.pm";
require "Messages.pm";
$query = new CGI; # Global for subroutines
-
-%params = $query -> Vars;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
@ErrorStack = ();
@WarnStack = ();
-# Parameters to script
+# Parameters to script
-$Password = $params{password};
-my $Username = $params{admuser};
-$Action = $params{admaction};
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $Username = $Untaint -> extract(-as_printable => "admuser") || "";
+my $Action = $Untaint -> extract(-as_printable => "admaction") || "";
-$JournalID = $params{journal};
-$FullName = $params{name};
-$Abbreviation = $params{abbr};
-$Acronym = $params{acronym};
-$Publisher = $params{pub};
-$URL = $params{url};
+my $JournalID = $Untaint -> extract(-as_integer => "journal") || 0;
+my $FullName = $Untaint -> extract(-as_safehtml => "name") || "";
+my $Abbreviation = $Untaint -> extract(-as_safehtml => "abbr") || "";
+my $Acronym = $Untaint -> extract(-as_safehtml => "acronym") || "";
+my $Publisher = $Untaint -> extract(-as_safehtml => "pub") || "";
+my $URL = $Untaint -> extract(-as_safehtml => "url") || "";
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password);
unless ($dbh) {
push @ErrorStack,$Msg_AdminNoConnect;
-}
+}
print $query -> header( -charset => $HTTP_ENCODING );
&DocDBHeader("Modified List of Institutions");
@@ -67,7 +69,7 @@ print $query -> header( -charset => $HTTP_ENCODING );
unless (&CanAdminister) {
push @ErrorStack,$Msg_AdminNoLogin;
-}
+}
&EndPage(@ErrorStack);
&GetJournals;
@@ -86,33 +88,33 @@ if ($Action eq "Delete") { # Delete institutions
}
&EndPage(@ErrorStack);
-# Deal with name changes
+# Deal with name changes
- if ($FullName) {
+ if ($FullName) {
print "Updating journal name. \n";
-}
+}
print " \n";
@@ -151,5 +153,5 @@ print " \n";
&DocDBNavBar;
&DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/JournalHTML.pm b/DocDB/cgi/JournalHTML.pm
index b1da4841..673abf64 100644
--- a/DocDB/cgi/JournalHTML.pm
+++ b/DocDB/cgi/JournalHTML.pm
@@ -1,16 +1,16 @@
#
-# Description: Routines with form elements and other HTML generating
+# Description: Routines with form elements and other HTML generating
# code pertaining to Journals and References.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -22,69 +22,71 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+require "HTMLUtilities.pm";
+
sub JournalSelect (;%) {
my (%Params) = @_;
-
+
my $Disabled = $Params{-disabled} || "0";
my $Mode = $Params{-format} || "0";
-
+
my $Booleans = "";
-
+
if ($Disabled) {
$Booleans .= "-disabled";
- }
-
+ }
+
my @JournalIDs = keys %Journals;
my %JournalLabels = ();
foreach my $ID (@JournalIDs) {
- $JournalLabels{$ID} = $Journals{$ID}{Abbreviation};
+ $JournalLabels{$ID} = SmartHTML({-text => $Journals{$ID}{Abbreviation}},);
}
@JournalIDs = sort @JournalIDs; #FIXME Sort by abbreviation
print FormElementTitle(-helplink => "journal", -helptext => "Journal");
- print $query -> scrolling_list(-name => "journal", -values => \@JournalIDs,
- -labels => \%JournalLabels, -size => 10,
+ print $query -> scrolling_list(-name => "journal", -values => \@JournalIDs,
+ -labels => \%JournalLabels, -size => 10,
-default => $JournalDefault, $Booleans);
}
sub JournalEntryBox (;%) {
my (%Params) = @_;
-
+
my $Disabled = $Params{-disabled} || "0";
my $Mode = $Params{-format} || "0";
-
+
my $Booleans = "";
-
+
if ($Disabled) {
$Booleans .= "-disabled";
- }
+ }
print " \n";
-}
+}
print " \n";
$keyadminform = "Administer Keywords";
@@ -139,5 +141,5 @@ print " \n";
&DocDBNavBar;
&DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/KeywordHTML.pm b/DocDB/cgi/KeywordHTML.pm
index 53df0eca..fa63711c 100644
--- a/DocDB/cgi/KeywordHTML.pm
+++ b/DocDB/cgi/KeywordHTML.pm
@@ -1,18 +1,18 @@
#
# Name: KeywordHTML.pm
-# Description: Routines to produce snippets of HTML and form elements
-# dealing with keywords
+# Description: Routines to produce snippets of HTML and form elements
+# dealing with keywords
#
# Author: Lynn Garren (garren@fnal.gov)
# Modified: Eric Vaandering (ewv@fnal.gov)
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -24,27 +24,35 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+use HTML::Entities;
+use URI::Escape;
+
+require "HTMLUtilities.pm";
+
sub KeywordGroupInfo ($;$) {
my ($KeyID,$mode) = @_;
-
+
require "KeywordSQL.pm";
-
+
&FetchKeywordGroup($KeyID);
my $info;
if ($mode eq "short") {
- $info = $KeywordGroups{$KeyID}{Short};
+ $info = SmartHTML({-text=>$KeywordGroups{$KeyID}{Short}});
} elsif ($mode eq "long") {
- $info = $KeywordGroups{$KeyID}{Long};
+ $info = SmartHTML({-text=>$KeywordGroups{$KeyID}{Long}});
} else {
- $info = $KeywordGroups{$KeyID}{Short};
+ $info = SmartHTML({-text=>$KeywordGroups{$KeyID}{Short}});
}
-
+
return $info;
}
sub KeywordsbyKeywordGroup ($;$) {
+
+ # FIXME_XSS: Check to make sure this kind of search still works.
+ # May need to remove special characters or adapt search atoms
my ($KeywordGroupID,$Mode) = @_;
-
+
require "Sorts.pm";
my @KeywordIDs = sort byKeyword &GetKeywordsByKeywordGroupID($KeywordGroupID);
@@ -55,19 +63,20 @@ sub KeywordsbyKeywordGroup ($;$) {
foreach my $KeywordID (@KeywordIDs) {
my $KeyLink;
if ($Mode eq "chooser") {
+ my $SafeKeyword = SmartHTML({-text=>$Keywords{$KeywordID}{Short}});
$KeyLink = "$Keywords{$KeywordID}{Short}";
+ "onclick=\"InsertKeyword('$SafeKeyword');\">$SafeKeyword";
} else {
$KeyLink = &KeywordLinkByID($KeywordID,-format => "short");
}
print " \n";
-}
+}
print " \n";
$keyadminform = "Administer Keywords";
@@ -173,5 +175,5 @@ print " \n";
&DocDBNavBar;
&DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/KeywordSQL.pm b/DocDB/cgi/KeywordSQL.pm
index 4d3507d8..9b7a05c2 100644
--- a/DocDB/cgi/KeywordSQL.pm
+++ b/DocDB/cgi/KeywordSQL.pm
@@ -5,7 +5,7 @@
# Author: Lynn Garren (garren@fnal.gov)
# Modified: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ListAllMeetings b/DocDB/cgi/ListAllMeetings
index 2d48c63a..d2ecc19b 100755
--- a/DocDB/cgi/ListAllMeetings
+++ b/DocDB/cgi/ListAllMeetings
@@ -8,7 +8,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -26,22 +26,24 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
require "MeetingSQL.pm";
require "MeetingHTML.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "SecuritySQL.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
-%params = $query -> Vars;
-
-my $Mode = $params{mode} || "display";
-my $EventGroupID = $params{eventgroupid};
-my $EventGroup = $params{eventgroup};
+my $Mode = $Untaint -> extract(-as_printable => "mode") || "display";
+my $EventGroupID = $Untaint -> extract(-as_integer => "eventgroupid") || 0;
+my $EventGroup = $Untaint -> extract(-as_integer => "eventgroup") || 0;
GetSecurityGroups();
diff --git a/DocDB/cgi/ListAuthors b/DocDB/cgi/ListAuthors
index 96e16878..99df7d66 100755
--- a/DocDB/cgi/ListAuthors
+++ b/DocDB/cgi/ListAuthors
@@ -2,12 +2,12 @@
#
# Author Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -19,7 +19,7 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI;
+use CGI;
use DBI;
require "DocDBGlobals.pm";
@@ -28,6 +28,7 @@ require "ResponseElements.pm";
require "HTMLUtilities.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
GetInstitutions();
diff --git a/DocDB/cgi/ListBy b/DocDB/cgi/ListBy
index 61a5afda..4d022bda 100755
--- a/DocDB/cgi/ListBy
+++ b/DocDB/cgi/ListBy
@@ -8,7 +8,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -27,6 +27,7 @@
use Benchmark;
use CGI;
+use CGI::Untaint;
use DBI;
$StartTime = new Benchmark;
@@ -35,30 +36,31 @@ require "DocDBGlobals.pm";
require "DocumentHTML.pm";
require "SecuritySQL.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "DocumentUtilities.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
+my $Days = $Untaint -> extract(-as_integer => "days") || 0;
+my $TypeID = $Untaint -> extract(-as_integer => "typeid") || 0;
+my $AuthorID = $Untaint -> extract(-as_integer => "authorid") || 0;
-my $Days = $params{days} || 0;
-my $TypeID = $params{typeid} || 0;
-my $AuthorID = $params{authorid} || 0;
+my $TopicID = $Untaint -> extract(-as_integer => "topicid") || 0;
+my $Topic = $Untaint -> extract(-as_safehtml => "topic") || "";
-my $TopicID = $params{topicid} || 0;
-my $Topic = $params{topic} || 0;
+my $EventID = $Untaint -> extract(-as_integer => "eventid") || 0;
+my $EventGroupID = $Untaint -> extract(-as_integer => "eventgroupid") || 0;
+my $EventGroup = $Untaint -> extract(-as_safehtml => "eventgroup") || "";
-my $EventID = $params{eventid} || 0;
-my $EventGroupID = $params{eventgroupid} || 0;
-my $EventGroup = $params{eventgroup} || "";
+my $GroupID = $Untaint -> extract(-as_integer => "groupid") || 0;
+my $Group = $Untaint -> extract(-as_safehtml => "group") || "";
-my $GroupID = $params{groupid} || 0;
-my $Group = $params{group} || "";
+my $AllPubs = $Untaint -> extract(-as_safehtml => "allpubs") || "";
+my $AllDocs = $Untaint -> extract(-as_safehtml => "alldocs") || "";
-my $AllPubs = $params{allpubs} || "";
-my $AllDocs = $params{alldocs} || "";
-
-my $Mode = $params{mode} || "";
+my $Mode = $Untaint -> extract(-as_safehtml => "mode") || "";
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
@@ -116,15 +118,16 @@ if ($Days) {
$SubTopicMessage = "(subtopic of ".TopicLink({-topicid => $ParentTopicID}).")";
}
- $Message = "These documents on $Topics{$TopicID}{Long}
- $SubTopicMessage ";
+ $Message = "These documents on ".
+ SmartHTML({-text=>$Topics{$TopicID}{Long}}).
+ " $SubTopicMessage ";
if ($HasSubTopics) {
$Message .= "and sub-topics ";
}
$Message .= "are available:";
my %Hash = GetEventHashByTopic($TopicID);
if (%Hash) {
- $Message .= ' These are the security groups withing DocDB and a summary of their
+print " These are the security groups withing DocDB and a summary of their
permissions. To see the individual members of these groups, see the
lists below or click on the group name which will take you to the list.
\n";
print "Please use the following keywords to facilitate searches. Note that
spaces are NOT allowed in keywords. To suggest additional keywords, send mail
- to an adminstrator. The links below
+ to an administrator. The links below
will search the database for all instances of a single keyword. Use the
search form to do a more
complicated search. The abbreviated listing
lists all the keywords compactly.\n $KeywordAddendumText ";
- }
+ }
}
sub RevisionMailBody ($) {
@@ -144,11 +156,11 @@ sub RevisionMailBody ($) {
require "Sorts.pm";
FetchDocRevisionByID($DocRevID);
-
+
my $Title = $DocRevisions{$DocRevID}{Title};
my $FullID = FullDocumentID($DocRevisions{$DocRevID}{DOCID},$DocRevisions{$DocRevID}{VERSION});
my $URL = DocumentURL($DocRevisions{$DocRevID}{DOCID});
-
+
FetchAuthor($DocRevisions{$DocRevID}{Submitter});
my $Submitter = $Authors{$DocRevisions{$DocRevID}{Submitter}}{FULLNAME};
@@ -157,9 +169,9 @@ sub RevisionMailBody ($) {
my @AuthorIDs = AuthorRevIDsToAuthorIDs({ -authorrevids => \@AuthorRevIDs, });
my @TopicIDs = GetRevisionTopics({-docrevid => $DocRevID});
my @EventIDs = GetRevisionEvents($DocRevID);
-
-# Build list of authors
-
+
+# Build list of authors
+
my @Authors = ();
foreach $AuthorID (@AuthorIDs) {
FetchAuthor($AuthorID);
@@ -169,9 +181,9 @@ sub RevisionMailBody ($) {
push @Authors,$Authors{$AuthorID}{FULLNAME};
}
my $Authors = join ', ',@Authors;
-
+
# Build list of topics
-
+
my @Topics = ();
foreach $TopicID (@TopicIDs) {
FetchTopic({-topicid => $TopicID});
@@ -181,9 +193,9 @@ sub RevisionMailBody ($) {
push @Topics,$Topics{$TopicID}{Long};
}
my $Topics = join ', ',@Topics;
-
-# Build list of events
-
+
+# Build list of events
+
my @Events = ();
foreach $EventID (@EventIDs) {
FetchConferenceByConferenceID($EventID);
@@ -194,25 +206,25 @@ sub RevisionMailBody ($) {
" (".EuroDate($Conferences{$EventID}{StartDate}).")";
}
my $Events = join ', ',@Events;
-
-
+
+
# Construct the mail body
-
- print $Mailer " Title: ",$DocRevisions{$DocRevID}{Title},"\n";
- print $Mailer " Document ID: ",$FullID,"\n";
- print $Mailer " URL: ",$URL,"\n";
- print $Mailer " Date: ",$DocRevisions{$DocRevID}{DATE},"\n";
- print $Mailer "Submitted by: ",$Submitter,"\n";
- print $Mailer " Authors: ",$Authors,"\n";
- print $Mailer " Topics: ",$Topics,"\n";
+
+ print $Mailer " Title: ",HTML::Entities::decode_entities($DocRevisions{$DocRevID}{Title}),"\n";
+ print $Mailer " Document ID: ",HTML::Entities::decode_entities($FullID),"\n";
+ print $Mailer " URL: ",HTML::Entities::decode_entities($URL),"\n";
+ print $Mailer " Date: ",HTML::Entities::decode_entities($DocRevisions{$DocRevID}{DATE}),"\n";
+ print $Mailer "Submitted by: ",HTML::Entities::decode_entities($Submitter),"\n";
+ print $Mailer " Authors: ",HTML::Entities::decode_entities($Authors),"\n";
+ print $Mailer " Topics: ",HTML::Entities::decode_entities($Topics),"\n";
if ($Events) {
- print $Mailer " Events: ",$Events,"\n";
- }
- print $Mailer " Keywords: ",$DocRevisions{$DocRevID}{Keywords},"\n";
- print $Mailer " Abstract: ",$DocRevisions{$DocRevID}{Abstract},"\n";
+ print $Mailer " Events: ",HTML::Entities::decode_entities($Events),"\n";
+ }
+ print $Mailer " Keywords: ",HTML::Entities::decode_entities($DocRevisions{$DocRevID}{Keywords}),"\n";
+ print $Mailer " Abstract: ",HTML::Entities::decode_entities($DocRevisions{$DocRevID}{Abstract}),"\n";
if ($DocRevisions{$DocRevID}{Note}) {
- print $Mailer " Notes: ",$DocRevisions{$DocRevID}{Note},"\n";
- }
+ print $Mailer " Notes: ",HTML::Entities::decode_entities($DocRevisions{$DocRevID}{Note}),"\n";
+ }
}
sub UsersToNotify ($$) {
@@ -223,14 +235,14 @@ sub UsersToNotify ($$) {
require "MeetingSQL.pm";
require "NotificationSQL.pm";
require "TopicSQL.pm";
-
+
require "Security.pm";
require "Utilities.pm";
require "AuthorUtilities.pm";
unless ($Period eq "Immediate" || $Period eq "Daily" || $Period eq "Weekly") {
return undef;
- }
+ }
GetTopics();
@@ -248,12 +260,12 @@ sub UsersToNotify ($$) {
"select EmailUserID from Notification where Period=? and Type=? and TextKey=?");
# Get users interested in this particular document (only immediate)
-
+
if ($Period eq "Immediate") {
$Fetch -> execute("Immediate","Document",$DocumentID);
$Fetch -> bind_columns(undef,\($UserID));
while ($Fetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
}
@@ -263,12 +275,12 @@ sub UsersToNotify ($$) {
$Fetch -> execute($Period,"AllDocuments",1);
$Fetch -> bind_columns(undef,\($UserID));
while ($Fetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
$Fetch -> execute($Period,"AllDocuments",0);
$Fetch -> bind_columns(undef,\($UserID));
while ($Fetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
# Get users interested in topics for this reporting period
@@ -276,7 +288,7 @@ sub UsersToNotify ($$) {
GetTopics();
my @TopicIDs = ();
my @InitialTopicIDs = GetRevisionTopics( {-docrevid => $DocRevID} );
-
+
foreach my $TopicID (@InitialTopicIDs) {
push @TopicIDs,@{$TopicProvenance{$TopicID}}; # Add ancestors to list
}
@@ -285,10 +297,10 @@ sub UsersToNotify ($$) {
$Fetch -> execute($Period,"Topic",$TopicID);
$Fetch -> bind_columns(undef,\($UserID));
while ($Fetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
- }
-
+ }
+
# Get users interested in events for this reporting period
my @EventIDs = GetRevisionEvents($DocRevID);
@@ -297,17 +309,17 @@ sub UsersToNotify ($$) {
$Fetch -> execute($Period,"Event",$EventID);
$Fetch -> bind_columns(undef,\($UserID));
while ($Fetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
my $EventGroupID = $Conferences{$EventID}{EventGroupID};
-
+
$Fetch -> execute($Period,"EventGroup",$EventGroupID);
$Fetch -> bind_columns(undef,\($UserID));
while ($Fetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
- }
+ }
# Get users interested in authors for this reporting period
@@ -317,12 +329,12 @@ sub UsersToNotify ($$) {
$Fetch -> execute($Period,"Author",$AuthorID);
$Fetch -> bind_columns(undef,\($UserID));
while ($Fetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
- }
+ }
# Get users interested in keywords for this reporting period
-
+
FetchDocRevisionByID($DocRevID);
my @Keywords = split /,*\s+/,$DocRevisions{$DocRevID}{Keywords}; # Comma and/or space separated
@@ -331,13 +343,13 @@ sub UsersToNotify ($$) {
$TextFetch -> execute($Period,"Keyword",$Keyword);
$TextFetch -> bind_columns(undef,\($UserID));
while ($TextFetch -> fetch) {
- $UserIDs{$UserID} = 1;
+ $UserIDs{$UserID} = 1;
}
- }
+ }
-# Translate UserIDs into E-mail addresses,
+# Translate UserIDs into E-mail addresses,
# verify user is allowed to receive notification
-
+
foreach $UserID (keys %UserIDs) {
my $EmailUserID = FetchEmailUser($UserID);
if ($EmailUserID && CanAccess($DocumentID,$Version,$EmailUserID)) {
@@ -347,8 +359,8 @@ sub UsersToNotify ($$) {
push @Addressees,$EmailAddress;
}
}
- }
-
+ }
+
return @Addressees;
}
@@ -360,12 +372,12 @@ sub EmailKeywordForm ($) {
require "FormElements.pm";
- print FormElementTitle(-helplink => "notifykeyword", -helptext => $Period,
+ print FormElementTitle(-helplink => "notifykeyword", -helptext => $Period,
-extratext => "(separate with spaces)");
my $Keywords = join ' ',sort @Defaults;
- print $query -> textfield (-name => $Name , -default => $Keywords,
+ print $query -> textfield (-name => $Name , -default => $Keywords,
-size => 80, -maxlength => 400);
}
@@ -378,7 +390,7 @@ sub EmailAllForm ($) {
print $query -> checkbox(-name => $Name, -checked => 'checked', -value => 1, -label => 'All Documents');
} else {
print $query -> checkbox(-name => $Name, -value => 1, -label => 'All Documents');
- }
+ }
}
sub DisplayNotification ($$;$) {
@@ -398,38 +410,38 @@ sub DisplayNotification ($$;$) {
my @EventGroupIDs = @{$Notifications{$EmailUserID}{"EventGroup_".$Set}};
my @Keywords = @{$Notifications{$EmailUserID}{"Keyword_".$Set}};
my @AllDocuments = @{$Notifications{$EmailUserID}{"AllDocuments_".$Set}};
-
+
my $NewNotify = (@AllDocuments || @AuthorIDs || @TopicIDs || @EventIDs || @EventGroupIDs || @Keywords);
-
+
if ($NotifyAllTopics || $NewNotify) {
- print "$Set notifications:\n";
- print " $PersonalAccountLink /g;
- $pubinfo =~ s/\n/ Use this page to change your personal account settings. Use this page to change your personal account settings. At the top part of the page, you can change
your e-mail address, name, and whether you prefer text or HTML e-mail.
(At the present time, all e-mail is text only, but your choice will be
remembered for future enhancements.)
Also shown are which group(s) you are a member of. If this list is incorrect,
- contact the administrators and ask them
+ contact the administrators and ask them
to change your group membership. If you want to change your password, type the new password in both boxes. If you want to change your password, type the new password in both boxes. At the bottom part of the page, select the topics
- or subtopics, authors,
+print " At the bottom part of the page, select the topics
+ or subtopics, authors,
events, or keywords you
want to be notified of changes to, either immediately or in digests sent
every day or week. This talk is a confirmed match with this document: This talk has been matched (but not confirmed) with this document:
- $Text =~ s/
- $Text =~ s/\s*\n\s*/ Number of documents found: ",int($Row),"
\n";
}
sub KeywordSelect (%) { # Scrolling selectable list for keyword groups
- my (%Params) = @_;
-
+ my (%Params) = @_;
+
my $Format = $Params{-format} || "short"; # short, long, full
my $Multiple = $Params{-multiple} || ""; # Any non-null text is "true"
my $Name = $Params{-name} || "keywordlist";
@@ -151,99 +160,104 @@ sub KeywordSelect (%) { # Scrolling selectable list for keyword groups
my $Disabled = $Params{-disabled} || "0";
my $Booleans = "";
-
+
if ($Disabled) {
$Booleans .= "-disabled";
- }
-
+ }
+
# Scrolling selectable list for keywords
my @KeywordIDs = sort byKeyword keys %Keywords;
my %KeywordLabels = ();
foreach my $ID (@KeywordIDs) {
if ($Format eq "short") {
- $KeywordLabels{$ID} = $Keywords{$ID}{Short};
+ $KeywordLabels{$ID} = SmartHTML({-text=>$Keywords{$ID}{Short}});
} elsif ($Format eq "long") {
- $KeywordLabels{$ID} = $Keywords{$ID}{Long};
+ $KeywordLabels{$ID} = SmartHTML({-text=>$Keywords{$ID}{Long}});
} elsif ($Format eq "full") {
- $KeywordLabels{$ID} = $Keywords{$ID}{Short}." [";
+ $KeywordLabels{$ID} = SmartHTML({-text=>$Keywords{$ID}{Short}})." [";
if ($MaxLabel) {
if ( (length $Keywords{$ID}{Long}) > $MaxLabel) {
- $KeywordLabels{$ID} .= substr($Keywords{$ID}{Long},0,$MaxLabel)." ...";
+ $KeywordLabels{$ID} .= substr(SmartHTML({-text=>$Keywords{$ID}{Long}}),0,$MaxLabel)." ...";
} else {
- $KeywordLabels{$ID} .= $Keywords{$ID}{Long};
+ $KeywordLabels{$ID} .= SmartHTML({-text=>$Keywords{$ID}{Long}});
}
- $KeywordLabels{$ID} .= "]";
- }
+ $KeywordLabels{$ID} .= "]";
+ }
}
- }
+ }
print FormElementTitle(-helplink => "keywords", -helptext => "Keywords");
- print $query -> scrolling_list(-name => "keywordlist", -values => \@KeywordIDs,
+ print $query -> scrolling_list(-name => "keywordlist", -values => \@KeywordIDs,
-labels => \%KeywordLabels,
-size => 10, -multiple => $Multiple, $Booleans );
};
sub KeywordGroupSelect (%) { # Scrolling selectable list for keyword groups
- my (%Params) = @_;
-
+ my (%Params) = @_;
+
my $Format = $Params{-format} || "short"; # short, full
my $Multiple = $Params{-multiple} || ""; # Any non-null text is "true"
my $Name = $Params{-name} || "keywordgroup";
my $Remove = $Params{-remove} || "";
my $Disabled = $Params{-disabled} || "0";
-
+
my $Booleans = "";
-
+
if ($Disabled) {
$Booleans .= "-disabled";
- }
-
+ }
+
print FormElementTitle(-helplink => "keywordgroups", -helptext => "Keyword Groups");
my @KeyGroupIDs = keys %KeywordGroups;
my %GroupLabels = ();
-
+
foreach my $ID (@KeyGroupIDs) {
if ($Format eq "full") {
- $GroupLabels{$ID} = "$KeywordGroups{$ID}{Short} [$KeywordGroups{$ID}{Long}]";
- } else {
- $GroupLabels{$ID} = $KeywordGroups{$ID}{Short};
- }
- }
+ $GroupLabels{$ID} = SmartHTML({-text=>$KeywordGroups{$ID}{Short}})." ".SmartHTML({-text=>$KeywordGroups{$ID}{Long}});
+ } else {
+ $GroupLabels{$ID} = SmartHTML({-text=>$KeywordGroups{$ID}{Short}});
+ }
+ }
if ($Remove) {
unshift @KeyGroupIDs,"-1";
$GroupLabels{"-1"} = "Remove existing groups";
}
-
- print $query -> scrolling_list(-name => $Name,
- -values => \@KeyGroupIDs,
- -labels => \%GroupLabels, -size => 10,
+
+ print $query -> scrolling_list(-name => $Name,
+ -values => \@KeyGroupIDs,
+ -labels => \%GroupLabels, -size => 10,
-multiple => $Multiple, $Booleans);
};
sub KeywordLinkByID ($;%) {
my ($KeywordID,%Params) = @_;
-
+
my $Format = $Params{-format} || "short"; # short, long
my $NoLink = $Params{-nolink} || ""; # will just return information
&FetchKeyword($KeywordID);
- my $Keyword = $Keywords{$KeywordID}{Short};
+ my $SafeShortKeyword = SmartHTML( {-text => $Keywords{$KeywordID}{Short}} );
+ my $SafeLongKeyword = SmartHTML( {-text => $Keywords{$KeywordID}{Long}} );
+ my $UnsafeURI = decode_entities($Keywords{$KeywordID}{Short});
+ my $SafeURI = uri_escape($UnsafeURI);
my $Link;
-
- unless ($NoLink) {
- $Link .= "";
+
+ # FIXME_XSS: Check to make sure this kind of search still works.
+ # May need to remove special characters or adapt search atoms
+ unless ($NoLink) {
+ $Link .= "";
}
-
- if ($Format eq "short") {
- $Link .= $Keywords{$KeywordID}{Short};
+
+ if ($Format eq "short") {
+ $Link .= $SafeShortKeyword;
} elsif ($Format eq "long") {
- $Link .= $Keywords{$KeywordID}{Long};
- }
+ $Link .= $SafeLongKeyword;
+ }
- unless ($NoLink) {
+ unless ($NoLink) {
$Link .= "";
}
-
+
return $Link;
}
@@ -251,26 +265,29 @@ sub KeywordLink ($;%) { # FIXME: Allow parameters of short, long, full a la Lynn
my ($Keyword,%Params) = @_;
my $Format = $Params{-format} || "short"; # short, full
-
- my $ret = "";
- $ret .= "$Keyword";
+ my $SafeKeyword = SmartHTML( {-text => $Keyword} );
+ my $UnsafeURI = decode_entities($Keyword);
+ my $SafeURI = uri_escape($UnsafeURI);
+ my $ret = "";
+ $ret .= "$SafeKeyword";
$ret .= "";
return $ret;
-}
+}
sub KeywordsBox (%) {
- my (%Params) = @_;
+ my (%Params) = @_;
#FIXME: Get rid of global default
-
+
my $Required = $Params{-required} || 0;
- my $ElementTitle = &FormElementTitle(-helplink => "keywords" ,
+ my $ElementTitle = &FormElementTitle(-helplink => "keywords" ,
-helptext => "Keywords" ,
-extratext => "(space separated) - Keyword
Chooser",
-required => $Required );
- print $ElementTitle,"\n";
- print $query -> textfield (-name => 'keywords', -default => $KeywordsDefault,
+ print $ElementTitle,"\n";
+ my $SafeDefault = SmartHTML({-text => $KeywordsDefault},);
+ print $query -> textfield (-name => 'keywords', -default => $KeywordsDefault,
-size => 70, -maxlength => 240);
};
diff --git a/DocDB/cgi/KeywordListAdminister b/DocDB/cgi/KeywordListAdminister
index 6022b8a4..dae6381d 100755
--- a/DocDB/cgi/KeywordListAdminister
+++ b/DocDB/cgi/KeywordListAdminister
@@ -1,17 +1,17 @@
#! /usr/bin/env perl
#
# Description: This script is called by KeywordAdministerForm and does administration
-# on the Keyword table in the DB.
+# on the Keyword table in the DB.
#
# Author: Lynn Garren (garren@fnal.gov)
# Modified: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -27,6 +27,7 @@
# FIXME: Check for duplicate keyword, warn
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -34,33 +35,34 @@ require "Sorts.pm";
require "ResponseElements.pm";
require "Security.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "KeywordHTML.pm";
require "KeywordSQL.pm";
require "Messages.pm";
$query = new CGI; # Global for subroutines
-
-%params = $query -> Vars;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
@ErrorStack = ();
@WarnStack = ();
-# Parameters to script
-
-my $Password = $params{password};
-my $Username = $params{admuser};
-my $Action = $params{admaction};
+# Parameters to script
+
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $Username = $Untaint -> extract(-as_printable => "admuser") || "";
+my $Action = $Untaint -> extract(-as_printable => "admaction") || "";
-my $KeywordID = $params{keywordlist};
-my @KeywordGroupIDs = split /\0/,$params{keywordgroup};
-my $LongName = $params{longdesc};
-my $ShortName = $params{shortdesc};
+my $KeywordID = $Untaint -> extract(-as_integer => "keywordlist") || 0;
+my @KeywordGroupIDs = @{ $Untaint -> extract(-as_listofint => "keywordgroup") || undef };
+my $LongName = $Untaint -> extract(-as_safehtml => "longdesc") || "";
+my $ShortName = $Untaint -> extract(-as_safehtml => "shortdesc") || "";
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password);
unless ($dbh) {
push @ErrorStack,$Msg_AdminNoConnect;
-}
+}
print $query -> header( -charset => $HTTP_ENCODING );
&DocDBHeader("Modified List of Keywords");
@@ -68,10 +70,10 @@ print $query -> header( -charset => $HTTP_ENCODING );
unless (&CanAdminister) {
push @ErrorStack,$Msg_AdminNoLogin;
-}
+}
&EndPage(@ErrorStack);
-if ($Action eq "Delete") {
+if ($Action eq "Delete") {
unless ($KeywordID) {
push @ErrorStack,$Msg_ModKeywdEmpty;
@@ -79,9 +81,9 @@ if ($Action eq "Delete") {
&EndPage(@ErrorStack);
&FetchKeyword($KeywordID);
my $KeywordLink = &KeywordLinkByID($KeywordID);
-
+
&DeleteKeyword($KeywordID); # Delete KeywordID from Keyword table
-
+
print "$KeywordLink has been removed from the database.\n";
print " \n";
print FormElementTitle(-helplink => "doctypeentry", -helptext => "Short Description");
- print $query -> textfield (-name => 'name',
+ print $query -> textfield (-name => 'name',
-size => 20, -maxlength => 32, $Booleans);
print " \n";
print "\n";
print " \n";
diff --git a/DocDB/cgi/DocumentAddForm b/DocDB/cgi/DocumentAddForm
index f9253771..2938cd93 100755
--- a/DocDB/cgi/DocumentAddForm
+++ b/DocDB/cgi/DocumentAddForm
@@ -1,14 +1,12 @@
#! /usr/bin/env perl
#
-# Name: $RCSfile$
+# Name: DocumentAddForm
# Description: The main form to add or modify documents or metadata
#
-# Revision: $Revision$
-# Modified: $Author$ on $Date$
-#
# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -26,6 +24,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -45,6 +44,7 @@ require "TopicSQL.pm";
require "ResponseElements.pm";
require "FormElements.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "Utilities.pm";
require "Defaults.pm";
require "Security.pm";
@@ -61,22 +61,27 @@ require "SignoffHTML.pm";
require "TalkHTML.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
+@ErrorStack = ();
+@WarnStack = ();
+
&GetAuthors;
&GetTopics;
&GetSecurityGroups;
&GetDocTypes;
&GetPrefsCookie;
-%params = $query -> Vars;
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-my $DocumentID = $params{docid};
-my $ConferenceID = $params{conferenceid};
-my $SessionID = $params{sessionid};
-my $Version = $params{version};
-my @PreTopics = $query -> param('pretopic');
- $mode = $params{mode}; # FIXME: Can't be my since used in subroutines
+my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0;
+my $ConferenceID = $Untaint -> extract(-as_integer => "conferenceid") || undef;
+my $SessionID = $Untaint -> extract(-as_integer => "sessionid") || undef;
+my $Version = $Untaint -> extract(-as_integer => "version") || undef;
+my $InputVersion = $Untaint -> extract(-as_integer => "version") || undef;
+my @PreTopics = @{ $Untaint -> extract(-as_listofint => "pretopic") || undef };
+ $mode = $Untaint -> extract(-as_safehtml => "mode") || ""; # FIXME: Can't be "my" since used in subroutines
if ($mode ne "add" && $mode ne "reserve" &&
$mode ne "update" && $mode ne "updatedb") {
@@ -98,14 +103,11 @@ if ($mode eq "add") {
DocDBHeader("$Project Document Update", "Document Update", -scripts => \@Scripts);
}
-@ErrorStack = ();
-@WarnStack = ();
-
unless (CanCreate()) {
push @ErrorStack,"You are not allowed to modify or create documents.";
}
if ($mode eq "update" || $mode eq "updatedb") {
- unless ($params{docid}) {
+ unless ($DocumentID) {
push @ErrorStack,"You must supply a document number to modify a document.";
}
}
@@ -140,6 +142,10 @@ if ($mode eq "reserve") {
$RequiredEntries{Abstract} = 0;
}
+if ($Preferences{Options}{Update}{RequireNote} && ($mode eq "update" || $mode eq "updatedb")){
+ $RequiredEntries{Note} = 1;
+}
+
my $DocRevID;
if ($mode eq "update" || $mode eq "updatedb") {
@@ -177,11 +183,16 @@ if ($mode eq "update" || $mode eq "updatedb") { # Need to read in last version v
$TitleDefault = $DocRevisions{$DocRevID}{Title};
$PubInfoDefault = $DocRevisions{$DocRevID}{PUBINFO};
$AbstractDefault = $DocRevisions{$DocRevID}{Abstract};
- $RequesterDefault = $DocRevisions{$DocRevID}{Submitter};
+ if (not $Preferences{Options}{Update}{RequireSubmitter}) {
+ $RequesterDefault = $DocRevisions{$DocRevID}{Submitter};
+ }
$KeywordsDefault = $DocRevisions{$DocRevID}{Keywords};
$RevisionNoteDefault = $DocRevisions{$DocRevID}{Note};
$DocTypeIDDefault = $DocRevisions{$DocRevID}{DocTypeID};
@SecurityDefaults = GetRevisionSecurityGroups($DocRevID);
+ unless (@SecurityDefaults) {
+ @SecurityDefaults = (0);
+ }
my @AuthorRevIDs = GetRevisionAuthors($DocRevID);
@AuthorRevIDs = sort AuthorRevIDsByOrder @AuthorRevIDs;
$AuthorListOrdered = IsAuthorListOrdered({ -authorrevids => \@AuthorRevIDs, });
@@ -276,12 +287,12 @@ print $query -> hidden(-name => 'docid', -default => $DocumentID);
print $query -> hidden(-name => 'oldversion',-default => $Version);
# Generate unique ID to disallow multiple posting
-srand (time ^ $$ ^ unpack "%32L*", `ps axww`);
+srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`);
my $UniqueID = time."-".(int rand (2**31-1));
print $query -> hidden(-name => 'uniqueid', -default => $UniqueID);
if ($mode eq "updatedb") {
- if (defined $params{version}) {
+ if (defined $InputVersion) {
print $query -> hidden(-name => 'version', -default => $Version);
}
}
@@ -514,7 +525,7 @@ print "\n";
print "\n";
print FormElementTitle(-helplink => "doctypeentry", -helptext => "Long Description");
- print $query -> textfield (-name => 'longdesc',
+ print $query -> textfield (-name => 'longdesc',
-size => 40, -maxlength => 255, $Booleans);
print " \n";
TextField(-name => 'xrefs', -size => 40,
- -default => $XRefDefault,
+ -default => $XRefDefault, -maxlength => 2048,
-helplink => 'xrefentry', -helptext => 'Related Documents');
print "
($ApprovalStatus";
- if ($ApprovalStatus eq "Unapproved") {
+ if($ApprovalStatus eq "Approved") {
+ my $LastApproved = RevisionSignoffDate($DocRevID);
+ my $ApprovalDateTime = ConvertToDateTime({-MySQLTimeStamp => $LastApproved, });
+ my $ApprovalTime = DateTimeString({ -DateTime => $ApprovalDateTime, -ShowTime => $FALSE, });
+ $Link .= " - $ApprovalTime";
+ } elsif ($ApprovalStatus eq "Unapproved") {
if (defined $LastApproved) {
my $DocumentID = $DocRevisions{$LastApproved}{DOCID};
my $Version = $DocRevisions{$LastApproved}{Version};
diff --git a/DocDB/cgi/DocumentSQL.pm b/DocDB/cgi/DocumentSQL.pm
index 1b2591be..7f8fc7d3 100644
--- a/DocDB/cgi/DocumentSQL.pm
+++ b/DocDB/cgi/DocumentSQL.pm
@@ -1,5 +1,5 @@
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/DocumentUtilities.pm b/DocDB/cgi/DocumentUtilities.pm
index 0b34f677..beb0d086 100644
--- a/DocDB/cgi/DocumentUtilities.pm
+++ b/DocDB/cgi/DocumentUtilities.pm
@@ -8,7 +8,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/EditTalkInfo b/DocDB/cgi/EditTalkInfo
index a84e4f00..04f01b5b 100755
--- a/DocDB/cgi/EditTalkInfo
+++ b/DocDB/cgi/EditTalkInfo
@@ -5,14 +5,14 @@
# and display it since it could get crowded in the normal table.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,7 +26,8 @@
# FIXME: XHTML
-use CGI qw(-nosticky);
+use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -36,37 +37,29 @@ require "ResponseElements.pm";
require "Security.pm";
require "MeetingSecurityUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "DBUtilities.pm";
-#require "DocumentSQL.pm";
-#require "RevisionSQL.pm";
require "TalkSQL.pm";
require "MeetingSQL.pm";
require "TalkHintSQL.pm";
-#require "TalkHintUtilities.pm";
-#require "DocumentUtilities.pm";
-#require "FormElements.pm";
-
-#require "DocumentHTML.pm";
-#require "TalkHTML.pm";
-#require "AuthorHTML.pm";
-#require "TopicHTML.pm";
-
-$query = new CGI;
-my %Params = $query -> Vars;
-
-my $SessionOrderID = $Params{sessionorderid};
-my $Title = $Params{talktitle};
-my $DocumentID = $Params{docid};
-my $Confirmed = $Params{talkconfirm};
-my $Length = $Params{talktime};
-my $Note = $Params{talknote};
-my @AuthorHints = split /\0/,$Params{authors};
-my @TopicHints = split /\0/,$Params{topics};
+
+$query = new CGI;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
+
+my $SessionOrderID = $Untaint -> extract(-as_integer => "sessionorderid") || 0;
+my $Title = $Untaint -> extract(-as_safehtml => "talktitle") || "";
+my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0;
+my $Confirmed = $Untaint -> extract(-as_safehtml => "talkconfirm") || "";
+my $Length = $Untaint -> extract(-as_safehtml => "talktime") || "";
+my $Note = $Untaint -> extract(-as_safehtml => "talknote") || "";
+my @AuthorHints = @{ $Untaint -> extract(-as_listofint => "authors") || undef };
+my @TopicHints = @{ $Untaint -> extract(-as_listofint => "topics") || undef };
if ($Confirmed) {
$Confirmed = $TRUE;
}
-
+
CreateConnection(-type => "rw");
EndPage(-startpage => $TRUE);
@@ -99,14 +92,14 @@ EndPage(-startpage => $TRUE);
if ($TalkSeparatorID) { # Modify a talk separator
my $TalkSeparatorUpdate = $dbh -> prepare(
"update TalkSeparator set ".
- "Time=?, Title=?, Note=? ".
+ "Time=?, Title=?, Note=? ".
"where TalkSeparatorID=?");
$TalkSeparatorUpdate -> execute($Length,$Title,$Note,$TalkSeparatorID);
push @ActionStack,"Modified break: $Title";
} elsif ($SessionTalkID) { # Modify a talk
my $SessionTalkUpdate = $dbh -> prepare(
"update SessionTalk set ".
- "DocumentID=?, Confirmed=?, Time=?, HintTitle=?, Note=? ".
+ "DocumentID=?, Confirmed=?, Time=?, HintTitle=?, Note=? ".
"where SessionTalkID=?");
$SessionTalkUpdate -> execute($DocumentID,$Confirmed,$Length,$Title,$Note,$SessionTalkID);
if ($Confirmed) {
@@ -116,7 +109,7 @@ if ($TalkSeparatorID) { # Modify a talk separator
InsertAuthorHints($SessionTalkID,@AuthorHints);
push @ActionStack,"Modified talk: $Title";
}
-
+
# Start page
print $query -> header( -charset => $HTTP_ENCODING );
diff --git a/DocDB/cgi/EmailAdminister b/DocDB/cgi/EmailAdminister
index c7765775..e89a3fc4 100755
--- a/DocDB/cgi/EmailAdminister
+++ b/DocDB/cgi/EmailAdminister
@@ -1,23 +1,23 @@
#! /usr/bin/env perl
#
-# Name: EmailAdminister
-# Description: This script is called by EmailAdministerForm and does
+# Name: EmailAdminister
+# Description: This script is called by EmailAdministerForm and does
# administration on users who have signed up for email from the
# DB. Since users can change almost everything, it really just
# deletes users and changes their passwords in case they forget.
-# It also displays all the users and their notification
+# It also displays all the users and their notification
# preferences.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -30,40 +30,44 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
require "ResponseElements.pm";
require "Security.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "SecuritySQL.pm";
require "NotificationSQL.pm";
require "Messages.pm";
require "EmailUserHTML.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-# Parameters to script
+# Parameters to script
-%params = $query -> Vars;
-my $Password = $params{password};
-my $Username = $params{admuser};
-my $Action = $params{admaction};
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $Username = $Untaint -> extract(-as_printable => "admuser") || "";
+my $Action = $Untaint -> extract(-as_printable => "admaction") || "";
-my $EmailUserID = $params{emailuserid};
-my $SingleUser = $params{singleuser};
-my $NewPassword = $params{resetpw};
-my $ClearGroups = ($params{cleargroups} eq "on");
-my $ClearUser = ($params{clearuser} eq "on");
-my $UserSign = ($params{usersign} eq "on");
-my $VerifyUser = ($params{verifyuser} eq "on");
-my @UsersGroupIDs = split /\0/,$params{usergroups};
+my $EmailUserID = $Untaint -> extract(-as_integer => "emailuserid") || 0;
+my $SingleUser = $Untaint -> extract(-as_safehtml => "singleuser") || "";
+my $NewPassword = $Untaint -> extract(-as_printable => "resetpw") || "";
+
+my $ClearGroups = ($Untaint -> extract(-as_printable => "cleargroups") eq "on");
+my $ClearUser = ($Untaint -> extract(-as_printable => "clearuser") eq "on");
+my $UserSign = ($Untaint -> extract(-as_printable => "usersign") eq "on");
+my $VerifyUser = ($Untaint -> extract(-as_printable => "verifyuser") eq "on");
+my @UsersGroupIDs = @{ $Untaint -> extract(-as_listofint => "usergroups") || undef };
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password);
unless ($dbh) {
push @ErrorStack,$Msg_AdminNoConnect;
-}
+}
print $query -> header( -charset => $HTTP_ENCODING );
DocDBHeader("Modified E-mail Users");
@@ -73,7 +77,7 @@ GetSecurityGroups();
unless (CanAdminister()) {
push @ErrorStack,$Msg_AdminNoLogin;
-}
+}
EndPage();
if ($Action eq "Delete") { # Delete user
@@ -94,21 +98,21 @@ if ($Action eq "Delete") { # Delete user
my $Table = "Email$NotifyType$NotifyTime";
my $NotifyDelete = $dbh -> prepare("delete from $Table where EmailUserID=?");
$NotifyDelete -> execute($EmailUserID);
- }
+ }
}
push @ActionStack,"The user was deleted.";
}
ActionReport();
-} elsif ($Action eq "Modify") {
- unless ($EmailUserID) { # Deal with password changes
+} elsif ($Action eq "Modify") {
+ unless ($EmailUserID) { # Deal with password changes
push @ErrorStack,$Msg_ModEUserEmpty;
}
EndPage();
FetchEmailUser($EmailUserID);
- if ($NewPassword) {
- srand (time ^ $$ ^ unpack "%32L*", `ps axww`);
+ if ($NewPassword) {
+ srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`);
my $Salt = ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]).
((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]);
@@ -126,9 +130,9 @@ if ($Action eq "Delete") { # Delete user
if ($ClearUser || $SingleUser) {
my $UserUpdate = $dbh -> prepare("update EmailUser set CanSign=0,Verified=0 where EmailUserID=?");
$UserUpdate -> execute($EmailUserID);
- unless ($SingleUser) {
+ unless ($SingleUser) {
push @ActionStack,"The user is no longer verified and cannot sign documents.";
- }
+ }
}
if ($UserSign) {
my $UserUpdate = $dbh -> prepare("update EmailUser set CanSign=1 where EmailUserID=?");
@@ -139,13 +143,13 @@ if ($Action eq "Delete") { # Delete user
my $UserUpdate = $dbh -> prepare("update EmailUser set Verified=1 where EmailUserID=?");
$UserUpdate -> execute($EmailUserID);
push @ActionStack,"The user is verified.";
-
+
if ($MailInstalled && $UserValidation eq "certificate") {
require "EmailUtilities.pm";
my @To = ($EmailUser{$EmailUserID}{EmailAddress},$DBWebMasterEmail);
my $Subject = "DocDB account for $EmailUser{$EmailUserID}{Name} activated";
- my $Body = "An adminstrator has approved the request for ";
+ my $Body = "An administrator has approved the request for ";
$Body .= "$EmailUser{$EmailUserID}{Name} for access to $Project DocDB. ";
$Body .= "If you did not request access to $Project DocDB, ";
$Body .= "please contact $DBWebMasterEmail immediately.";
@@ -154,35 +158,35 @@ if ($Action eq "Delete") { # Delete user
}
foreach my $UsersGroupID (@UsersGroupIDs) {
my $UsersGroupSelect = $dbh -> prepare("select UsersGroupID from UsersGroup where EmailUserID=? and GroupID=?");
- $UsersGroupSelect -> execute($EmailUserID,$UsersGroupID);
+ $UsersGroupSelect -> execute($EmailUserID,$UsersGroupID);
my ($ComboExists) = $UsersGroupSelect -> fetchrow_array;
- unless ($ComboExists) {
+ unless ($ComboExists) {
my $UsersGroupUpdate = $dbh -> prepare("insert into UsersGroup (UsersGroupID,EmailUserID,GroupID) ".
" values (0,?,?)");
- $UsersGroupUpdate -> execute($EmailUserID,$UsersGroupID);
+ $UsersGroupUpdate -> execute($EmailUserID,$UsersGroupID);
FetchSecurityGroup($UsersGroupID);
push @ActionStack,"Added user to $SecurityGroups{$UsersGroupID}{NAME}";
- }
- }
-
+ }
+ }
+
ClearEmailUsers();
FetchEmailUser($EmailUserID);
ActionReport();
-
+
print "The user now has the following information:
";
print "\n";
PrintEmailUserInfo($EmailUserID);
print "
\n";
-} elsif ($Action eq "New") {
+} elsif ($Action eq "New") {
push @ErrorStack,"You can't create new users here. Do it the normal way.";
} else {
push @ErrorStack,"No valid action was specified.";
-}
+}
EndPage();
WarnPage();
DocDBNavBar();
DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/EmailAdministerForm b/DocDB/cgi/EmailAdministerForm
index ae879737..55d254b4 100755
--- a/DocDB/cgi/EmailAdministerForm
+++ b/DocDB/cgi/EmailAdministerForm
@@ -10,7 +10,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -28,6 +28,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -35,6 +36,7 @@ require "Scripts.pm";
require "ResponseElements.pm";
require "Security.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "AdministerElements.pm";
require "EmailUserHTML.pm";
require "SecurityHTML.pm";
@@ -45,11 +47,12 @@ require "SecuritySQL.pm";
require "NotificationSQL.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
-%params = $query -> Vars;
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-my $EmailUserID = $params{emailuserid} || 0;
+my $EmailUserID = $Untaint -> extract(-as_integer => "emailuserid") || 0;
GetSecurityGroups();
@@ -65,6 +68,11 @@ unless (CanAdminister()) {
EndPage();
+my $UsernameHeader = "Username";
+if ($UserValidation eq "certificate") {
+ $UsernameHeader = "Certificate DN"
+}
+
if ($EmailUserID) {
print "\n";
print " \n";
- }
+ }
- }
+ }
print "\n";
- EmailUserSelect(-disabled => $TRUE, -default => [$EmailUserID]);
+ EmailUserSelect(-disabled => $TRUE, -default => [$EmailUserID], -helptext => $UsernameHeader);
print " \n";
print "\n";
@@ -195,7 +203,7 @@ if ($EmailUserID) {
my @EmailUserIDs = sort EmailUserIDsByName GetEmailUserIDs();
print " \n";
- print "
\n";
}
@@ -104,7 +113,7 @@ sub KeywordDetailedList {
my $KeywordGroup = &KeywordGroupInfo($KeywordGroupID,"short");
my $Label = $KeywordGroup;
$Label =~ s/\s+//;
-
+
print " Name Username Verified? Can Sign? Groups Name $UsernameHeader Verified? Can Sign? Groups Notifications \n";
my $Row = 0;
@@ -231,8 +239,8 @@ if ($EmailUserID) {
my $Link = $EmailAdministerForm."?emailuserid=$EmailUserID";
print "\n";
- print " ";
} elsif ($UserValidation eq "certificate") {
- print "$EmailUser{$EmailUserID}{Name} \n";
- print "$EmailUser{$EmailUserID}{Username} \n";
+ print "".SmartHTML({-text => $EmailUser{$EmailUserID}{Name}})." \n";
+ print "".SmartHTML({-text => $EmailUser{$EmailUserID}{Username}})." \n";
print "$Verified \n";
print "$CanSign \n";
print "$Groups \n";
@@ -251,7 +259,7 @@ if ($EmailUserID) {
print "\n";
foreach my $EmailUserID (@EmailUserIDs) {
if ($EmailUser{$EmailUserID}{Name}) {
- print "
\n";
print $query -> hidden(-name => 'username', -default => $Username);
print $query -> hidden(-name => 'digest', -default => $Digest);
- print "Username: \n$Username ".SmartHTML({-text => $Username})." Username: \n$Username Username: \n".SmartHTML({-text => $Username})." Username: \n";
print $query -> textfield(-name => 'username', -default => $Username,
@@ -94,16 +94,16 @@ sub UserPrefForm ($) {
if ($UserValidation eq "certificate") {
print " Real name: \n$Name E-mail address: \n";
- print $query -> textfield(-name => 'email', -default => $EmailAddress,
+ print $query -> textfield(-name => 'email', -default => SmartHTML({-text => $EmailAddress}),
-size => 24, -maxlength => 64);
print " Real name: \n";
- print $query -> textfield(-name => 'name', -default => $Name,
+ print $query -> textfield(-name => 'name', -default => SmartHTML({-text => $Name}),
-size => 24, -maxlength => 128);
print " E-mail address: \n";
- print $query -> textfield(-name => 'email', -default => $EmailAddress,
+ print $query -> textfield(-name => 'email', -default => SmartHTML({-text => $EmailAddress}),
-size => 24, -maxlength => 64);
print " New password: \n";
@@ -129,7 +129,7 @@ sub UserPrefForm ($) {
my @UserGroupIDs = &FetchUserGroupIDs($EmailUserID);
foreach my $UserGroupID (@UserGroupIDs) {
&FetchSecurityGroup($UserGroupID);
- print " \n";
print " \n";
}
diff --git a/DocDB/cgi/EmailUtilities.pm b/DocDB/cgi/EmailUtilities.pm
index b02de41f..aecf3c95 100644
--- a/DocDB/cgi/EmailUtilities.pm
+++ b/DocDB/cgi/EmailUtilities.pm
@@ -1,9 +1,9 @@
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -15,32 +15,34 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+use HTML::Entities;
+
sub SendEmail (%) {
unless ($MailInstalled) {
return 0;
- }
+ }
require Mail::Send; #FIXME: Why not use?
require Mail::Mailer;
my (%Params) = @_;
-
+
my %Headers = ();
my @Addressees = @{$Params{-to}};
my $From = $Params{-from} || "$Project Document Database <$DBWebMasterEmail>";
my $Subject = $Params{-subject} || "$Project Document Database";
my $Body = $Params{-body} || "";
-
+
my %Headers = ();
-
+
if (@Addressees) {
print "Sending mail to: ",join ", ",@Addressees,"\n";
print " \n";
print "
\n";
@@ -76,7 +76,7 @@ sub PrintEmailUserInfo ($) {
print "\n";
- print " Username: $EmailUser{$EmailUserID}{Username} \n";
+ print "Username: ".SmartHTML({-text => $EmailUser{$EmailUserID}{Username}})." \n";
print "\n";
- print " Name: $EmailUser{$EmailUserID}{Name} \n";
+ print "Name: ".SmartHTML({-text => $EmailUser{$EmailUserID}{Name}})." \n";
print "\n";
- print " E-mail: $EmailUser{$EmailUserID}{EmailAddress} \n";
+ print "E-mail: ".SmartHTML({-text => $EmailUser{$EmailUserID}{EmailAddress}})." \n";
print "\n";
print " Verified: ";
- print "".("No","Yes")[$EmailUser{$EmailUserID}{Verified}]." \n";
+ print "".("No","Yes")[$EmailUser{$EmailUserID}{Verified}]." \n";
print "\n";
print " HTML: ";
- print "".("No","Yes")[$EmailUser{$EmailUserID}{PreferHTML}]." \n";
+ print "".("No","Yes")[$EmailUser{$EmailUserID}{PreferHTML}]." \n";
print "\n";
print " Can Sign: ";
- print "".("No","Yes")[$EmailUser{$EmailUserID}{CanSign}]." \n";
+ print "".("No","Yes")[$EmailUser{$EmailUserID}{CanSign}]." \n";
print "\n";
-
+
# Groups user belongs (or wants to belong to)
-
+
print " \n";
print "Groups: ";
- print "\n";
+ print " \n";
my @UserGroupIDs = FetchUserGroupIDs($EmailUserID);
if (@UserGroupIDs) {
print " \n";
print "\n";
foreach my $UserGroupID (@UserGroupIDs) {
FetchSecurityGroup($UserGroupID);
- print "
\n";
} else {
print " \n";
- }
+ }
print "\n";
DisplayNotification($EmailUserID,"Weekly");
- print " \n";
+ print "\n";
print "
\n";
my $Mailer = new Mail::Mailer 'smtp', Server => $MailServer;
$Headers{To} = \@Addressees;
$Headers{From} = $From;
- $Headers{Subject} = $Subject;
-
+ $Headers{Subject} = HTML::Entities::decode_entities($Subject);
+
$Mailer -> open(\%Headers); # Start mail with headers
- print $Mailer $Body;
+ print $Mailer HTML::Entities::decode_entities($Body);
$Mailer -> close; # Complete the message and send it
}
return int(@Addressees);
diff --git a/DocDB/cgi/EventAdministerForm b/DocDB/cgi/EventAdministerForm
index 153824ee..dd91d814 100755
--- a/DocDB/cgi/EventAdministerForm
+++ b/DocDB/cgi/EventAdministerForm
@@ -9,7 +9,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -28,6 +28,7 @@
use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -40,6 +41,7 @@ require "Sorts.pm";
require "DBUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "MeetingSQL.pm";
require "SecuritySQL.pm";
@@ -48,19 +50,19 @@ require "MeetingHTML.pm";
require "TopicHTML.pm"; # For description boxes
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $Username = $Untaint -> extract(-as_printable => "admuser") || "";
+my $Action = $Untaint -> extract(-as_printable => "admaction") || "";
+my $Force = $Untaint -> extract(-as_printable => "admforce") || "";
-my $Password = $params{password};
-my $Username = $params{admuser};
-my $Action = $params{admaction};
-my $Force = $params{admforce};
-
-my $SubForm = $params{subform};
-my $EventGroupID = int($params{eventgroups});
-my $EventID = int($params{events});
-my $ShortDescription = $params{shortdesc};
-my $LongDescription = $params{longdesc};
+my $SubForm = $Untaint -> extract(-as_printable => "subform") || "";
+my $EventGroupID = $Untaint -> extract(-as_integer => "eventgroups") || 0;
+my $EventID = $Untaint -> extract(-as_integer => "events") || 0;
+my $ShortDescription = $Untaint -> extract(-as_safehtml => "shortdesc") || "";
+my $LongDescription = $Untaint -> extract(-as_safehtml => "longdesc") || "";
$query -> delete_all();
@@ -94,18 +96,19 @@ if ($SubForm eq "eventgroup") {
if ($Action eq "Delete") {
&DeleteEventGroup(-eventgroupid => $EventGroupID, -force => $Force);
} elsif ($Action eq "Modify") {
+ my $OldShortDescription = SmartHTML({-text => $EventGroups{$EventGroupID}{ShortDescription}},);
if ($ShortDescription) {
- push @ActionStack,"Updated short description of $EventGroups{$EventGroupID}{ShortDescription}";
+ push @ActionStack,"Updated short description of $OldShortDescription";
my $Update = $dbh->prepare("update EventGroup set ShortDescription=? where EventGroupID=?");
$Update -> execute($ShortDescription,$EventGroupID);
}
if ($LongDescription) {
- push @ActionStack,"Updated long description of $EventGroups{$EventGroupID}{ShortDescription}";
+ push @ActionStack,"Updated long description of $OldShortDescription";
my $Update = $dbh->prepare("update EventGroup set LongDescription=? where EventGroupID=?");
$Update -> execute($LongDescription,$EventGroupID);
}
} elsif ($Action eq "New") {
- push @ActionStack,"New event group with description $ShortDescription inserted";
+ push @ActionStack,"New event group with description $ShortDescription inserted";
my $Insert = $dbh -> prepare("insert into EventGroup (ShortDescription,LongDescription) values (?,?)");
$Insert -> execute($ShortDescription,$LongDescription);
} else {
@@ -115,7 +118,7 @@ if ($SubForm eq "eventgroup") {
if ($Action eq "Delete") {
&DeleteEvent(-eventid => $EventID, -force => $Force);
} else {
- push @WarnStack,"Only \"Delete\" is a valid action";
+ push @WarnStack,"Only \"Delete\" is a valid action for events.";
}
}
diff --git a/DocDB/cgi/EventInstructions.pm b/DocDB/cgi/EventInstructions.pm
index d7f289fa..2b727c65 100644
--- a/DocDB/cgi/EventInstructions.pm
+++ b/DocDB/cgi/EventInstructions.pm
@@ -6,7 +6,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/EventUtilities.pm b/DocDB/cgi/EventUtilities.pm
index 42cf87fe..22eea1c6 100644
--- a/DocDB/cgi/EventUtilities.pm
+++ b/DocDB/cgi/EventUtilities.pm
@@ -7,7 +7,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ExternalDocDBAdministerForm b/DocDB/cgi/ExternalDocDBAdministerForm
index 0170b727..0929a523 100755
--- a/DocDB/cgi/ExternalDocDBAdministerForm
+++ b/DocDB/cgi/ExternalDocDBAdministerForm
@@ -1,18 +1,18 @@
#! /usr/bin/env perl
#
# Name: ExternalDocDBAdministerForm
-# Description: Allows the administrator to add knowledge of other DocDBs.
+# Description: Allows the administrator to add knowledge of other DocDBs.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,6 +26,7 @@
use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -38,27 +39,28 @@ require "Sorts.pm";
require "DBUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "SecuritySQL.pm";
require "XRefHTML.pm";
require "XRefSQL.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $Username = $Untaint -> extract(-as_printable => "admuser") || "";
+my $Action = $Untaint -> extract(-as_printable => "admaction") || "";
+my $Force = $Untaint -> extract(-as_printable => "admforce") || "";
-my $Password = $params{password};
-my $Username = $params{admuser};
-my $Action = $params{admaction};
-my $Force = $params{admforce};
+my $SubForm = $Untaint -> extract(-as_printable => "subform") || "";
-my $SubForm = $params{subform};
-
-my $ExternalDocDBID = $params{externaldocdbs};
-my $ProjectName = $params{project};
-my $Description = $params{desc};
-my $PublicURL = $params{puburl};
-my $PrivateURL = $params{privurl};
+my $ExternalDocDBID = $Untaint -> extract(-as_integer => "externaldocdbs") || 0;
+my $ProjectName = $Untaint -> extract(-as_safehtml => "project") || "";
+my $Description = $Untaint -> extract(-as_safehtml => "desc") || "";
+my $PublicURL = $Untaint -> extract(-as_safehtml => "puburl") || "";
+my $PrivateURL = $Untaint -> extract(-as_safehtml => "privurl") || "";
$query -> delete_all();
@@ -75,7 +77,7 @@ GetSecurityGroups();
print $query -> header( -charset => $HTTP_ENCODING );
DocDBHeader("Administer External DocDBs","",
- -scripts => ["PopUps","ExternalDocDBAdminDisable"]);
+ -scripts => ["PopUps","ExternalDocDBAdminDisable"]);
unless (CanAdminister()) {
push @ErrorStack,"You are not allowed to access administrative functions.";
@@ -95,40 +97,40 @@ if ($SubForm eq "externaldocdb") {
$Delete -> execute($ExternalDocDBID);
push @ActionStack,"Deleted reference to external DocDB";
} elsif ($Action eq "Modify") {
- if ($ProjectName) {
- push @ActionStack,"Updated project name of $ExternalDocDBs{$ExternalDocDBID}{Project}";
+ if ($ProjectName) {
+ push @ActionStack,"Updated the project name.";
my $Update = $dbh->prepare("update ExternalDocDB set Project=? where ExternalDocDBID=?");
$Update -> execute($ProjectName,$ExternalDocDBID);
}
- if ($Description) {
- push @ActionStack,"Updated description of $ExternalDocDBs{$ExternalDocDBID}{Project}";
+ if ($Description) {
+ push @ActionStack,"Updated the description.";
my $Update = $dbh->prepare("update ExternalDocDB set Description=? where ExternalDocDBID=?");
$Update -> execute($Description,$ExternalDocDBID);
}
- if ($PrivateURL) {
- push @ActionStack,"Updated private URL of $ExternalDocDBs{$ExternalDocDBID}{Project}";
+ if ($PrivateURL) {
+ push @ActionStack,"Updated the private URL.";
my $Update = $dbh->prepare("update ExternalDocDB set PrivateURL=? where ExternalDocDBID=?");
$Update -> execute($PrivateURL,$ExternalDocDBID);
}
- if ($PublicURL) {
- push @ActionStack,"Updated public URL of $ExternalDocDBs{$ExternalDocDBID}{Project}";
+ if ($PublicURL) {
+ push @ActionStack,"Updated the public URL.";
my $Update = $dbh->prepare("update ExternalDocDB set PublicURL=? where ExternalDocDBID=?");
$Update -> execute($PublicURL,$ExternalDocDBID);
}
- } elsif ($Action eq "New") {
- push @ActionStack,"New external DocDB for $ProjectName added";
- my $Insert = $dbh -> prepare("insert into ExternalDocDB (Project,Description,PrivateURL,PublicURL) values (?,?,?,?)");
+ } elsif ($Action eq "New") {
+ push @ActionStack,"New external DocDB for $ProjectName added";
+ my $Insert = $dbh -> prepare("insert into ExternalDocDB (Project,Description,PrivateURL,PublicURL) values (?,?,?,?)");
$Insert -> execute($ProjectName,$Description,$PrivateURL,$PublicURL);
} else {
push @WarnStack,"No valid action was specified.";
- }
+ }
}
-
-if (@ActionStack) {
+
+if (@ActionStack) {
ClearExternalDocDBs();
GetAllExternalDocDBs();
ActionReport();
-}
+}
EndPage();
@@ -157,7 +159,7 @@ print $query -> start_multipart_form('POST',"$ExternalDocDBAdministerForm",
"name=\"externaldocdb\" id=\"externaldocdb\"");
print "\n";
print "
\n";
@@ -119,7 +121,7 @@ sub JournalTable (;$) {
sub ReferenceForm {
require "MiscSQL.pm";
-
+
GetJournals();
my @JournalIDs = keys %Journals;
@@ -129,33 +131,33 @@ sub ReferenceForm {
}
@JournalIDs = sort @JournalIDs; #FIXME Sort by acronym
unshift @JournalIDs,0; $JournalLabels{0} = "----"; # Null Journal
- my $ElementTitle = FormElementTitle(-helplink => "reference",
+ my $ElementTitle = FormElementTitle(-helplink => "reference",
-helptext => "Journal References");
- print $ElementTitle,"\n";
+ print $ElementTitle,"\n";
my @ReferenceIDs = (@ReferenceDefaults,0);
-
+
print "\n";
-print " \n";
print "\n";
+print " \n";
AdministerActions(-form => "externaldocdb");
print $query -> hidden(-name => "subform", -default => "externaldocdb");
print " \n";
@@ -165,33 +167,33 @@ print "\n";
print " \n";
print "\n";
- ExternalDocDBSelect(-disabled => true, -format => "full");
-print " \n";
-print "\n";
+ ExternalDocDBSelect(-disabled => true, -format => "full");
+print " \n";
+print "\n";
TextField(-name => "project", -disabled => "true", -helptext => "Project", -helplink => "extdocdb");
print " \n";
print "\n";
-print " \n";
print "\n";
+print " \n";
TextField(-name => "desc", -disabled => "true", -helptext => "Description", -helplink => "extdocdb");
print " \n";
print "\n";
-print " \n";
print "\n";
+print " \n";
TextField(-name => "puburl", -disabled => "true", -helptext => "Public URL", -helplink => "extdocdb");
print " \n";
print "\n";
-print " \n";
print "\n";
+print " \n";
TextField(-name => "privurl", -disabled => "true", -helptext => "Private URL", -helplink => "extdocdb");
print " \n";
print "\n";
-print " \n";
diff --git a/DocDB/cgi/FSUtilities.pm b/DocDB/cgi/FSUtilities.pm
index fd98d3a0..db10e269 100644
--- a/DocDB/cgi/FSUtilities.pm
+++ b/DocDB/cgi/FSUtilities.pm
@@ -5,7 +5,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -162,6 +162,9 @@ sub ProtectDirectory { # Write (or delete) correct .htaccess file in directory
}
my $AuthName = join ' or ',@users;
+ if ($Preferences{Security}{AuthName}) {
+ $AuthName = $Preferences{Security}{AuthName};
+ }
my $directory = &GetDirectory($documentID,$version);
if (@users) {
@@ -257,7 +260,7 @@ sub ExtractArchive {
system ($Command);
} else {
print "Could not unpack the archive; contact an
- adminstrator. \n";
+print " \n";
AdminRegardless();
print " \n";
print "
\n";
+ administrator.
\n";
}
chdir $current_dir;
}
@@ -281,7 +284,7 @@ sub DownloadURLs (%) {
if ($Files{$FileKey}{URL}) {
my $URL = $Files{$FileKey}{URL};
unless (&ValidFileURL($URL)) {
- push @ErrorStack,"The URL $URL is not well formed. Don't forget ".
+ push @ErrorStack,"The URL $URL is not well formed. Don't forget ".
"http:// on the front and a file name after the last /.";
}
my @Options = ();
@@ -332,7 +335,7 @@ sub DownloadURLs (%) {
}
sub MakeTmpSubDir {
- my $TmpSubDir = $TmpDir."/".(time ^ $$ ^ unpack "%32L*", `ps axww`);
+ my $TmpSubDir = $TmpDir."/".(time ^ $$ ^ unpack "%32L*", `ps -eaf`);
mkdir $TmpSubDir, oct 755 or die "Could not make temporary directory";
return $TmpSubDir;
}
diff --git a/DocDB/cgi/FileHTML.pm b/DocDB/cgi/FileHTML.pm
index 4c999a79..653003ca 100644
--- a/DocDB/cgi/FileHTML.pm
+++ b/DocDB/cgi/FileHTML.pm
@@ -1,17 +1,17 @@
+# Name: FileHTML.pm
#
-# Description: Subroutines to provide links for files, groups of
+# Description: Subroutines to provide links for files, groups of
# files and archives.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
-#
+# Modified: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -23,6 +23,7 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+require "HTMLUtilities.pm";
sub FileListByRevID {
require "MiscSQL.pm";
@@ -44,22 +45,22 @@ sub FileListByRevID {
push @RootFiles,$FileID;
} else {
push @OtherFiles,$FileID;
- }
+ }
}
if (@RootFiles) {
print "
\n";
}
@@ -90,14 +91,14 @@ sub ShortFileListByRevID {
sub FileListByFileID {
require "Sorts.pm";
-
+
my (@Files) = @_;
unless (@Files) {
return;
- }
-
+ }
+
@Files = sort FilesByDescription @Files;
-
+
print "\n";
foreach my $FileID (@Files) {
my $DocRevID = $DocFiles{$FileID}{DOCREVID};
@@ -107,31 +108,33 @@ sub FileListByFileID {
-shortname => $DocFiles{$FileID}{NAME},
-description => $DocFiles{$FileID}{DESCRIPTION}} );
print "
\n";
}
sub ShortFileListByFileID { # FIXME: Make special case of FileListByFileID
require "Sorts.pm";
-
- my (@Files) = @_;
-
+
+ my ($ArgRef) = @_;
+ my @Files = exists $ArgRef->{-files} ? @{$ArgRef->{-files}} : ();
+ my $SkipVersions = exists $ArgRef->{-skipversions} ? $ArgRef->{-skipversions} : $FALSE;
+
@Files = sort FilesByDescription @Files;
-
+
foreach my $FileID (@Files) {
my $DocRevID = $DocFiles{$FileID}{DOCREVID};
my $Version = $DocRevisions{$DocRevID}{VERSION};
my $DocumentID = $DocRevisions{$DocRevID}{DOCID};
my $Link = FileLink( {-maxlength => 20, -format => "short", -docid => $DocumentID, -version => $Version,
- -shortname => $DocFiles{$FileID}{NAME},
+ -shortname => $DocFiles{$FileID}{NAME}, -skipversions => $SkipVersions,
-description => $DocFiles{$FileID}{DESCRIPTION}} );
print "$Link
\n";
- }
+ }
}
sub FileLink ($) {
my ($ArgRef) = @_;
-
+
my $DocumentID = exists $ArgRef->{-docid} ? $ArgRef->{-docid} : 0;
my $Version = exists $ArgRef->{-version} ? $ArgRef->{-version} : 0;
my $ShortName = exists $ArgRef->{-shortname} ? $ArgRef->{-shortname} : "";
@@ -139,6 +142,7 @@ sub FileLink ($) {
my $MaxLength = exists $ArgRef->{-maxlength} ? $ArgRef->{-maxlength} : 60;
my $MaxExt = exists $ArgRef->{-maxext} ? $ArgRef->{-maxext} : 4;
my $Format = exists $ArgRef->{-format} ? $ArgRef->{-format} : "long";
+ my $SkipVersions = exists $ArgRef->{-skipversions} ? $ArgRef->{-skipversions} : $FALSE;
require "FSUtilities.pm";
require "FileUtilities.pm";
@@ -148,20 +152,28 @@ sub FileLink ($) {
my $FileSize = FileSize(FullFile($DocumentID,$Version,$ShortName));
$FileSize =~ s/^\s+//; # Chop off leading spaces
-
- my $PrintedName = $ShortName;
- if ($MaxLength) {
+
+ my $PrintedName = $ShortName;
+ if ($MaxLength) {
$PrintedName = AbbreviateFileName(-filename => $ShortName,
-maxlength => $MaxLength, -maxext => $MaxExt);
- }
+ }
my $URL = $BaseURL.$ShortFile;
- if ($UserValidation eq "certificate" || $Preferences{Options}{AlwaysRetrieveFile}) {
- $URL = $RetrieveFile."?docid=".$DocumentID."&version=".$Version."&filename=".$ShortFile;
+ if ($UserValidation eq "certificate" || $Preferences{Options}{AlwaysRetrieveFile}) {
+ $URL = $RetrieveFile."?docid=".$DocumentID.";filename=".$ShortFile;
+ unless ($SkipVersions) {
+ $URL .= ";version=".$Version;
+ }
}
-
+
my $Link = "";
-
+
+ # Sanitize output
+ $ShortName = SmartHTML( {-text => $ShortName, } );
+ $Description = SmartHTML( {-text => $Description, } );
+ $PrintedName = SmartHTML( {-text => $PrintedName, } );
+
if ($Format eq "short") {
if ($Description) {
return "$Description";
@@ -179,25 +191,25 @@ sub FileLink ($) {
sub ArchiveLink {
my ($DocumentID,$Version) = @_;
-
+
my @Types = ("tar.gz");
if ($Zip) {push @Types,"zip";}
-
+
@Types = sort @Types;
-
+
my $link = "Get all files as \n";
@LinkParts = ();
foreach my $Type (@Types) {
push @LinkParts,"$Type";
- }
+ }
$link .= join ', ',@LinkParts;
$link .= ".";
-
+
return $link;
}
sub FileUploadBox (%) {
- my (%Params) = @_;
+ my (%Params) = @_;
my $Type = $Params{-type} || "file";
my $DescOnly = $Params{-desconly} || 0;
@@ -208,16 +220,16 @@ sub FileUploadBox (%) {
my $Required = $Params{-required} || 0;
my $FileSize = $Params{-filesize} || 60;
my $FileMaxSize = $Params{-filemaxsize} || 250;
-
+
my @FileIDs = @{$Params{-fileids}};
-
+
require "Sorts.pm";
-
+
if ($DocRevID) {
require "MiscSQL.pm";
@FileIDs = &FetchDocFiles($DocRevID);
}
-
+
my @RootFiles = ();
my @OtherFiles = ();
@@ -226,9 +238,9 @@ sub FileUploadBox (%) {
push @RootFiles,$FileID;
} else {
push @OtherFiles,$FileID;
- }
+ }
}
-
+
@RootFiles = sort FilesByDescription @RootFiles;
@OtherFiles = sort FilesByDescription @OtherFiles;
@FileIDs = (@RootFiles,@OtherFiles);
@@ -236,22 +248,22 @@ sub FileUploadBox (%) {
unless ($MaxFiles) {
if (@FileIDs) {
$MaxFiles = @FileIDs + $AddFiles;
-
+
} elsif ($NumberUploads) {
- $MaxFiles = $NumberUploads;
+ $MaxFiles = $NumberUploads;
} elsif ($UserPreferences{NumFiles}) {
$MaxFiles = $UserPreferences{NumFiles};
} else {
- $MaxFiles = 1;
- }
- }
+ $MaxFiles = 1;
+ }
+ }
print "\n";
-
+
my ($HelpLink,$HelpText,$FileHelpLink,$FileHelpText,$DescHelpLink,$DescHelpText);
if ($Type eq "file") {
$HelpLink = "fileupload";
@@ -264,21 +276,21 @@ sub FileUploadBox (%) {
$FileHelpLink = "remoteurl";
$FileHelpText = "URL";
}
-
+
if ($DescOnly) {
$HelpLink = "filechar";
$HelpText = "Update File Characteristics";
}
-
+
$DescHelpLink = "description";
$DescHelpText = "Description";
-
+
my $BoxTitle = FormElementTitle(-helplink => $HelpLink, -helptext => $HelpText,
-required => $Required);
- print '
\n";
}
-
+
sub ArchiveUploadBox (%) {
- my (%Params) = @_;
-
+ my (%Params) = @_;
+
my $Required = $Params{-required} || 0; # short, long, full
print "';
+ print ' ';
print $BoxTitle;
print " \n";
print " \n";
-
+
if ($Type eq "http") {
print "Filename: ";
@@ -313,29 +325,29 @@ sub FileUploadBox (%) {
print $query -> filefield(-name => $ElementName, -size => $FileSize,
-maxlength => $FileMaxSize);
} elsif ($Type eq "http") {
- print $query -> textfield(-name => $URLName, -size => $FileSize,
+ print $query -> textfield(-name => $URLName, -size => $FileSize,
-maxlength => $FileMaxSize);
}
print "\n";
print "\n";
print $NewNameHelp;
print " \n";
print "\n";
- print $query -> textfield(-name => $NewName, -size => $FileSize,
+ print $query -> textfield(-name => $NewName, -size => $FileSize,
-maxlength => $FileMaxSize);
print " \n";
print "\n";
print $DescriptionHelp;
print " \n";
print "\n";
- print $query -> textfield (-name => $DescName, -size => 60,
+ print $query -> textfield (-name => $DescName, -size => 60,
-maxlength => 128, -default => $DefaultDesc);
if ($DocFiles{$FileID}{ROOT} || !$FileID) {
@@ -343,7 +355,7 @@ sub FileUploadBox (%) {
} else {
print $query -> checkbox(-name => $MainName, -label => '');
}
-
+
print $MainHelp;
print " ';
- print $query -> checkbox(-name => 'LessFiles', -label => '');
- print FormElementTitle(-helplink => "LessFiles", -helptext => "New version has fewer files",
+ print ' ';
+ print $query -> checkbox(-name => 'LessFiles', -label => '');
+ print FormElementTitle(-helplink => "LessFiles", -helptext => "New version has fewer files",
-nocolon => $TRUE, -nobold => $TRUE);;
print " \n";
diff --git a/DocDB/cgi/FileSQL.pm b/DocDB/cgi/FileSQL.pm
index 174e08f6..fb9660bd 100644
--- a/DocDB/cgi/FileSQL.pm
+++ b/DocDB/cgi/FileSQL.pm
@@ -1,6 +1,6 @@
# FIXME: Should grab stuff from MiscSQL.pm
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/FileUtilities.pm b/DocDB/cgi/FileUtilities.pm
index edc9278c..146b1241 100644
--- a/DocDB/cgi/FileUtilities.pm
+++ b/DocDB/cgi/FileUtilities.pm
@@ -1,5 +1,5 @@
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -188,20 +188,34 @@ sub StreamFile (%) {
my $Size = (stat $File)[7];
$MimeType = mimetype($File); # Try Mime-info first
+
unless ($MimeType) {
- $MimeType = `$FileMagic -ib \"$File\"`; # Use magic as a backup
- chomp $MimeType;
- print STDERR "DocDB: MIME info not found, defaulting to \"magic\" which says: $MimeType\n";
+ # This is unsafe. Until we can figure out a way to do this, comment it out. Could use IPC::Run if we had it
+ # $MimeType = `$FileMagic -ib \"$File\"`; # Use magic as a backup
+ # chomp $MimeType;
+ # print STDERR "DocDB: MIME info not found, defaulting to \"magic\" which says: $MimeType\n";
+ $MimeType = 'binary/octet-stream';
+ print STDERR "DocDB: MIME info not found, defaulting to binary/octet-stream\n";
}
my @Parts = split /\//,$File;
my $ShortFile = pop @Parts;
- select STDOUT;
- $| = 1;
+ my $AttachmentString = "";
+ if (defined($Preferences{Options}{FileEndingsForAttachment})) {
+ my $Search = $ShortFile;
+ my $AttachRegex = join "|", @{$Preferences{Options}{FileEndingsForAttachment}};
+ if ($Search =~ m/\.($AttachRegex)$/i) {
+ $AttachmentString = "attachment;";
+ }
+ }
+
print "Content-Type: $MimeType\n", # Print header
- "Content-Disposition: filename=\"$ShortFile\"\n",
+ "Content-Disposition: $AttachmentString filename=\"$ShortFile\"\n",
"Content-Length: $Size\n\n";
+ select STDOUT;
+ $| = 1;
+
open OUT, "<$File" or die "Cannot open File\n";
binmode OUT if -B $File;
my $BlockSize = (stat OUT)[11] || 16384;
@@ -210,17 +224,21 @@ sub StreamFile (%) {
next unless defined $Length;
my $Offset = 0;
- while ($Length) {
- my $Written = syswrite STDOUT, $Buffer, $Length, $Offset;
+ my $Written= 1;
+ while ($Length && $Written > 0) {
+ print STDOUT $Buffer;
+ $Written = $Length;
+ last unless defined($Written);
$Length -= $Written;
$Offset += $Written;
}
+ last unless defined($Written);
}
close OUT;
} else {
print $query -> header( -charset => $HTTP_ENCODING );
print $query -> start_html,
- "There was a problem. File $File does not exist.",
+ "There was a problem. The file does not exist.",
$query -> end_html;
}
}
diff --git a/DocDB/cgi/FormElements.pm b/DocDB/cgi/FormElements.pm
index 615cf226..9c68bf60 100644
--- a/DocDB/cgi/FormElements.pm
+++ b/DocDB/cgi/FormElements.pm
@@ -1,19 +1,19 @@
#
# Name: FormElements.pm
-# Description: Various routines which supply input forms for document
-# addition, etc. This file is deprecated. Routines are
+# Description: Various routines which supply input forms for document
+# addition, etc. This file is deprecated. Routines are
# being moved out into the various *HTML.pm files.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -29,9 +29,9 @@ require "TopicHTML.pm";
sub DaysPulldown (;$) {
my ($DefaultDays) = @_;
- unless ($DefaultDays) {
+ unless ($DefaultDays) {
$DefaultDays = $LastDays;
- }
+ }
my @Days = (1,2,3,5,7,10,14,20,30,45,60,90,120,180 );
print $query -> popup_menu (-name => 'days', -values => \@Days,
-default => $DefaultDays, -onChange => "submit()");
@@ -39,7 +39,7 @@ sub DaysPulldown (;$) {
sub DateTimePulldown (%) { # Note capitalization
my (%Params) = @_;
-
+
my $Name = $Params{-name} || "date";
my $Disabled = $Params{-disabled} || 0;
my $DateOnly = $Params{-dateonly} || 0;
@@ -47,7 +47,7 @@ sub DateTimePulldown (%) { # Note capitalization
my $OneTime = $Params{-onetime} || 0;
my $OneLine = $Params{-oneline} || 0;
my $Granularity = $Params{-granularity} || 5;
-
+
my $Default = $Params{-default};
my $HelpLink = $Params{-helplink} || "";
@@ -55,13 +55,13 @@ sub DateTimePulldown (%) { # Note capitalization
my $Required = $Params{-required} || 0;
my $NoBreak = $Params{-nobreak} ;
my $ExtraText = $Params{-extratext};
-
+
my $Booleans = "";
-
+
if ($Disabled) {
$Booleans .= "-disabled";
- }
-
+ }
+
my ($Sec,$Min,$Hour,$Day,$Mon,$Year) = localtime(time);
$Year += 1900;
$Min = (int (($Min+($Granularity/2))/$Granularity))*$Granularity; # Nearest $Granularity minutes
@@ -69,13 +69,13 @@ sub DateTimePulldown (%) { # Note capitalization
my $DefaultHHMM;
if ($Default) {
my ($DefaultDate,$DefaultTime);
- if ($DateOnly) {
+ if ($DateOnly) {
$DefaultDate = $Default;
} elsif ($TimeOnly) {
$DefaultTime = $Default;
} else {
($DefaultDate,$DefaultTime) = split /\s+/,$Default;
- }
+ }
($Year,$Mon,$Day) = split /-/,$DefaultDate;
$Day = int($Day);
@@ -88,41 +88,41 @@ sub DateTimePulldown (%) { # Note capitalization
$Sec = int($Sec);
$DefaultHHMM = sprintf "%2.2d:%2.2d",$Hour,$Min;
}
-
+
my @Years = ();
for (my $i = $FirstYear; $i<=$Year+1; ++$i) { # $FirstYear - current year + 1
push @Years,$i;
- }
+ }
my @Days = ();
for (my $i = 1; $i<=31; ++$i) { # $FirstYear - current year
push @Days,$i;
- }
+ }
my @Hours = ();
for (my $i = 0; $i<24; ++$i) {
push @Hours,$i;
- }
+ }
my @Minutes = ();
for (my $i = 0; $i<=55; $i=$i+5) {
push @Minutes,(sprintf "%2.2d",$i);
- }
-
+ }
+
my @Times = ();
for (my $Hour = 0; $Hour<=23; ++$Hour) {
for (my $Min = 0; $Min<=59; $Min=$Min+$Granularity) {
push @Times,sprintf "%2.2d:%2.2d",$Hour,$Min;
- }
- }
-
- my $ElementTitle = &FormElementTitle(-helplink => $HelpLink ,
+ }
+ }
+
+ my $ElementTitle = &FormElementTitle(-helplink => $HelpLink ,
-helptext => $HelpText ,
-extratext => $ExtraText,
-text => $Text ,
-nobreak => $NoBreak ,
-required => $Required );
- print $ElementTitle,"\n";
+ print $ElementTitle,"\n";
unless ($DateOnly) {
if ($OneTime) {
@@ -135,10 +135,10 @@ sub DateTimePulldown (%) { # Note capitalization
}
unless ($OneLine || $DateOnly || $TimeOnly) {
print "
\n";
-}
+}
DocDBNavBar();
DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/GroupAdministerForm b/DocDB/cgi/GroupAdministerForm
index 0c932c72..07f45fbe 100755
--- a/DocDB/cgi/GroupAdministerForm
+++ b/DocDB/cgi/GroupAdministerForm
@@ -1,17 +1,17 @@
#! /usr/bin/env perl
#
-# Description: This script provides a form to administer groups in
+# Description: This script provides a form to administer groups in
# the DocDB and shows the relationships between groups.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -23,7 +23,7 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI qw(-nosticky);
+use CGI qw(-nosticky);
use DBI;
require "DocDBGlobals.pm";
@@ -40,12 +40,13 @@ require "HTMLUtilities.pm";
require "Sorts.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
GetSecurityGroups();
print $query -> header( -charset => $HTTP_ENCODING );
-DocDBHeader("Group Administration","",-scripts => ["PopUps","GroupAdminDisable"]);
+DocDBHeader("Group Administration","",-scripts => ["PopUps","GroupAdminDisable"]);
@ErrorStack = ();
@WarnStack = ();
@@ -91,14 +92,14 @@ print "\n";
print "
\n";
@@ -274,7 +276,7 @@ sub UpdateButton {
# unless (&CanModify) {return;}
- $query -> param('mode','update');
+ $query -> param('mode','update');
$query -> param('docid',$DocumentID);
print $query -> startform('POST',$DocumentAddForm);
@@ -289,13 +291,13 @@ sub UpdateButton {
sub UpdateDBButton {
my ($DocumentID,$Version) = @_;
-
+
# unless (&CanModify) {return;}
$query -> param('mode', 'updatedb');
$query -> param('docid', $DocumentID);
$query -> param('version',$Version);
-
+
print $query -> startform('POST',$DocumentAddForm);
print "\n";
print " \n";
print "\n";
- my $ElementTitle = FormElementTitle(-helplink => "authorentry",
+ my $ElementTitle = FormElementTitle(-helplink => "authorentry",
-helptext => "First Name",
-required => $TRUE);
- print $ElementTitle,"\n";
- print $query -> textfield (-name => 'first',
+ print $ElementTitle,"\n";
+ print $query -> textfield (-name => 'first',
-size => 20, -maxlength => 32,$Booleans);
print " \n";
- $ElementTitle = FormElementTitle(-helplink => "authorentry",
+ $ElementTitle = FormElementTitle(-helplink => "authorentry",
-helptext => "Middle Initial(s)");
- print $ElementTitle,"\n";
- print $query -> textfield (-name => 'middle',
+ print $ElementTitle,"\n";
+ print $query -> textfield (-name => 'middle',
-size => 10, -maxlength => 16,$Booleans);
print " \n";
- $ElementTitle = FormElementTitle(-helplink => "authorentry",
+ $ElementTitle = FormElementTitle(-helplink => "authorentry",
-helptext => "Last Name",
-required => $TRUE);
- print $ElementTitle,"\n";
- print $query -> textfield (-name => 'lastname',
+ print $ElementTitle,"\n";
+ print $query -> textfield (-name => 'lastname',
-size => 20, -maxlength => 32,$Booleans);
print " \n";
print "
\n";
- }
-
+ }
+
return $TitleText;
}
diff --git a/DocDB/cgi/GeneralInstructions.pm b/DocDB/cgi/GeneralInstructions.pm
index 4514a69b..0bb7469d 100644
--- a/DocDB/cgi/GeneralInstructions.pm
+++ b/DocDB/cgi/GeneralInstructions.pm
@@ -6,7 +6,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# Additional Text: Marcia Teckenbrock
# This file is part of DocDB.
@@ -335,7 +335,7 @@ HTML
When reserving a document, you must supply:
@@ -360,10 +360,14 @@ HTML
Copy filename from previous version:
+ If you want to drop a file from the new version, leave its box unchecked, and at the end of the
+ list of files click the box in front of New version has fewer files
.
Document Signoffs
\n";
- print "signed
+ print "signed
or approved
by a group of people before becoming approved.
People with Personal
Accounts can sign documents. The list of people needing to approve a
document is editable by the same groups that can edit the document itself.freeze
a document and its meta-information such that only
managers
can modify it or unfreeze it, ask the
DocDB
- administrators for the procedure.\n";
+ administrators for the procedure. The administrators can also add or subtract from the list of possible approvers.\n";
print "signed
'
+ (even if they were approved at some time). All information about who signed
each version of each document is kept.topologies.
- For instance, person A or person B might be allowed to sign at the first step,
- followed by person C at the second step. Or, person A and person B may both have to
- sign (but in parallel) before person C can sign. However, the current DocDB code only
- allows one topology (an ordered list). When a document under control is
- updated, the signoff list structure is preserved, but the approvals themselves
- are cleared.
\n";
- print "
-
\n";
- }
+ print <New Documents
+
+ Signoffs
.
+ There is also a link (Signoff Chooser
) to the list of all people that have
+ been enabled to be approvers for DocDB.Signoff Chooser
+ link and pick one or more individuals to approve the document. You can
+ do this by selecting the names on the pop-up window in the order in which
+ the approvals should occur. Approvers will be sent e-mail in that order.Unapproved
until signoffs are
+ completed. The list of selected approvers is at the bottom of the DocDB
+ page for the document, and includes the status of the signoff process.Updating Documents
+
+ Updating Metadata
+ Adding Files to a Document
+ Approvers
+ Approved
.\n";
print ' ';
-SecurityScroll(-name => 'parent', -disabled => $TRUE,
+SecurityScroll(-name => 'parent', -disabled => $TRUE,
-helplink => 'parent', -helptext => 'Group');
-print " \n";
+print "\n";
print '';
SecurityScroll(-name => 'child', -disabled => $TRUE, -multiple => $TRUE,
-helplink => 'child', -helptext => 'Subordinates');
print " \n";
@@ -131,7 +132,11 @@ my @GroupIDs = sort numerically keys %SecurityGroups;
print '
\n";
-print $query -> checkbox(-name => "removesubs", -value => 'removesubs',
+print $query -> checkbox(-name => "removesubs", -value => 'removesubs',
-label => '', -disabled => 'disabled');
print "Remove all";
print "';
foreach my $GroupID (@GroupIDs) {
print "
\n";
print "\n";
- print " \n";
-}
+}
print "$SecurityGroups{$GroupID}{NAME} \n";
+ print "
($SecurityGroups{$GroupID}{Description})";
+ print SmartHTML({-text => $SecurityGroups{$GroupID}{NAME}},);
+ print " \n";
print "
(";
+ print SmartHTML({-text => $SecurityGroups{$GroupID}{Description}},);
+ print ")\n";
print "Dominant groups:\n";
PrintGroupParents($GroupID);
@@ -145,7 +150,7 @@ foreach my $GroupID (@GroupIDs) {
PrintGroupPermissions($GroupID);
print " \n";
print "
\n";
diff --git a/DocDB/cgi/GroupHTML.pm b/DocDB/cgi/GroupHTML.pm
index ad6abb67..cf1bb378 100644
--- a/DocDB/cgi/GroupHTML.pm
+++ b/DocDB/cgi/GroupHTML.pm
@@ -1,5 +1,5 @@
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/HTMLUtilities.pm b/DocDB/cgi/HTMLUtilities.pm
index 9274504c..2929212c 100644
--- a/DocDB/cgi/HTMLUtilities.pm
+++ b/DocDB/cgi/HTMLUtilities.pm
@@ -1,16 +1,16 @@
#
-# Description: Routines to output headers, footers, navigation bars, etc.
+# Description: Routines to output headers, footers, navigation bars, etc.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -22,24 +22,67 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-
require "ProjectRoutines.pm";
+sub SmartHTML ($) {
+ my ($ArgRef) = @_;
+ my $Text = exists $ArgRef->{-text} ? $ArgRef->{-text} : "";
+ my $MakeURLs = exists $ArgRef->{-makeURLs} ? $ArgRef->{-makeURLs} : $FALSE;
+ my $AddLineBreaks = exists $ArgRef->{-addLineBreaks} ? $ArgRef->{-addLineBreaks} : $FALSE;
+
+ # Escape text into &x1234; format ignoring a alphanumerics and a few special characters
+ $Text =~ s{([^\:\/\.\-\?\=\+\w\s&#%;]|&(?!#?\w+;))}{"&#x".sprintf("%x", unpack(U,$1)).";"}ge;
+
+ # Turn found URLs into hyperlinks, adapted from Perl Cookbook, 6.21
+ if ($MakeURLs) {
+ my $urls = '(http|telnet|gopher|file|wais|ftp|https)';
+ my $ltrs = '\w';
+ my $gunk = '/#~:.?+=&%@!{};\-';
+ my $punc = '.:?\-';
+ my $any = "${ltrs}${gunk}${punc}";
+ $Text =~ s{
+ \b # start at word boundary
+ ( # begin $1 {
+ $urls : # need resource and a colon
+ [$any] +? # followed by on or more
+ # of any valid character, but
+ # be conservative and take only
+ # what you need to....
+ ) # end $1 }
+ (?= # look-ahead non-consumptive assertion
+ [$punc]* # either 0 or more punctuation
+ [^$any] # followed by a non-url char
+ | # or else
+ $ # then end of the string
+ )
+ }{$1}igox;
+ }
+
+ # Make two line-feeds into a paragraph break and one into a line break in HTML
+ if ($AddLineBreaks) {
+ $Text =~ s/\s*\n\s*\n\s*/
\n";
+ print "The institution has been deleted.
\n";
}
} elsif ($Action eq "Modify") { # Modify institutions
unless ($InstitutionID) {
@@ -89,16 +91,16 @@ if ($Action eq "Delete") { # Delete institutions
}
&EndPage(@ErrorStack);
-# Deal with name changes
+# Deal with name changes
- if ($ShortName) {
- print "Updating short topic name.
\n";
+ if ($ShortName) {
+ print "Updating short institution name.
\n";
my $InstitutionUpdate = $dbh->prepare(
"update Institution set ShortName=? where InstitutionID=?");
$InstitutionUpdate -> execute($ShortName,$InstitutionID);
}
- if ($LongName) {
- print "Updating long topic name.
\n";
+ if ($LongName) {
+ print "Updating long institution name.
\n";
my $InstitutionUpdate = $dbh->prepare(
"update Institution set LongName=? where InstitutionID=?");
$InstitutionUpdate -> execute($LongName,$InstitutionID);
@@ -113,17 +115,18 @@ if ($Action eq "Delete") { # Delete institutions
$InstitutionID = $InstitutionInsert -> {mysql_insertid}; # Works with MySQL only
} else {
push @ErrorStack,"No valid action was specified.";
-}
+}
# For modify or new fetch institution information and display.
+ClearInstitutions();
if ($Action eq "Modify" || $Action eq "New") {
&FetchInstitution($InstitutionID);
print "
\n";
- print "Short name: $Institutions{$InstitutionID}{SHORT}
\n";
- print "Long name: $Institutions{$InstitutionID}{LONG}
\n";
+ print "Short institution name: $Institutions{$InstitutionID}{SHORT}
\n";
+ print "Long institution name: $Institutions{$InstitutionID}{LONG}
\n";
print "
\n";
my $JournalUpdate = $dbh->prepare(
"update Journal set Name=? where JournalID=?");
$JournalUpdate -> execute($FullName,$JournalID);
}
- if ($Abbreviation) {
+ if ($Abbreviation) {
print "Updating journal abbreviation.
\n";
my $JournalUpdate = $dbh->prepare(
"update Journal set Abbreviation=? where JournalID=?");
$JournalUpdate -> execute($Abbreviation,$JournalID);
}
- if ($Acronym) {
+ if ($Acronym) {
print "Updating journal acronym.
\n";
my $JournalUpdate = $dbh->prepare(
"update Journal set Acronym=? where JournalID=?");
$JournalUpdate -> execute($Acronym,$JournalID);
}
- if ($Publisher) {
+ if ($Publisher) {
print "Updating journal publisher.
\n";
my $JournalUpdate = $dbh->prepare(
"update Journal set Publisher=? where JournalID=?");
$JournalUpdate -> execute($Publisher,$JournalID);
}
- if ($URL) {
+ if ($URL) {
print "Updating journal URL.
\n";
my $JournalUpdate = $dbh->prepare(
"update Journal set URL=? where JournalID=?");
@@ -129,7 +131,7 @@ if ($Action eq "Delete") { # Delete institutions
$JournalID = $JournalInsert -> {mysql_insertid}; # Works with MySQL only
} else {
push @ErrorStack,"No valid action was specified.";
-}
+}
# For modify or new fetch institution information and display.
@@ -142,7 +144,7 @@ if ($Action eq "Modify" || $Action eq "New") {
print "Publisher: $Journals{$JournalID}{Publisher}
\n";
print "URL: $Journals{$JournalID}{URL}
\n";
print "
\n";
@@ -107,11 +109,11 @@ sub JournalTable (;$) {
my @JournalIDs = sort keys %Journals; #FIXME Sort by abbreviation
foreach my $ID (@JournalIDs) {
print "\n";
print " \n";
print "\n";
print FormElementTitle(-helplink => "journalentry", -helptext => "Full Name");
- print $query -> textfield (-name => 'name',
+ print $query -> textfield (-name => 'name',
-size => 40, -maxlength => 128, $Booleans);
print " \n";
print "\n";
print FormElementTitle(-helplink => "journalentry", -helptext => "Publisher");
- print $query -> textfield (-name => 'pub',
+ print $query -> textfield (-name => 'pub',
-size => 40, -maxlength => 64, $Booleans);
print " \n";
print FormElementTitle(-helplink => "journalentry", -helptext => "Abbreviation");
- print $query -> textfield (-name => 'abbr',
+ print $query -> textfield (-name => 'abbr',
-size => 40, -maxlength => 64, $Booleans);
print " \n";
print "\n";
print FormElementTitle(-helplink => "journalentry", -helptext => "URL");
- print $query -> textfield (-name => 'url',
+ print $query -> textfield (-name => 'url',
-size => 40, -maxlength => 240, $Booleans);
print " \n";
print FormElementTitle(-helplink => "journalentry", -helptext => "Acronym");
- print $query -> textfield (-name => 'acronym',
+ print $query -> textfield (-name => 'acronym',
-size => 8, -maxlength => 8, $Booleans);
print " \n";
- print " \n";
}
print "$Journals{$ID}{Name} \n";
- print "$Journals{$ID}{Abbreviation} \n";
- print "$Journals{$ID}{Acronym} \n";
- print "$Journals{$ID}{Publisher} \n";
- print "$Journals{$ID}{URL} \n";
+ print "".SmartHTML({-text => $Journals{$ID}{Name}},)." \n";
+ print "".SmartHTML({-text => $Journals{$ID}{Abbreviation}},)." \n";
+ print "".SmartHTML({-text => $Journals{$ID}{Acronym}},)." \n";
+ print "".SmartHTML({-text => $Journals{$ID}{Publisher}},)." \n";
+ print "".SmartHTML({-text => $Journals{$ID}{URL}, -makeURLs => $TRUE},)." \n";
print "\n";
- foreach my $ReferenceID (@ReferenceIDs) {
+ foreach my $ReferenceID (@ReferenceIDs) {
print "
\n";
}
diff --git a/DocDB/cgi/KeywordAdministerForm b/DocDB/cgi/KeywordAdministerForm
index c8dd4820..89aeebfb 100755
--- a/DocDB/cgi/KeywordAdministerForm
+++ b/DocDB/cgi/KeywordAdministerForm
@@ -6,7 +6,7 @@
# Author: Lynn Garren (garren@fnal.gov)
# Modified: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -41,6 +41,7 @@ require "HTMLUtilities.pm";
require "Sorts.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
&GetKeywords;
diff --git a/DocDB/cgi/KeywordGroupAdminister b/DocDB/cgi/KeywordGroupAdminister
index a495ef0b..bfb38b2c 100755
--- a/DocDB/cgi/KeywordGroupAdminister
+++ b/DocDB/cgi/KeywordGroupAdminister
@@ -3,17 +3,17 @@
# Description: This script is called by KeywordAdministerForm and does administration
# on Keyword Groups in the DB. This script adds, modifies and deletes
# these groups. It will not delete groups if there are associated
-# keywords.
+# keywords.
#
# Author: Lynn Garren (garren@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,38 +26,40 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
require "ResponseElements.pm";
require "Security.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "KeywordSQL.pm";
require "KeywordHTML.pm";
require "Messages.pm";
$query = new CGI; # Global for subroutines
-
-%params = $query -> Vars;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
@ErrorStack = ();
@WarnStack = ();
-# Parameters to script
+# Parameters to script
-$Password = $params{password};
-my $Username = $params{admuser};
-$Action = $params{admaction};
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $Username = $Untaint -> extract(-as_printable => "admuser") || "";
+my $Action = $Untaint -> extract(-as_printable => "admaction") || "";
-$KeywordGroupID = $params{keywordgroup};
-$LongName = $params{longdesc};
-$ShortName = $params{shortdesc};
+my $KeywordGroupID = $Untaint -> extract(-as_integer => "keywordgroup") || 0;
+my $LongName = $Untaint -> extract(-as_safehtml => "longdesc") || "";
+my $ShortName = $Untaint -> extract(-as_safehtml => "shortdesc") || "";
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password);
unless ($dbh) {
push @ErrorStack,$Msg_AdminNoConnect;
-}
+}
print $query -> header( -charset => $HTTP_ENCODING );
&DocDBHeader("Modified List of Keyword Groups");
@@ -66,13 +68,13 @@ print $query -> header( -charset => $HTTP_ENCODING );
unless (&CanAdminister) {
push @ErrorStack,$Msg_AdminNoLogin;
-}
+}
&EndPage(@ErrorStack);
&GetKeywords;
if ($Action eq "Delete") { # Delete keyword groups
- @KeywordListIDs = &GetKeywordsByKeywordGroupID($KeywordGroupID);
+ @KeywordListIDs = &GetKeywordsByKeywordGroupID($KeywordGroupID);
if (!$KeywordGroupID) {
push @ErrorStack,$Msg_ModKeyGrEmpty;
} elsif (@KeywordListIDs) { # Not sure we want this anymore
@@ -90,15 +92,15 @@ if ($Action eq "Delete") { # Delete keyword groups
}
&EndPage(@ErrorStack);
-# Deal with name changes
+# Deal with name changes
- if ($ShortName) {
+ if ($ShortName) {
print "Updating short description.\n";
my $JournalDefault = $RevisionReferences{$ReferenceID}{JournalID};
my $VolumeDefault = $RevisionReferences{$ReferenceID}{Volume} ;
my $PageDefault = $RevisionReferences{$ReferenceID}{Page} ;
print " \n";
+ print "\n";
}
print "Journal: \n";
- print $query -> popup_menu(-name => "journal", -values => \@JournalIDs,
+ print $query -> popup_menu(-name => "journal", -values => \@JournalIDs,
-labels => \%JournalLabels,
-default => $JournalDefault);
print " ";
print "Volume: \n";
- print $query -> textfield (-name => 'volume',
- -size => 8, -maxlength => 8,
+ print $query -> textfield (-name => 'volume',
+ -size => 8, -maxlength => 8,
-default => $VolumeDefault);
print " ";
print "Page: \n";
- print $query -> textfield (-name => 'page',
- -size => 8, -maxlength => 16,
+ print $query -> textfield (-name => 'page',
+ -size => 8, -maxlength => 16,
-default => $PageDefault);
- print "
\n";
my $KeywordGroupUpdate = $dbh->prepare(
"update KeywordGroup set ShortDescription=? where KeywordGroupID=?");
$KeywordGroupUpdate -> execute($ShortName,$KeywordGroupID);
}
- if ($LongName) {
+ if ($LongName) {
print "Updating long description.
\n";
my $KeywordGroupUpdate = $dbh->prepare(
"update KeywordGroup set LongDescription=? where KeywordGroupID=?");
@@ -114,7 +116,7 @@ if ($Action eq "Delete") { # Delete keyword groups
$KeywordGroupID = $KeywordGroupInsert -> {mysql_insertid}; # Works with MySQL only
} else {
push @ErrorStack,"No valid action was specified.";
-}
+}
# For modify or new fetch information and display.
@@ -124,7 +126,7 @@ if ($Action eq "Modify" || $Action eq "New") {
print "Short description: $KeywordGroups{$KeywordGroupID}{Short}
\n";
print "Long description: $KeywordGroups{$KeywordGroupID}{Long}
\n";
print "\n";
++$Row;
}
@@ -88,7 +97,7 @@ sub KeywordTable {
&KeywordsbyKeywordGroup($KeywordGroupID,$Mode);
print "\n";
++$Col;
- }
+ }
print " \n";
print "\n";
print " $KeywordGroup\n";
print " \n";
@@ -135,15 +144,15 @@ sub KeywordDetailedList {
print " $Link \n";
print " $Text \n";
print "
\n";
} elsif ($Action eq "Modify") {
unless ($KeywordID) {
@@ -89,29 +91,29 @@ if ($Action eq "Delete") {
}
&EndPage(@ErrorStack);
-# Deal with name changes
+# Deal with name changes
- if ($ShortName) {
+ if ($ShortName) {
print "Updating short keyword name.
\n";
my $KeywordUpdate = $dbh->prepare(
"update Keyword set ShortDescription=? where KeywordID=?");
$KeywordUpdate -> execute($ShortName,$KeywordID);
}
- if ($LongName) {
+ if ($LongName) {
print "Updating long keyword name.
\n";
my $KeywordUpdate = $dbh->prepare(
"update Keyword set LongDescription=? where KeywordID=?");
$KeywordUpdate -> execute($LongName,$KeywordID);
}
-# Deal with KeywordGroup changes
+# Deal with KeywordGroup changes
@KeywordGroupIDs = sort numerically @KeywordGroupIDs; # Want to get -1: remove first
foreach my $KeywordGroupID (@KeywordGroupIDs) {
if ($KeywordGroupID == -1) { # Remove existing KeywordGrouping entries
my $GroupingDelete = $dbh -> prepare("delete from KeywordGrouping where KeywordID=?");
$GroupingDelete -> execute($KeywordID);
- } elsif ($KeywordGroupID) {
+ } elsif ($KeywordGroupID) {
my $GroupingSelect = $dbh -> prepare(
"select KeywordGroupingID from KeywordGrouping where KeywordID=? and KeywordGroupID=?");
$GroupingSelect -> execute($KeywordID,$KeywordGroupID);
@@ -130,11 +132,11 @@ if ($Action eq "Delete") {
print "Adding a new keyword.
\n";
my $KeywordInsert = $dbh->prepare(
- "insert into Keyword (KeywordID, ShortDescription, LongDescription) ".
+ "insert into Keyword (KeywordID, ShortDescription, LongDescription) ".
"values (0,?,?)");
my $KeywordGroupingInsert = $dbh->prepare(
- "insert into KeywordGrouping (KeywordGroupingID, KeywordGroupID, KeywordID) ".
+ "insert into KeywordGrouping (KeywordGroupingID, KeywordGroupID, KeywordID) ".
"values (0,?,?)");
$KeywordInsert -> execute($ShortName,$LongName);
@@ -142,10 +144,10 @@ if ($Action eq "Delete") {
foreach my $KeywordGroupID (@KeywordGroupIDs) {
$KeywordGroupingInsert -> execute($KeywordGroupID,$KeywordID);
- }
+ }
} else {
push @ErrorStack,"No valid action was specified.";
-}
+}
# For modify or new fetch information and display.
@@ -158,7 +160,7 @@ if ($Action eq "Modify" || $Action eq "New") {
print "Short description: $ShortLink
\n";
print "Long description: $LongLink
\n";
print "
(List events on '.$Topics{$TopicID}{Long}.')';
+ $Message .= '
(List events on '.SmartHTML({-text=>$Topics{$TopicID}{Long}}).')';
}
} elsif ($AuthorID) {
@@ -144,11 +147,12 @@ if ($Days) {
my $Link = AuthorLink($AuthorID);
- $Message = "$Link of $Institutions{$Authors{$AuthorID}{InstitutionID}}{LONG}
- is listed as an author on the following documents:";
+ $Message = "$Link of ";
+ $Message .= SmartHTML( {-text => $Institutions{$Authors{$AuthorID}{InstitutionID}}{LONG}, } );
+ $Message .= " is listed as an author on the following documents:";
my %Hash = GetEventHashByModerator($AuthorID);
if (%Hash) {
- $Message .= '
(List events moderated by '.$Authors{$AuthorID}{FULLNAME}.')';
+ $Message .= '
(List events moderated by '.$Link.')';
}
@DocumentIDs = GetAuthorDocuments($AuthorID);
} elsif ($EventID) {
@@ -161,9 +165,11 @@ if ($Days) {
$FieldListOptions{-eventid} = $EventID;
$FieldListOptions{-eventgroupid} = $Conferences{$EventID}{EventGroupID};
$Title = "Document List by Event";
- $Message = "These documents from $Conferences{$EventID}{LongDescription} ";
+ $Message = "These documents from ";
+ $Message .= SmartHTML({-text => $Conferences{$EventID}{LongDescription}});
+ $Message .= " ";
if ($Conferences{$EventID}{URL}) {
- $Message .= "($Conferences{$EventID}{URL}) ";
+ $Message .= "(".SmartHTML({-text => $Conferences{$EventID}{URL}, -makeURLs=>$TRUE}).") ";
}
$Message .= "are available:";
$List = $dbh -> prepare("select DISTINCT(DocumentRevision.DocumentID) from ".
@@ -185,7 +191,9 @@ if ($Days) {
$FieldListOptions{-eventgroupid} = $EventGroupID;
$FieldListOptions{-default} = "Event Group Default";
$Title = "Document List by Event Group";
- $Message = "These documents from $EventGroups{$EventGroupID}{LongDescription} are available:";
+ $Message = "These documents from ";
+ $Message .= SmartHTML({-text => $EventGroups{$EventGroupID}{LongDescription},});
+ $Message .=" are available:";
$List = $dbh -> prepare("select DISTINCT(DocumentRevision.DocumentID) from ".
"DocumentRevision,RevisionEvent,Conference where DocumentRevision.DocRevID=RevisionEvent.DocRevID ".
"and DocumentRevision.Obsolete=0 and RevisionEvent.ConferenceID=Conference.ConferenceID and Conference.EventGroupID=?");
@@ -195,8 +203,10 @@ if ($Days) {
FetchDocType ($TypeID);
$FieldListOptions{-doctypeid} = $TypeID;
$Title = "Document List by Type";
- $Message = "These documents of type
- $DocumentTypes{$TypeID}{SHORT} are available:";
+
+ $Message = "These documents of type ";
+ $Message .= SmartHTML({-text => $DocumentTypes{$TypeID}{SHORT},});
+ $Message .= " are available:";
$List = $dbh -> prepare("select DISTINCT(DocumentRevision.DocumentID) from ".
"DocumentRevision where DocumentRevision.DocTypeID=?");
@@ -206,11 +216,13 @@ if ($Days) {
$GroupID = FetchSecurityGroupByName($Group);
}
$Title = "Document List by Group";
- $Message = "These documents for
- $SecurityGroups{$GroupID}{NAME} are available:";
+ $Message = "These documents for ";
+ $Message .= SmartHTML({-text => $SecurityGroups{$GroupID}{NAME},});
+ $Message .= " are available:";
$List = $dbh -> prepare("select DISTINCT(DocumentRevision.DocumentID) from ".
- "DocumentRevision,RevisionSecurity where DocumentRevision.DocRevID=RevisionSecurity.DocRevID and RevisionSecurity.GroupID=?");
+ "DocumentRevision,RevisionSecurity where DocumentRevision.DocRevID=RevisionSecurity.DocRevID ".
+ "and DocumentRevision.Obsolete=0 and RevisionSecurity.GroupID=?");
$List -> execute($GroupID);
} elsif ($AllPubs) {
$Title = "$Project Publications";
diff --git a/DocDB/cgi/ListEventsBy b/DocDB/cgi/ListEventsBy
index b7e0ce06..b3f3219c 100755
--- a/DocDB/cgi/ListEventsBy
+++ b/DocDB/cgi/ListEventsBy
@@ -9,7 +9,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -44,6 +44,7 @@ require "TopicHTML.pm";
require "CalendarHTML.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
# Parameters to script
@@ -91,7 +92,9 @@ if ($TopicID) {
$EventHash{$ID} = $Hash{$ID};
}
}
- $HTML .= "Events for $Topics{$TopicID}{Long} ";
+ $HTML .= "
Events for ";
+ $HTML .= SmartHTML({-text=>$Topics{$TopicID}{Long}});
+ $HTML .= " ";
if (scalar(@ChildTopicIDs) > 1) {
$HTML .= " and its sub-topics";
}
@@ -105,8 +108,9 @@ if ($TopicID) {
my $Link = AuthorLink($AuthorID);
- $HTML .= "
Events moderated by $Link of
- $Institutions{$Authors{$AuthorID}{InstitutionID}}{LONG}";
+ $HTML .= "
Events moderated by $Link of ";
+ $HTML .= SmartHTML({-text=>$Institutions{$Authors{$AuthorID}{InstitutionID}}{LONG}});
+ $HTML .= "";
if ($Preferences{Components}{iCal}) {
$HTML .= ' '.ICalLink({ -authorid => $AuthorID });
}
@@ -170,8 +174,8 @@ if (@HashIDs) {
}
$Title = SessionLink(-sessionid => $SessionID, -format => "full");
- $Location = join '
',$Sessions{$SessionID}{Location},
- $Sessions{$SessionID}{AltLocation};
+ $Location = join '
',SmartHTML({-text=>$Sessions{$SessionID}{Location}}),
+ SmartHTML({-text=>$Sessions{$SessionID}{AltLocation}});
$Topics = TopicListByID({ -linktype => "event", -listformat => "br", -sortby => "name",
-topicids => $Sessions{$SessionID}{Topics}, });
@@ -192,8 +196,8 @@ if (@HashIDs) {
}
$Title = EventLink(-eventid => $EventID,);
- $Location = join '
',$Conferences{$EventID}{Location},
- $Conferences{$EventID}{AltLocation};
+ $Location = join '
',SmartHTML({-text=>$Conferences{$EventID}{Location}}),
+ SmartHTML({-text=>$Conferences{$EventID}{AltLocation}});
$Topics = TopicListByID({ -linktype => "event", -listformat => "br", -sortby => "name",
-topicids => $Conferences{$EventID}{Topics}, });
$Time = 'All day/no time';
diff --git a/DocDB/cgi/ListGroupUsers b/DocDB/cgi/ListGroupUsers
index 1d12505c..27bf7ee2 100755
--- a/DocDB/cgi/ListGroupUsers
+++ b/DocDB/cgi/ListGroupUsers
@@ -6,15 +6,15 @@
# receiving what.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,7 +26,7 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI qw(-nosticky);
+use CGI qw(-nosticky);
use DBI;
require "DocDBGlobals.pm";
@@ -39,12 +39,13 @@ require "SecuritySQL.pm";
require "NotificationSQL.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
GetSecurityGroups();
print $query -> header( -charset => $HTTP_ENCODING );
-DocDBHeader("List of Groups and Users","");
+DocDBHeader("List of Groups and Users","");
@ErrorStack = ();
@WarnStack = ();
@@ -62,18 +63,19 @@ EndPage();
print "DocDB Security Groups
\n";
-print "'."\n";
+print '
'."\n";
print '
\n";
diff --git a/DocDB/cgi/ListKeywords b/DocDB/cgi/ListKeywords
index 9aaf669c..a0a8f8de 100755
--- a/DocDB/cgi/ListKeywords
+++ b/DocDB/cgi/ListKeywords
@@ -1,20 +1,20 @@
#! /usr/bin/env perl
#
# Name: ListKeywords
-# Description: Lists the managed keywords.
+# Description: Lists the managed keywords.
# In the first mode, links perform a search
-# In chooser mode, links insert the keyword into the
+# In chooser mode, links insert the keyword into the
# form on the calling page
#
# Author: Lynn Garren (garren@fnal.gov)
# Modified: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,7 +26,8 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI;
+use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -34,18 +35,19 @@ require "KeywordSQL.pm";
require "ResponseElements.pm";
require "KeywordHTML.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "Messages.pm";
$query = new CGI; # Global for subroutines
-%params = $query -> Vars;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-my $Mode = $params{mode} || "display";
-my $Format = $params{format} || "short" ;
+my $Mode = $Untaint -> extract(-as_printable => "mode") || "display";
+my $Format = $Untaint -> extract(-as_printable => "format") || "short";
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
-
print $query -> header( -charset => $HTTP_ENCODING );
&DocDBHeader("List of Keywords","", -scripts => ["PopUps","InsertKeyword"]);
@@ -57,7 +59,7 @@ if ($Mode eq "chooser") {
print "Group Description Admin? Create? View? ';
- print ' '.
- $SecurityGroups{$SecurityGroupID}{NAME}.' ';
- print ''.$SecurityGroups{$SecurityGroupID}{Description}.' ';
+ print ''.$Name.' ';
+ print ''.$Description.' ';
print ''.('No','Yes')[$SecurityGroups{$SecurityGroupID}{CanAdminister}].' ';
print ''.('No','Yes')[$SecurityGroups{$SecurityGroupID}{CanCreate}]. ' ';
print ''.('No','Yes')[$SecurityGroups{$SecurityGroupID}{CanView}]. ' ';
@@ -87,19 +89,23 @@ my @EmailUserIDs = sort EmailUserIDsByName GetEmailUserIDs();
print "DocDB Users By Group
\n";
foreach my $SecurityGroupID (@SecurityGroupIDs) {
- my $GroupName = $SecurityGroups{$SecurityGroupID}{NAME};
+ my $GroupName = SmartHTML({-text => $SecurityGroups{$SecurityGroupID}{NAME}});
+
my @EmailUserIDs = sort EmailUserIDsByName FetchEmailUserIDsBySecurityGroup($SecurityGroupID);
if (@EmailUserIDs) {
print "\n\n";
foreach my $EmailUserID (@EmailUserIDs) {
- if ($EmailUser{$EmailUserID}{Name}) {
- print "
\n";
} else {
print "\n";
- }
+ }
}
DocDBNavBar();
diff --git a/DocDB/cgi/ListGroups b/DocDB/cgi/ListGroups
index 50afb95e..98237d4b 100755
--- a/DocDB/cgi/ListGroups
+++ b/DocDB/cgi/ListGroups
@@ -2,12 +2,12 @@
#
# Author Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -19,7 +19,7 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI;
+use CGI;
use DBI;
require "DocDBGlobals.pm";
@@ -29,6 +29,7 @@ require "HTMLUtilities.pm";
require "DBUtilities.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
CreateConnection(-type => "ro");
GetSecurityGroups();
@@ -42,10 +43,10 @@ print "Group Description \n";
print " \n";
-}
-
+}
+
print "",SecurityLink( {-groupid => $GroupID} )," \n";
- print "",$SecurityGroups{$GroupID}{Description}," \n";
+ print "",SmartHTML({-text=>$SecurityGroups{$GroupID}{Description}})," \n";
print "\n";
+ print "$Set notifications:\n";
+ print "
\n";
} elsif ($Always) {
- print "$Set notifications:\n";
- print "
\n";
}
sub EmailUserSelect (%) {
require "Sorts.pm";
my (%Params) = @_;
-
+
+ my $HelpText = $Params{-helptext} || "Username";
my $Disabled = $Params{-disabled} || "0";
- my @Defaults = @{$Params{-default}};
+ my @Defaults = @{$Params{-default}};
my %Options = ();
if ($Disabled) {
$Options{-disabled} = "disabled";
- }
-
+ }
+
my @EmailUserIDs = &GetEmailUserIDs;
foreach my $EmailUserID (@EmailUserIDs) {
- &FetchEmailUser($EmailUserID);
- $EmailUserLabels{$EmailUserID} = $EmailUser{$EmailUserID}{Username};
- }
-
+ &FetchEmailUser($EmailUserID);
+ my $Text = $EmailUser{$EmailUserID}{Name}.' ['.$EmailUser{$EmailUserID}{Username}.']';
+ $EmailUserLabels{$EmailUserID} = SmartHTML({-text => $Text});
+ }
+
@EmailUserIDs = sort EmailUserIDsByName @EmailUserIDs;
-
- print FormElementTitle(-helplink => "emailuser", -helptext => "Username");
- print $query -> scrolling_list(-name => 'emailuserid',
- -values => \@EmailUserIDs,
- -labels => \%EmailUserLabels,
- -size => 10, -default => \@Defaults,
+
+ print FormElementTitle(-helplink => "emailuser", -helptext => $HelpText);
+ print $query -> scrolling_list(-name => 'emailuserid',
+ -values => \@EmailUserIDs,
+ -labels => \%EmailUserLabels,
+ -size => 10, -default => \@Defaults,
%Options);
}
-
+
1;
diff --git a/DocDB/cgi/MeetingHTML.pm b/DocDB/cgi/MeetingHTML.pm
index 5b656a39..e1797b5c 100644
--- a/DocDB/cgi/MeetingHTML.pm
+++ b/DocDB/cgi/MeetingHTML.pm
@@ -7,7 +7,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified: Stephen Wood (saw@jlab.org), Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -24,6 +24,8 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+require "HTMLUtilities.pm";
+
sub LocationBox (;%) {
require "FormElements.pm";
@@ -74,19 +76,21 @@ sub EventURLBox (;%) {
sub ConferencePreambleBox {
require "FormElements.pm";
+ my $SafePreamble = SmartHTML({-text=>$MeetingDefaultPreamble});
my $ElementTitle = &FormElementTitle(-helplink => "meetpreepi",
-helptext => "Event Preamble");
print $ElementTitle,"\n";
- print $query -> textarea (-name => 'meetpreamble', -default => $MeetingDefaultPreamble,
+ print $query -> textarea (-name => 'meetpreamble', -default => $SafePreamble,
-columns => 50, -rows => 7);
};
sub ConferenceEpilogueBox {
require "FormElements.pm";
+ my $SafeEpilogue = SmartHTML({-text=>$MeetingDefaultEpilogue});
my $ElementTitle = &FormElementTitle(-helplink => "meetpreepi",
-helptext => "Event Epilogue");
print $ElementTitle,"\n";
- print $query -> textarea (-name => 'meetepilogue', -default => $MeetingDefaultEpilogue,
+ print $query -> textarea (-name => 'meetepilogue', -default => $SafeEpilogue,
-columns => 50, -rows => 7);
};
@@ -202,12 +206,11 @@ sub SessionEntryForm (%) {
print "\n";
- print "
\n";
+
+ print "\n";
+ print "
\n";
return;
} else {
return;
}
-
- if (@AllDocuments) {
- print "";
if ($OffsetDays) { # We are copying, not modifiying the original
- $query -> param('meetingorderid',"n$SessionOrder"); #FIXME: Try to remove
- print $query -> hidden(-name => 'meetingorderid', -default => "n$SessionOrder");
- } else {
- $query -> param('meetingorderid',$MeetingOrderID); #FIXME: Try to remove
- print $query -> hidden(-name => 'meetingorderid', -default => $MeetingOrderID);
+ $MeetingOrderID = "n$SessionOrder";
}
+ $query -> param('meetingorderid',$MeetingOrderID); #FIXME: Try to remove
+ print $query -> hidden(-name => 'meetingorderid', -default => $MeetingOrderID);
+
SessionOrder(); print "
\n";
SessionModifyLink($MeetingOrderID); print "
\n";
SessionDelete($MeetingOrderID); print "
\n";
@@ -277,6 +280,7 @@ sub SessionSeparator ($) {
if ($SessionSeparatorDefault eq "Yes") {
print "Break\n";
+ print $query -> hidden(-name => "sessionseparator", -default => "$MeetingOrderID");
} elsif ($SessionSeparatorDefault eq "No") {
print "\n";
} else {
@@ -335,33 +339,36 @@ sub SessionLink (%) {
my $Text;
my $ToolTip;
+ my $EventTitle = SmartHTML({-text=>$Conferences{$EventID}{Title}});
+ my $SessionTitle = SmartHTML({-text=>$Sessions{$SessionID}{Title}});
+ my $Location = SmartHTML({-text=>$Sessions{$SessionID}{Location}});
if ($ToolTipMode eq "TimeAndLoc") {
$ToolTip = EuroTimeHM($Sessions{$SessionID}{StartTime})." ".
EuroDate($Sessions{$SessionID}{StartTime});
} else {
if ($Conferences{$EventID}{Title} eq $Sessions{$SessionID}{Title}) {
- $ToolTip = $Sessions{$SessionID}{Title};
+ $ToolTip = $SessionTitle;
} else {
- $ToolTip = $Conferences{$EventID}{Title}." - ".$Sessions{$SessionID}{Title};
+ $ToolTip = $EventTitle." - ".$SessionTitle;
}
}
if ($Sessions{$SessionID}{Location}) {
- $ToolTip .= " - ".$Sessions{$SessionID}{Location};
+ $ToolTip .= " - ".$Location;
}
# Would like to use newlines instead of -. See mozilla bugs Bug 67127 and 45375
if ($Format eq "full") {
if ($Conferences{$EventID}{Title} && $Sessions{$SessionID}{Title} &&
$Conferences{$EventID}{Title} ne $Sessions{$SessionID}{Title}) {
- $Text = $Conferences{$EventID}{Title}.":".$Sessions{$SessionID}{Title};
+ $Text = $EventTitle.":".$SessionTitle;
} else {
- $Text = $Conferences{$EventID}{Title};
+ $Text = $EventTitle;
}
} else {
if ($Text = $Sessions{$SessionID}{Title}) {
- $Text = $Sessions{$SessionID}{Title};
+ $Text = $SessionTitle;
} else {
- $Text = $Conferences{$EventID}{Title};
+ $Text = $EventTitle;
}
}
@@ -383,24 +390,25 @@ sub SessionSeparatorLink ($) {
my $Text;
my $ToolTip;
+ my $EventTitle = SmartHTML({-text=>$Conferences{$SessionSeparators{$SessionSeparatorID}{ConferenceID}}{Title}});
+ my $SeparatorTitle = SmartHTML({-text=>$SessionSeparators{$SessionSeparatorID}{Title}});
+ my $Location = SmartHTML({-text=>$SessionSeparators{$SessionSeparatorID}{Location}});
if ($ToolTipMode eq "TimeAndLoc") {
$ToolTip = EuroTimeHM($SessionSeparators{$SessionSeparatorID}{StartTime})." ".
EuroDate($SessionSeparators{$SessionSeparatorID}{StartTime});
} else {
- $ToolTip = $Conferences{$SessionSeparators{$SessionSeparatorID}{ConferenceID}}{Title}
- ." - ".$SessionSeparators{$SessionSeparatorID}{Title};
+ $ToolTip = $EventTitle." - ".$SeparatorTitle;
}
if ($SessionSeparators{$SessionSeparatorID}{Location}) {
- $ToolTip .= " - ".$SessionSeparators{$SessionSeparatorID}{Location};
+ $ToolTip .= " - ".$Location;
}
# Would like to use newlines instead of -. See mozilla bugs Bug 67127 and 45375
if ($Format eq "full") {
- $Text = $Conferences{$SessionSeparators{$SessionSeparatorID}{ConferenceID}}{Title}
- .":".$SessionSeparators{$SessionSeparatorID}{Title};
+ $Text = $EventTitle.":".$SeparatorTitle;
} else {
- $Text = $SessionSeparators{$SessionSeparatorID}{Title};
+ $Text = $SeparatorTitle;
}
my $Link = "$Text";
@@ -455,7 +463,7 @@ sub PrintSession (%) {
if (@SessionOrderIDs) {
my %FieldListOptions = (-default => "Event Agenda", -eventid => $EventID, -eventgroupid => $EventGroupID);
my %FieldList = PrepareFieldList(%FieldListOptions);
- DocumentTable(-sessionorderids => \@SessionOrderIDs, -fieldlist => \%FieldList);
+ DocumentTable(-sessionorderids => \@SessionOrderIDs, -fieldlist => \%FieldList, -skipversions => $TRUE);
} else {
if ($OnlyTalks) {
print "No agenda yet\n";
@@ -523,8 +531,9 @@ sub PrintSessionHeader ($) {
}
if ($Sessions{$SessionID}{Description}) {
- my $Description = AddLineBreaks($Sessions{$SessionID}{Description});
- print "';
print '
\n";
}
}
@@ -841,6 +851,9 @@ sub SessionInfo ($) {
require "SQLUtilities.pm";
FetchSessionByID($SessionID);
+ my $Title = SmartHTML({-text=>$Sessions{$SessionID}{Title}});
+ my $Description = SmartHTML({-text=>$Sessions{$SessionID}{Description}, -addLineBreaks=>$TRUE, -makeURLs=>$TRUE});
+ my $Location = SmartHTML({-text=>$Sessions{$SessionID}{Location}});
# DocumentList puts a class on every cell, this only on Date
@@ -848,9 +861,9 @@ sub SessionInfo ($) {
$HTML .= "Event Wrapup: ';
print "\n";
- print URLify(AddLineBreaks($Conferences{$ConferenceID}{Epilogue}));
+ print SmartHTML({-text=>$Conferences{$ConferenceID}{Epilogue}, -addLineBreaks=>$TRUE, -makeURLs=>$TRUE});
print " ";
$HTML .= ' '.EuroDateHM($Sessions{$SessionID}{StartTime}).' ';
$HTML .= "";
- $HTML .= "$Sessions{$SessionID}{Title} ";
- $HTML .= ''.URLify(AddLineBreaks($Sessions{$SessionID}{Description})).' ';
- $HTML .= ''.$Sessions{$SessionID}{Location} .' ';
+ $HTML .= "$Title";
+ $HTML .= ''.$Description.' ';
+ $HTML .= ''.$Location.' ';
$HTML .= ''.TopicListByID({
-linktype => "event", -topicids => $Sessions{$SessionID}{Topics},
-listformat => "br", -listelement => "short", -sortby => "name",
@@ -872,13 +885,15 @@ sub PrintSessionSeparatorInfo ($) {
FetchSessionSeparatorByID($SessionSeparatorID);
my $Link = SessionSeparatorLink( {-sessionseparatorid => $SessionSeparatorID} );
+ my $Description = SmartHTML({-text=>$SessionSeparators{$SessionSeparatorID}{Description}, -addLineBreaks=>$TRUE, -makeURLs=>$TRUE});
+ my $Location = SmartHTML({-text=>$SessionSeparators{$SessionSeparatorID}{Location}});
# DocumentList puts a class on every cell, this only on Date
print " ",EuroDateHM($SessionSeparators{$SessionSeparatorID}{StartTime})," \n";
print "$Link \n";
- print "",URLify(AddLineBreaks($SessionSeparators{$SessionSeparatorID}{Description}))," \n";
- print "",$SessionSeparators{$SessionSeparatorID}{Location}," \n";
+ print "",$Description," \n";
+ print "",$Location," \n";
print ' '; # Topics and Moderators
}
@@ -895,9 +910,9 @@ sub EventGroupLink (%) {
$Link .= $ListAllMeetings."?eventgroupid=".$EventGroupID;
$Link .= "\">";
if ($Format eq "short") {
- $Link .= $EventGroups{$EventGroupID}{ShortDescription};
+ $Link .= SmartHTML( {-text => $EventGroups{$EventGroupID}{ShortDescription}, } );
} else {
- $Link .= $EventGroups{$EventGroupID}{LongDescription};
+ $Link .= SmartHTML( {-text => $EventGroups{$EventGroupID}{LongDescription}, } );
}
$Link .= "";
return $Link;
@@ -931,14 +946,14 @@ sub EventLink (%) {
if ($ToolTipMode eq "Date") {
$ToolTip = EuroDate($Conferences{$EventID}{StartDate});
} else {
- $ToolTip = $Conferences{$EventID}{Full};
+ $ToolTip = SmartHTML( {-text => $Conferences{$EventID}{Full}, } );
}
my $Link = "";
if ($Format eq "long") {
- $Link .= $Conferences{$EventID}{LongDescription};
+ $Link .= SmartHTML( {-text => $Conferences{$EventID}{LongDescription}, } );
} else {
- $Link .= $Conferences{$EventID}{Title};
+ $Link .= SmartHTML( {-text => $Conferences{$EventID}{Title}, } );
}
$Link .= "";
@@ -964,8 +979,8 @@ sub ModifyEventLink ($) {
$URL = "$MeetingModify?conferenceid=$EventID";
}
- my $Title = $Conferences{$EventID}{Title};
- my $ToolTip = $Conferences{$EventID}{Full};
+ my $Title = SmartHTML( {-text => $Conferences{$EventID}{Title}, } );
+ my $ToolTip = SmartHTML( {-text => $Conferences{$EventID}{Full}, } );
my $Link = "";
$Link .= $Title;
@@ -1033,11 +1048,11 @@ sub EventsByGroup (%) {
}
print "";
print "
\n";
diff --git a/DocDB/cgi/SelectGroups b/DocDB/cgi/SelectGroups
index ee76be83..4701c876 100755
--- a/DocDB/cgi/SelectGroups
+++ b/DocDB/cgi/SelectGroups
@@ -3,15 +3,15 @@
# Author: Eric Vaandering
# Date: 22 May 2005
#
-# Allow a user to choose to limit their membership to certain groups
+# Allow a user to choose to limit their membership to certain groups
# for a period of time
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -36,7 +36,7 @@ require "Scripts.pm";
# Start page
$query = new CGI;
-%params = $query -> Vars;
+$query -> autoEscape(0);
$dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
print $query -> header( -charset => $HTTP_ENCODING );
@@ -45,7 +45,7 @@ print $query -> header( -charset => $HTTP_ENCODING );
&EndPage(@ErrorStack);
print "\n";
-
+ my $ShortGroup = SmartHTML( {-text => $EventGroups{$EventGroupID}{ShortDescription}, } );
if ($Mode eq "display") {
- print "$Big$EventGroups{$EventGroupID}{ShortDescription}$EBig\n";
+ print "$Big$ShortGroup$EBig\n";
} else {
- print "$Big$EventGroups{$EventGroupID}{ShortDescription}$EBig\n";
+ print "$Big$ShortGroup$EBig\n";
}
if ($Preferences{Components}{iCal}) {
print ' '.ICalLink({ -eventgroupid => $EventGroupID });
@@ -1134,10 +1149,10 @@ sub EventGroupSelect ($) {
my %Labels = ();
foreach my $EventGroupID (@EventGroupIDs) {
if ($Format eq "full") {
- $Labels{$EventGroupID} = $EventGroups{$EventGroupID}{ShortDescription}.
- ":".$EventGroups{$EventGroupID}{LongDescription};
+ $Labels{$EventGroupID} = SmartHTML({-text => $EventGroups{$EventGroupID}{ShortDescription}},).
+ ":".SmartHTML({-text => $EventGroups{$EventGroupID}{LongDescription}},);
} else {
- $Labels{$EventGroupID} = $EventGroups{$EventGroupID}{ShortDescription};
+ $Labels{$EventGroupID} = SmartHTML({-text => $EventGroups{$EventGroupID}{ShortDescription}},);
}
}
@@ -1176,8 +1191,8 @@ sub EventSelect ($) {
my %Labels = ();
foreach my $ConferenceID (@ConferenceIDs) {
if ($Format eq "full") {
- $Labels{$ConferenceID} = $EventGroups{$Conferences{$ConferenceID}{EventGroupID}}{ShortDescription}.":".
- $Conferences{$ConferenceID}{Title} .
+ $Labels{$ConferenceID} = SmartHTML({-text => $EventGroups{$Conferences{$ConferenceID}{EventGroupID}}{ShortDescription}},).":".
+ SmartHTML({-text => $Conferences{$ConferenceID}{Title}},).
" (".EuroDate($Conferences{$ConferenceID}{StartDate}).")";
}
}
diff --git a/DocDB/cgi/MeetingModify b/DocDB/cgi/MeetingModify
index 28722c24..cd5872ca 100755
--- a/DocDB/cgi/MeetingModify
+++ b/DocDB/cgi/MeetingModify
@@ -7,7 +7,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -25,6 +25,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
use Time::Local;
@@ -32,6 +33,7 @@ require "DocDBGlobals.pm";
require "Messages.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "ResponseElements.pm";
require "FormElements.pm";
require "Sorts.pm";
@@ -47,51 +49,57 @@ require "TopicSQL.pm";
require "WebUtilities.pm";
$query = new CGI; # Global for subroutines
-
-%params = $query -> Vars;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
$query -> delete_all(); # Stop program from caching variable from script to script
-my $Mode = $params{mode};
-my $NoSessions = $params{nosessions};
-
-my $EventGroupID = $params{eventgroups};
-my $Short = $params{shortdesc};
-my $Long = $params{long};
-
-my $ConferenceID = $params{conferenceid};
-my $OffsetDays = $params{offsetdays};
-
-my $StartYear = $params{startyear};
-my $StartMonth = $params{startmonth};
-my $StartDay = $params{startday};
-my $EndYear = $params{endyear};
-my $EndMonth = $params{endmonth};
-my $EndDay = $params{endday};
-my $MeetPreamble = $params{meetpreamble};
-my $MeetEpilogue = $params{meetepilogue};
-my $Location = $params{location};
-my $AltLocation = $params{altlocation};
-my $URL = $params{url};
-my $ShowAllTalks = $params{meetshowall};
-
-my @MeetingViewGroupIDs = split /\0/,$params{meetingviewgroups};
-my @MeetingModifyGroupIDs = split /\0/,$params{meetingmodifygroups};
-my @MeetingTopicIDs = split /\0/,$params{topics};
-my @MeetingModeratorIDs = split /\0/,$params{moderators};
-
-my @SessionYears = split /\0/,$params{sessionyear};
-my @SessionMonths = split /\0/,$params{sessionmonth};
-my @SessionDays = split /\0/,$params{sessionday};
-my @SessionHours = split /\0/,$params{sessiontime};
-my @SessionOrders = split /\0/,$params{sessionorder};
-my @RawSessionSeparators = split /\0/,$params{sessionseparator};
-my @SessionLocations = split /\0/,$params{sessionlocation};
-my @SessionAltLocations = split /\0/,$params{sessionaltlocation};
-my @SessionTitles = split /\0/,$params{sessiontitle};
-my @SessionDescriptions = split /\0/,$params{sessiondescription};
-my @MeetingOrderIDs = split /\0/,$params{meetingorderid};
-my @SessionDeletes = split /\0/,$params{sessiondelete};
-my @SessionShowAlls = split /\0/,$params{sessionshowall};
+my $print = $Untaint -> extract(-as_printable => "subform") || "";
+my $int = $Untaint -> extract(-as_integer => "eventgroups") || 0;
+my $html = $Untaint -> extract(-as_safehtml => "longdesc") || "";
+
+my $Mode = $Untaint -> extract(-as_safehtml => "mode") || "";
+my $NoSessions = $Untaint -> extract(-as_safehtml => "nosessions") || "";
+
+my $EventGroupID = $Untaint -> extract(-as_integer => "eventgroups") || 0;
+my $Short = $Untaint -> extract(-as_safehtml => "shortdesc") || "";
+my $Long = $Untaint -> extract(-as_safehtml => "long") || "";
+
+my $ConferenceID = $Untaint -> extract(-as_integer => "conferenceid") || 0;
+my $OffsetDays = $Untaint -> extract(-as_integer => "offsetdays") || 0;
+
+my $StartYear = $Untaint -> extract(-as_integer => "startyear") || 0;
+my $StartMonth = $Untaint -> extract(-as_safehtml => "startmonth") || "";
+my $StartDay = $Untaint -> extract(-as_integer => "startday") || 0;
+my $EndYear = $Untaint -> extract(-as_integer => "endyear") || 0;
+my $EndMonth = $Untaint -> extract(-as_safehtml => "endmonth") || "";
+my $EndDay = $Untaint -> extract(-as_integer => "endday") || 0;
+
+my $MeetPreamble = $Untaint -> extract(-as_safehtml => "meetpreamble") || "";
+my $MeetEpilogue = $Untaint -> extract(-as_safehtml => "meetepilogue") || "";
+my $Location = $Untaint -> extract(-as_safehtml => "location") || "";
+my $AltLocation = $Untaint -> extract(-as_safehtml => "altlocation") || "";
+my $URL = $Untaint -> extract(-as_safehtml => "url") || "";
+my $ShowAllTalks = $Untaint -> extract(-as_safehtml => "meetshowall") || "";
+
+my @MeetingViewGroupIDs = @{ $Untaint -> extract(-as_listofint => "meetingviewgroups") || undef };
+my @MeetingModifyGroupIDs = @{ $Untaint -> extract(-as_listofint => "meetingmodifygroups") || undef };
+my @MeetingTopicIDs = @{ $Untaint -> extract(-as_listofint => "topics") || undef };
+my @MeetingModeratorIDs = @{ $Untaint -> extract(-as_listofint => "moderators") || undef };
+
+my @SessionYears = @{ $Untaint -> extract(-as_listofint => "sessionyear") || undef };
+my @SessionMonths = @{ $Untaint -> extract(-as_listofhtml => "sessionmonth") || undef };
+my @SessionDays = @{ $Untaint -> extract(-as_listofint => "sessionday") || undef };
+my @SessionHours = @{ $Untaint -> extract(-as_listofhtml => "sessiontime") || undef };
+my @SessionOrders = @{ $Untaint -> extract(-as_listofhtml => "sessionorder") || undef };
+my @RawSessionSeparators = @{ $Untaint -> extract(-as_listofwords => "sessionseparator") || undef };
+
+my @SessionLocations = @{ $Untaint -> extract(-as_listofhtml => "sessionlocation") || undef };
+my @SessionAltLocations = @{ $Untaint -> extract(-as_listofhtml => "sessionaltlocation") || undef };
+my @SessionTitles = @{ $Untaint -> extract(-as_listofhtml => "sessiontitle") || undef };
+my @SessionDescriptions = @{ $Untaint -> extract(-as_listofhtml => "sessiondescription") || undef };
+my @MeetingOrderIDs = @{ $Untaint -> extract(-as_listofwords => "meetingorderid") || undef };
+my @SessionDeletes = @{ $Untaint -> extract(-as_listofwords => "sessiondelete") || undef };
+my @SessionShowAlls = @{ $Untaint -> extract(-as_listofwords => "sessionshowall") || undef };
my $StartDate = "$StartYear-$ReverseAbrvMonth{$StartMonth}-$StartDay";
my $EndDate = "$EndYear-$ReverseAbrvMonth{$EndMonth}-$EndDay";
@@ -206,6 +214,8 @@ foreach my $CheckTitle (@CheckTitles) { # Check session times
}
}
+GetTopics();
+
EndPage();
my $SessionsModified = 0;
@@ -293,34 +303,34 @@ if ($Mode eq "create" || $Mode eq "modify") {
my $SessionSeparatorID = 0;
my $SessionID = 0;
- my @TopicIDs = split /\0/,$params{"sessiontopics-$MeetingOrderID"};
- my @ModeratorIDs = split /\0/,$params{"moderators-$MeetingOrderID"};
+ my @TopicIDs = @{ $Untaint -> extract(-as_listofint => "sessiontopics-$MeetingOrderID") || undef };
+ my @ModeratorIDs = @{ $Untaint -> extract(-as_listofint => "moderators-$MeetingOrderID") || undef };
# Key on MeetingOrderID to see if we are going to insert or update.
if (grep /n/,$MeetingOrderID) {
if ($SessionTitle || $SessionDescription) {
- if ($SessionSeparatorFlags{$MeetingOrderID}) {
- # Create a new separator
- my $SessionSeparatorInsert = $dbh -> prepare(
- "insert into SessionSeparator ".
- "(SessionSeparatorID, ConferenceID, StartTime, Location, Title, Description) ".
- "values (0,?,?,?,?,?)");
- $SessionSeparatorInsert -> execute($ConferenceID,$SessionDate,$SessionLocation,$SessionTitle,$SessionDescription);
- $SessionSeparatorID = $SessionSeparatorInsert -> {mysql_insertid}; # Works with MySQL only
- push @ActionStack,"Created break: $SessionTitle";
- ++$SessionsModified;
- } else {
- # Create a new session
- $SessionID = InsertSession({
- -eventid => $ConferenceID, -date => $SessionDate,
- -title => $SessionTitle, -description => $SessionDescription,
- -location => $SessionLocation, -altlocation => $SessionAltLocation,
- -moderatorids => \@ModeratorIDs, -topicids => \@TopicIDs,
- -showalltalks => $SessionShowAllFlags{$MeetingOrderID},
- });
- push @ActionStack,"Created session: $SessionTitle";
- ++$SessionsModified;
- }
+ if ($SessionSeparatorFlags{$MeetingOrderID}) {
+ # Create a new separator
+ my $SessionSeparatorInsert = $dbh -> prepare(
+ "insert into SessionSeparator ".
+ "(SessionSeparatorID, ConferenceID, StartTime, Location, Title, Description) ".
+ "values (0,?,?,?,?,?)");
+ $SessionSeparatorInsert -> execute($ConferenceID,$SessionDate,$SessionLocation,$SessionTitle,$SessionDescription);
+ $SessionSeparatorID = $SessionSeparatorInsert -> {mysql_insertid}; # Works with MySQL only
+ push @ActionStack,"Created break: $SessionTitle";
+ ++$SessionsModified;
+ } else {
+ # Create a new session
+ $SessionID = InsertSession({
+ -eventid => $ConferenceID, -date => $SessionDate,
+ -title => $SessionTitle, -description => $SessionDescription,
+ -location => $SessionLocation, -altlocation => $SessionAltLocation,
+ -moderatorids => \@ModeratorIDs, -topicids => \@TopicIDs,
+ -showalltalks => $SessionShowAllFlags{$MeetingOrderID},
+ });
+ push @ActionStack,"Created session: $SessionTitle";
+ ++$SessionsModified;
+ }
# Insert the order of the session or separator
my $MeetingOrderInsert = $dbh -> prepare(
"insert into MeetingOrder ".
diff --git a/DocDB/cgi/MeetingSQL.pm b/DocDB/cgi/MeetingSQL.pm
index be8c6776..a309d87f 100644
--- a/DocDB/cgi/MeetingSQL.pm
+++ b/DocDB/cgi/MeetingSQL.pm
@@ -7,7 +7,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -255,6 +255,9 @@ sub FetchEventByEventID { # Fetches an event by EventID
unless ($LimitInfo) {
push @DebugStack,"Getting all info for event $EventID.";
}
+ unless ($EventID) {
+ return 0;
+ }
if ($Conferences{$EventID}{EventGroupID}) { # We already have this one
if ($Conferences{$EventID}{HaveAllInfo} || $LimitInfo) {
return $EventID;
@@ -319,6 +322,9 @@ sub FetchEventByEventID { # Fetches an event by EventID
sub FetchSessionsByConferenceID ($) {
my ($ConferenceID) = @_;
+ unless ($ConferenceID) {
+ return undef;
+ }
my $SessionID;
my @SessionIDs = ();
my $SessionList = $dbh -> prepare(
@@ -366,6 +372,9 @@ sub ClearSessions () {
sub FetchSessionByID ($) {
my ($SessionID) = @_;
+ unless ($SessionID) {
+ return undef;
+ }
if ($Sessions{$SessionID}{TimeStamp}) {
return $SessionID;
}
@@ -631,7 +640,7 @@ sub DeleteEventGroup (%) {
my $Delete = $dbh -> prepare("delete from EventGroup where EventGroupID=?");
$Delete -> execute($EventGroupID);
- push @ActionStack,"Event group $EventGroups{$EventGroupID}{LongDescription} deleted";
+ push @ActionStack,"Event group $EventGroups{$EventGroupID}{LongDescription} deleted";
return 1;
}
@@ -681,7 +690,7 @@ sub DeleteEvent (%) {
$Delete -> execute($EventID);
$DeleteTopic -> execute($EventID);
$DeleteModerator -> execute($EventID);
- push @ActionStack,"Event $Conferences{$EventID}{Title} deleted";
+ push @ActionStack,"Event $Conferences{$EventID}{Title} deleted";
if (@DocRevIDs) {
my $Delete = $dbh -> prepare("delete from RevisionEvent where ConferenceID=?");
$Delete -> execute($EventID);
diff --git a/DocDB/cgi/MeetingSecuritySQL.pm b/DocDB/cgi/MeetingSecuritySQL.pm
index e2dc1fbc..f4a086a3 100644
--- a/DocDB/cgi/MeetingSecuritySQL.pm
+++ b/DocDB/cgi/MeetingSecuritySQL.pm
@@ -4,7 +4,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/MeetingSecurityUtilities.pm b/DocDB/cgi/MeetingSecurityUtilities.pm
index eceac78f..fde0cec8 100644
--- a/DocDB/cgi/MeetingSecurityUtilities.pm
+++ b/DocDB/cgi/MeetingSecurityUtilities.pm
@@ -4,7 +4,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/Messages.pm b/DocDB/cgi/Messages.pm
index 6484633d..7c820237 100644
--- a/DocDB/cgi/Messages.pm
+++ b/DocDB/cgi/Messages.pm
@@ -1,17 +1,17 @@
#
-# Description: Central location for many of the error messages for the DocDB
-# since many programs return the same errors.
+# Description: Central location for many of the error messages for the DocDB
+# since many programs return the same errors.
#
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified: Lynn Garren (garren@fnal.gov)
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,7 +26,7 @@
$Msg_NoConnect = "Unable to connect to the database. Please alert an administrator.";
$Msg_AdminNoConnect = "Unable to connect to the database. Make sure you use the correct password.";
-$Msg_AdminNoLogin = "You must be logged in as the adminstrator to perform this action.";
+$Msg_AdminNoLogin = "You must be logged in as the administrator to perform this action.";
$Msg_AdminNoPass = "You must supply a username and password to perform administration actions.";
$Msg_ModInstEmpty = "You must select an institution to modify or delete.";
@@ -48,8 +48,8 @@ $Msg_DelFullEvent = "This event has associated documents. Not deleted.";
# Messages for document creation, modification, display
-$Msg_DocNoAccess = "Either you are not authorized to view this document
- (with the username and password you supplied)
+$Msg_DocNoAccess = "Either you are not authorized to view this document
+ (with the username and password you supplied)
or the document does not exist.";
@@ -91,6 +91,6 @@ $Msg_WarnModManaged = "Warning: You are about to modify a managed document. This
if (-e "ProjectMessages.pm") {
require "ProjectMessages.pm";
push @DebugStack,"Included Project Messages";
-}
+}
1;
diff --git a/DocDB/cgi/MiscSQL.pm b/DocDB/cgi/MiscSQL.pm
index 7b8a9992..d979fe91 100644
--- a/DocDB/cgi/MiscSQL.pm
+++ b/DocDB/cgi/MiscSQL.pm
@@ -7,7 +7,7 @@
# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ModifyHome b/DocDB/cgi/ModifyHome
index ef919f25..b412deba 100755
--- a/DocDB/cgi/ModifyHome
+++ b/DocDB/cgi/ModifyHome
@@ -1,14 +1,14 @@
#! /usr/bin/env perl
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -20,7 +20,7 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI qw(-nosticky);
+use CGI qw(-nosticky);
use DBI;
require "DocDBGlobals.pm";
@@ -37,6 +37,7 @@ require "SecurityHTML.pm";
require "MeetingSecurityUtilities.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
GetSecurityGroups();
@@ -66,7 +67,7 @@ print "\n";
print "\n";
if ($PersonalAccountLink) {
print " \n";
-print "
\n";
@@ -174,34 +175,34 @@ if (CanCreateMeeting()) {
### Full meeting form
- print "
\n";
-
-### Customized Add/Update form creation form
+
+### Customized Add/Update form creation form
print "\n";
-
+
print $query -> startform('POST',$DocumentAddForm);
#print "
'.
+ push @ErrorStack,'You must check the box near with this statement: \n'.
$Preferences{Options}{SubmitAgree}.
- '
to submit the document.';
+ '\nto submit the document.';
}
### Final checks
@@ -314,13 +361,13 @@ if ($mode eq "add" || $mode eq "update") {
}
}
-@securities = split ("\0",$params{security});
+@securities = @ViewGroupIDs;
if ($EnhancedSecurity) {
- @ModifyGroups = split ("\0",$params{modify});
+ @ModifyGroups = @ModifyGroupIDs;
}
if ($mode eq "add" || $mode eq "update" || $mode eq "updatedb") {
- unless (@authorIDs) {
+ unless (@AuthorIDs) {
push @ErrorStack,"You must supply at least one author for this document.";
}
}
@@ -334,6 +381,10 @@ if ($#securities > 0) {
}
}
+if ($#securities < 0) {
+ @securities = FindUsersGroups();
+}
+
my $ViewCheck = "create"; # Create/view are the same, check for more restrictive
if ($EnhancedSecurity) {
$ViewCheck = "view";
@@ -382,7 +433,7 @@ my $documentID;
if ($mode eq "reserve" || $mode eq "add") {
$documentID = &InsertDocument(-requesterid => $RequesterID, -datetime => $SQL_NOW, -dochash => $UniqueID);
} else {
- $documentID = $params{docid};
+ $documentID = $DocumentID;
}
### Set version number. For reservations, it is "0", for new documents "1". For
@@ -399,8 +450,8 @@ if ($mode eq "reserve") {
$version = $Documents{$documentID}{NVersions} + 1;
} elsif ($mode eq "updatedb") {
&FetchDocument($documentID);
- if (defined $params{version}) {
- $version = $params{version};
+ if (defined $UserVersion) {
+ $version = $UserVersion;
} else {
$version = $Documents{$documentID}{NVersions};
}
@@ -452,7 +503,7 @@ if (@XRefs) {
### Add to authors, topics and securities
my $Count;
-$Count = InsertAuthors( -docrevid => $DocRevID, -authorids => \@authorIDs, -order => $OrderAuthors);
+$Count = InsertAuthors( -docrevid => $DocRevID, -authorids => \@AuthorIDs, -order => $OrderAuthors);
$Count = InsertTopics( -docrevid => $DocRevID, -topicids => \@TopicIDs);
$Count = InsertSecurity(-docrevid => $DocRevID,
-viewids => \@securities,
diff --git a/DocDB/cgi/ProjectGlobals.pm.template b/DocDB/cgi/ProjectGlobals.pm.template
index 708c0dc6..3167fcec 100644
--- a/DocDB/cgi/ProjectGlobals.pm.template
+++ b/DocDB/cgi/ProjectGlobals.pm.template
@@ -9,7 +9,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ProjectMessages.pm.template b/DocDB/cgi/ProjectMessages.pm.template
index f45c49c2..5bffbb9d 100644
--- a/DocDB/cgi/ProjectMessages.pm.template
+++ b/DocDB/cgi/ProjectMessages.pm.template
@@ -5,7 +5,7 @@
# project.
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ProjectRoutines.pm.template b/DocDB/cgi/ProjectRoutines.pm.template
index ca1172a3..28303c80 100644
--- a/DocDB/cgi/ProjectRoutines.pm.template
+++ b/DocDB/cgi/ProjectRoutines.pm.template
@@ -13,7 +13,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ReferenceLinks.pm b/DocDB/cgi/ReferenceLinks.pm
index f6b952dd..4085e0e5 100644
--- a/DocDB/cgi/ReferenceLinks.pm
+++ b/DocDB/cgi/ReferenceLinks.pm
@@ -1,5 +1,5 @@
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ResponseElements.pm b/DocDB/cgi/ResponseElements.pm
index ba55bc7c..4ffe3f2b 100644
--- a/DocDB/cgi/ResponseElements.pm
+++ b/DocDB/cgi/ResponseElements.pm
@@ -7,7 +7,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -24,6 +24,7 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+require "HTMLUtilities.pm";
require "AuthorHTML.pm"; #FIXME: Remove, move references to correct place
require "TopicHTML.pm"; #FIXME: Remove, move references to correct place
require "FileHTML.pm"; #FIXME: Remove, move references to correct place
@@ -31,11 +32,14 @@ require "RevisionHTML.pm"; #FIXME: Remove, move references to correct place
sub PrintTitle {
my ($Title) = @_;
+ my $HTML = "";
if ($Title) {
- print "
\n";
+ print $HTML;
}
sub WarnPage () { # Non-fatal errors
@@ -49,7 +53,7 @@ sub WarnPage () { # Non-fatal errors
request: \n";
}
foreach $message (@WarnStack) {
- print "$Title
\n";
+ $HTML .= SmartHTML( {-text => $Title, } );
} else {
- print "Title: none
\n";
+ $HTML .= "Title: none";
}
+ $HTML .= "\n";
print "
\n";
} elsif ($CheckPoint && $DebugOutput) {
@@ -102,7 +106,7 @@ sub ErrorPage { # Fatal errors, continues page
request:\n";
}
foreach $message (@ErrorStack) {
- print "\n";
print "
\n";
}
@@ -211,9 +215,9 @@ sub TypeLink {
$link .= "";
}
if ($mode eq "short") {
- $link .= $DocumentTypes{$TypeID}{SHORT};
+ $link .= SmartHTML({-text => $DocumentTypes{$TypeID}{SHORT}});
} else {
- $link .= $DocumentTypes{$TypeID}{LONG};
+ $link .= SmartHTML({-text => $DocumentTypes{$TypeID}{LONG}});
}
unless ($Public) {
$link .= "";
diff --git a/DocDB/cgi/RetrieveArchive b/DocDB/cgi/RetrieveArchive
index 482bb784..76a5765f 100755
--- a/DocDB/cgi/RetrieveArchive
+++ b/DocDB/cgi/RetrieveArchive
@@ -7,7 +7,7 @@
# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -27,6 +27,7 @@
# FIXME: No links ask for .tar (might change)
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -35,15 +36,17 @@ require "SecuritySQL.pm";
require "DocumentSQL.pm";
require "FSUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "FileUtilities.pm";
require "Security.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
-
-my $Type = $params{type} ;
-my $DocumentID = $params{docid};
+my $Type = $Untaint -> extract(-as_printable => "type") || "";
+my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0;
+my $InputVersion = $Untaint -> extract(-as_integer => "version") || undef;
unless ($DocumentID) {
push @ErrorStack,"You are must supply a document number!";
@@ -57,8 +60,8 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
&GetSecurityGroups;
&FetchDocument($DocumentID);
-if (defined $params{version}) {
- $Version = $params{version};
+if (defined $InputVersion) {
+ $Version = $InputVersion;
} else {
$Version = $Documents{$DocumentID}{NVersions};
}
@@ -103,14 +106,14 @@ unless (@ErrorStack) {
if ($Type eq "tar.gz") {
if ($GTar) {
- $Status = system("$GTar czf $TmpFile -C $Directory .");
+ $Status = system("$GTar czf $TmpFile --exclude='.htaccess' -C $Directory .");
} elsif ($Tar && $GZip) {
- $Status = system("$Tar cf - $Directory | $GZip > $TmpFile");
+ $Status = system("$Tar cf - --exclude='.htaccess' $Directory | $GZip > $TmpFile");
}
} elsif ($Type eq "tar") {
- $Status = system("$Tar cf $TmpFile $Directory");
+ $Status = system("$Tar cf --exclude='.htaccess' $TmpFile $Directory");
} elsif ($Type eq "zip") {
- $Status = system("$Zip $TmpFile $Directory/*");
+ $Status = system("$Zip $TmpFile $Directory/* -x .htaccess ");
}
if ($Status) {
push @ErrorStack,"There was a problem creating the archive. Please contact an administrator.";
@@ -126,5 +129,6 @@ if (@ErrorStack || @WarnStack) { # There was a problem. Warn the user.
DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
} else {
StreamFile(-file => $TmpFile);
+ unlink($TmpFile);
}
diff --git a/DocDB/cgi/RetrieveFile b/DocDB/cgi/RetrieveFile
index c9cb821a..0f9fad48 100755
--- a/DocDB/cgi/RetrieveFile
+++ b/DocDB/cgi/RetrieveFile
@@ -3,12 +3,12 @@
# Author Eric Vaandering (ewv@fnal.gov)
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -21,6 +21,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -31,26 +32,25 @@ require "RevisionSQL.pm";
require "MiscSQL.pm";
require "FSUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "Security.pm";
require "SQLChecks.pm";
require "RevisionHTML.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
-
-my $DocumentID = $params{docid};
- $DocumentID =~ s/^\s+//; # Remove leading and trailing spaces
- $DocumentID =~ s/\s+$//;
-my $Version = $params{version};
-my $AsOf = $params{asof};
-my $FileName = $params{filename};
-my $Extension = $params{extension};
+my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0;
+my $Version = $Untaint -> extract(-as_integer => "version") || undef;
+my $AsOf = $Untaint -> extract(-as_safehtml => "asof") || undef;
+my $FileName = $Untaint -> extract(-as_printable => "filename") || "";
+my $Extension = $Untaint -> extract(-as_safehtml => "extension") || "";
unless ($DocumentID) {
push @ErrorStack,"You are must supply a document number!";
-}
+}
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
@@ -58,16 +58,16 @@ GetSecurityGroups();
FetchDocument($DocumentID);
-if (defined $Version && defined $AsOf) {
+if ($Version && $AsOf) {
push @ErrorStack,"You may not specify both a version and date.";
}
if (grep /\//,$FileName) {
push @ErrorStack,"File names with / are not allowed for security reasons.";
-}
+}
if (@ErrorStack) { # The user made one or more mistakes, warn and exit
print $query -> header( -charset => $HTTP_ENCODING );
- DocDBHeader("File Retrieve Results");
+ DocDBHeader("File Retrieve Results");
EndPage();
}
@@ -90,12 +90,8 @@ if (defined $Version) {
}
unless (&CanAccess($DocumentID,$Version)) {
- if ($remote_user) {
- push @ErrorStack,"The $remote_user group is not authorized to view this document (or it does not exist).";
- } else {
- push @ErrorStack,"This document is not publicly accessible.";
- }
-}
+ push @ErrorStack,"You are not authorized to view this document (or it does not exist).";
+}
unless ($DocRevID) {
push @ErrorStack,"This document does not exist.";
@@ -103,7 +99,7 @@ unless ($DocRevID) {
if (@ErrorStack) { # The user made one or more mistakes, warn and exit
print $query -> header( -charset => $HTTP_ENCODING );
- &DocDBHeader("File Retrieve Results");
+ &DocDBHeader("File Retrieve Results");
EndPage();
}
@@ -119,14 +115,14 @@ if ($FileName) {
grep /$Extension$/i,$DocFiles{$DocFileID}{NAME}) {
++$NFiles;
$LastFile = $DocFiles{$DocFileID}{NAME};
- }
+ }
}
if ($NFiles == 1) {
$FullFile = &FullFile($DocumentID,$Version,$LastFile);
$FullURL = &GetURLDir($DocumentID,$Version).CGI::escape($LastFile);
} elsif ($NFiles > 1) {
push @WarnStack,"More than one file was found. Please select one below.";
- }
+ }
} else {
&FetchDocFiles($DocRevID);
my $NFiles = 0;
@@ -136,7 +132,7 @@ if ($FileName) {
$DocFiles{$DocFileID}{ROOT}) {
++$NFiles;
$LastFile = $DocFiles{$DocFileID}{NAME};
- }
+ }
}
if ($NFiles == 1) {
$FullFile = &FullFile($DocumentID,$Version,$LastFile);
@@ -145,8 +141,8 @@ if ($FileName) {
push @WarnStack,"More than one file was found. Please select one below.";
} else {
push @WarnStack,"No files were found. Document info is below.";
- }
-}
+ }
+}
unless (-e $FullFile) {
push @WarnStack,"No appropriate file was found.";
@@ -159,7 +155,7 @@ if ($FullFile && ($UserValidation eq "certificate" || $Preferences{Options}{Alwa
print $query -> redirect(-location => $FullURL, -method => 'GET');
} else {
print $query -> header( -charset => $HTTP_ENCODING );
- DocDBHeader("File Retrieve Results");
+ DocDBHeader("File Retrieve Results");
EndPage(@ErrorStack);
PrintRevisionInfo($DocRevID);
diff --git a/DocDB/cgi/RevisionHTML.pm b/DocDB/cgi/RevisionHTML.pm
index ff1cfbd9..06a1e5f4 100644
--- a/DocDB/cgi/RevisionHTML.pm
+++ b/DocDB/cgi/RevisionHTML.pm
@@ -1,12 +1,12 @@
# Name: $RCSfile$
-# Description:
+# Description:
+#
# Revision: $Revision$
# Modified: $Author$ on $Date$
#
# Author: Eric Vaandering (ewv@fnal.gov)
-#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -23,6 +23,8 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+require "HTMLUtilities.pm";
+
sub TitleBox (%) {
my (%Params) = @_;
#FIXME: Get rid of global default
@@ -33,7 +35,8 @@ sub TitleBox (%) {
-helptext => "Title" ,
-required => $Required );
print $ElementTitle,"\n";
- print $query -> textfield (-name => 'title', -default => $TitleDefault,
+ my $SafeDefault = SmartHTML({-text => $TitleDefault},);
+ print $query -> textfield (-name => 'title', -default => $SafeDefault,
-size => 70, -maxlength => 240);
};
@@ -52,14 +55,17 @@ sub AbstractBox (%) {
-helptext => $HelpText ,
-required => $Required );
print $ElementTitle,"\n";
- print $query -> textarea (-name => $Name, -default => $AbstractDefault,
+ my $SafeDefault = SmartHTML({-text => $AbstractDefault},);
+ print $query -> textarea (-name => $Name, -default => $SafeDefault,
-rows => $Rows, -columns => $Columns);
};
sub RevisionNoteBox {
+ # FIXME: Make Javascript OK with SmartHTML
my (%Params) = @_;
my $Default = $Params{-default} || "";
my $JSInsert = $Params{-jsinsert} || "";
+ my $Required = $Params{-required} || 0;
print "";
my $ExtraText = "";
@@ -80,7 +86,8 @@ sub RevisionNoteBox {
-extratext => $ExtraText,
-required => $Required );
print $ElementTitle,"\n";
- print $query -> textarea (-name => 'revisionnote', -default => $Default,
+ my $SafeDefault = SmartHTML({-text => $Default},);
+ print $query -> textarea (-name => 'revisionnote', -default => $SafeDefault,
-columns => 60, -rows => 6);
};
@@ -95,7 +102,7 @@ sub DocTypeButtons (%) {
my %ShortTypes = ();
foreach my $DocTypeID (@DocTypeIDs) {
- $ShortTypes{$DocTypeID} = $DocumentTypes{$DocTypeID}{SHORT};
+ $ShortTypes{$DocTypeID} = SmartHTML({-text=>$DocumentTypes{$DocTypeID}{SHORT}});
}
my $ElementTitle = &FormElementTitle(-helplink => "doctype" ,
@@ -233,9 +240,7 @@ sub PrintAbstract ($;$) {
my $Format = exists $ArgRef->{-format} ? $ArgRef->{-format} : "div";
if ($Abstract) {
- $Abstract = &URLify($Abstract);
- $Abstract =~ s/\n\n/\n";
print "
/g;
+ $pubinfo = SmartHTML( {-text => $pubinfo, -makeURLs => $TRUE, -addLineBreaks => $TRUE} );
print "\n";
print "
\n";
- } else {
+ } else {
print "Accessible by:
\n";
- }
-
+ }
+
print "\n";
if (@GroupIDs) {
foreach $GroupID (@GroupIDs) {
@@ -105,11 +107,11 @@ sub SecurityListByID {
sub ModifyListByID {
my (@GroupIDs) = @_;
-
+
unless ($EnhancedSecurity) {
return;
}
-
+
print "
\n";
print "\n";
@@ -147,22 +149,23 @@ sub SecurityLink ($) {
my $Check = exists $ArgRef->{-check} ? $ArgRef->{-check} : "";
require "Security.pm";
-
+
my %Message = ("view" => "Can't view now", "create" => "Can't modify now");
unless ($GroupID) {
return;
}
-
+
my $Link = " $SecurityGroups{$GroupID}{Description}},);
+ $Link .= '">';
+ $Link .= SmartHTML({-text => $SecurityGroups{$GroupID}{NAME}},);
$Link .= "";
if ($Check && !GroupCan({ -groupid => $GroupID, -action => $Check }) ) {
$Link .= "
(".$Message{$Check}.")";
- }
-
+ }
+
return $Link;
}
diff --git a/DocDB/cgi/SecuritySQL.pm b/DocDB/cgi/SecuritySQL.pm
index 72e24bab..4bb30536 100644
--- a/DocDB/cgi/SecuritySQL.pm
+++ b/DocDB/cgi/SecuritySQL.pm
@@ -1,4 +1,4 @@
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/SelectEmailPrefs b/DocDB/cgi/SelectEmailPrefs
index 5dd32082..67d79e89 100755
--- a/DocDB/cgi/SelectEmailPrefs
+++ b/DocDB/cgi/SelectEmailPrefs
@@ -4,15 +4,15 @@
# changes in e-mail.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -24,9 +24,10 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-use CGI qw(-nosticky);
+use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
-
+
require "DocDBGlobals.pm";
require "ResponseElements.pm";
require "EmailSecurity.pm";
@@ -36,6 +37,7 @@ require "Sorts.pm";
require "SearchFormElements.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "DocumentUtilities.pm";
require "AuthorSQL.pm";
@@ -48,51 +50,56 @@ require "MeetingHTML.pm";
require "TopicHTML.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass);
GetTopics();
GetAuthors();
-%params = $query -> Vars;
+my $Untaint = CGI::Untaint -> new($query -> Vars);
# Collect parameters
-my $Mode = $params{mode};
-my $UserName = $params{username};
-my $Password = $params{password};
-my $NewPass = $params{newpass};
-my $ConfNewPass = $params{confnewpass};
- $Digest = $params{digest};
+my $Mode = $Untaint -> extract(-as_safehtml => "mode") || "";
+my $UserName = $Untaint -> extract(-as_safehtml => "username") || "";
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $NewPass = $Untaint -> extract(-as_printable => "newpass") || "";
+my $ConfNewPass = $Untaint -> extract(-as_printable => "confnewpass") || "";
+my $Digest = $Untaint -> extract(-as_safehtml => "digest") || "";
+
+my $Name = $Untaint -> extract(-as_safehtml => "name") || "";
+my $Email = $Untaint -> extract(-as_safehtml => "email") || "";
+my $HTML = $Untaint -> extract(-as_safehtml => "html") || "";
-my @ImmediateEventGroupIDs = split /\0/,$params{immediate_eventgroups};
-my @DailyEventGroupIDs = split /\0/,$params{daily_eventgroups};
-my @WeeklyEventGroupIDs = split /\0/,$params{weekly_eventgroups};
+my @ImmediateEventGroupIDs = @{ $Untaint -> extract(-as_listofint => "immediate_eventgroups") || undef };
+my @DailyEventGroupIDs = @{ $Untaint -> extract(-as_listofint => "daily_eventgroups") || undef };
+my @WeeklyEventGroupIDs = @{ $Untaint -> extract(-as_listofint => "weekly_eventgroups") || undef };
-my @ImmediateEventIDs = split /\0/,$params{immediate_events};
-my @DailyEventIDs = split /\0/,$params{daily_events};
-my @WeeklyEventIDs = split /\0/,$params{weekly_events};
+my @ImmediateEventIDs = @{ $Untaint -> extract(-as_listofint => "immediate_events") || undef };
+my @DailyEventIDs = @{ $Untaint -> extract(-as_listofint => "daily_events") || undef };
+my @WeeklyEventIDs = @{ $Untaint -> extract(-as_listofint => "weekly_events") || undef };
-my @ImmediateTopicIDs = split /\0/,$params{immediate_topics};
-my @DailyTopicIDs = split /\0/,$params{daily_topics};
-my @WeeklyTopicIDs = split /\0/,$params{weekly_topics};
+my @ImmediateTopicIDs = @{ $Untaint -> extract(-as_listofint => "immediate_topics") || undef };
+my @DailyTopicIDs = @{ $Untaint -> extract(-as_listofint => "daily_topics") || undef };
+my @WeeklyTopicIDs = @{ $Untaint -> extract(-as_listofint => "weekly_topics") || undef };
-my @ImmediateAuthorIDs = split /\0/,$params{immediate_authors};
-my @DailyAuthorIDs = split /\0/,$params{daily_authors};
-my @WeeklyAuthorIDs = split /\0/,$params{weekly_authors};
+my @ImmediateAuthorIDs = @{ $Untaint -> extract(-as_listofint => "immediate_authors") || undef };
+my @DailyAuthorIDs = @{ $Untaint -> extract(-as_listofint => "daily_authors") || undef };
+my @WeeklyAuthorIDs = @{ $Untaint -> extract(-as_listofint => "weekly_authors") || undef };
-my $ImmediateAll = $params{immediate_all};
-my $DailyAll = $params{daily_all};
-my $WeeklyAll = $params{weekly_all};
+my $ImmediateAll = $Untaint -> extract(-as_safehtml => "immediate_all") || "";
+my $DailyAll = $Untaint -> extract(-as_safehtml => "daily_all") || "";
+my $WeeklyAll = $Untaint -> extract(-as_safehtml => "weekly_all") || "";
-my $ImmediateKeywords = $params{immediate_keywords};
-my $DailyKeywords = $params{daily_keywords};
-my $WeeklyKeywords = $params{weekly_keywords};
+my $ImmediateKeywords = $Untaint -> extract(-as_safehtml => "immediate_keywords") || "";
+my $DailyKeywords = $Untaint -> extract(-as_safehtml => "daily_keywords") || "";
+my $WeeklyKeywords = $Untaint -> extract(-as_safehtml => "weekly_keywords") || "";
$ImmediateKeywords =~ s/,/ /g; my @ImmediateKeywords = split /\s+/,$ImmediateKeywords;
$DailyKeywords =~ s/,/ /g; my @DailyKeywords = split /\s+/,$DailyKeywords ;
$WeeklyKeywords =~ s/,/ /g; my @WeeklyKeywords = split /\s+/,$WeeklyKeywords ;
-my $ImmediateDocuments = $params{immediate_documents};
+my $ImmediateDocuments = $Untaint -> extract(-as_safehtml => "immediate_documents") || "";
$ImmediateDocuments =~ s/,/ /g; my @ImmediateDocuments = split /\s+/,$ImmediateDocuments;
$UserName =~ s/\s+//g;
@@ -104,7 +111,7 @@ if (($NewPass || $ConfNewPass) && ($NewPass ne $ConfNewPass)) {
}
if ($Mode eq "newuser") {
- my $PassConf = $params{passconf};
+ my $PassConf = $Untaint -> extract(-as_printable => "passconf") || "";
$PassConf =~ s/\s+//g;
# Do the passwords match, is there a password
@@ -128,7 +135,7 @@ if ($Mode eq "newuser") {
}
# Start the page
-
+
print $query -> header( -charset => $HTTP_ENCODING );
DocDBHeader("Update Notification Preferences","",-scripts => ["PopUps"]); # Prob need specialized header
@@ -143,7 +150,7 @@ if ($Mode eq "newuser") {
print "\n";
EndPage();
} else { # Everything OK, lets create the user
- srand (time ^ $$ ^ unpack "%32L*", `ps axww`);
+ srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`);
my $Salt = ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]).
((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]);
@@ -159,13 +166,13 @@ if ($Mode eq "newuser") {
# Make the user part of the group who's httpd password they've used.
my $EmailUserID = $UserInsert -> {mysql_insertid}; # Works with MySQL only
- my $GroupID = FetchSecurityGroupByName($remote_user);
- my $EmailUserInsert = $dbh -> prepare("insert into UsersGroup (UsersGroupID,EmailUserID,GroupID) values (0,?,?)");
+ my $GroupID = FetchSecurityGroupByName($remote_user);
+ my $EmailUserInsert = $dbh -> prepare("insert into UsersGroup (UsersGroupID,EmailUserID,GroupID) values (0,?,?)");
$EmailUserInsert -> execute($EmailUserID,$GroupID);
- print "User $UserName created as a member of $remote_user group.
- Do not forget your password, there is no way to retrieve it.
\n";
print "\n";
-print " You are watching these individual documents:
\n";
}
my %FieldList = PrepareFieldList(-default => "Default");
-my $NDocs = DocumentTable(-fieldlist => \%FieldList, -docids => \@WatchDocumentIDs, -sortby => 'docid');
+my $NDocs = DocumentTable(-fieldlist => \%FieldList, -docids => \@WatchDocumentIDs, -sortby => 'docid');
print "\n";
print "
\n";
print "";
@@ -363,53 +366,53 @@ print " Notification by Topics
\n";
print "
\n";
print "\n";
-TopicScroll({ -helptext => "Immediate", -helplink => "notifytopic",
- -itemformat => "short", -multiple => $TRUE,
+TopicScroll({ -helptext => "Immediate", -helplink => "notifytopic",
+ -itemformat => "short", -multiple => $TRUE,
-name => "immediate_topics",
-default => $Notifications{$EmailUserID}{Topic_Immediate},
- });
-print " \n";
-TopicScroll({ -helptext => "Daily", -helplink => "notifytopic",
- -itemformat => "short", -multiple => $TRUE,
+ });
+print " \n";
+TopicScroll({ -helptext => "Daily", -helplink => "notifytopic",
+ -itemformat => "short", -multiple => $TRUE,
-name => "daily_topics",
-default => $Notifications{$EmailUserID}{Topic_Daily},
- });
-print " \n";
-TopicScroll({ -helptext => "Weekly", -helplink => "notifytopic",
- -itemformat => "short", -multiple => $TRUE,
+ });
+print " \n";
+TopicScroll({ -helptext => "Weekly", -helplink => "notifytopic",
+ -itemformat => "short", -multiple => $TRUE,
-name => "weekly_topics",
-default => $Notifications{$EmailUserID}{Topic_Weekly},
- });
-print " \n";
+ });
+print " \n";
EmailAllForm({ -name => "immediate_all", -default => $Notifications{$EmailUserID}{AllDocuments_Immediate} });
-print " ";
+print " ";
EmailAllForm({ -name => "daily_all", -default => $Notifications{$EmailUserID}{AllDocuments_Daily} });
-print " ";
+print " ";
EmailAllForm({ -name => "weekly_all", -default => $Notifications{$EmailUserID}{AllDocuments_Weekly} });
print " Notification by Authors
\n";
print "
\n";
@@ -417,28 +420,28 @@ print "\n";
-print " ";
-AuthorScroll(-helptext => "Immediate", -helplink => "notifyauthor",
- -multiple => $TRUE,
+print " ";
+AuthorScroll(-helptext => "Immediate", -helplink => "notifyauthor",
+ -multiple => $TRUE,
-name => "immediate_authors",
-default => $Notifications{$EmailUserID}{Author_Immediate},
- );
+ );
print " \n";
-print "";
-AuthorScroll(-helptext => "Daily", -helplink => "notifyauthor",
- -multiple => $TRUE,
+print " ";
+AuthorScroll(-helptext => "Daily", -helplink => "notifyauthor",
+ -multiple => $TRUE,
-name => "daily_authors",
-default => $Notifications{$EmailUserID}{Author_Daily},
- );
+ );
print " \n";
-print "";
-AuthorScroll(-helptext => "Weekly", -helplink => "notifyauthor",
- -multiple => $TRUE,
+print " ";
+AuthorScroll(-helptext => "Weekly", -helplink => "notifyauthor",
+ -multiple => $TRUE,
-name => "weekly_authors",
-default => $Notifications{$EmailUserID}{Author_Weekly},
- );
+ );
print " \n";
print "Notification by Events
\n";
print "
\n";
@@ -447,13 +450,13 @@ print "\n";\
print " ",FormElementTitle(-helptext => "Immediate", -helplink => "notifyevent")," ";
print "";
-EventGroupSelect( {-multiple => $TRUE, -name => "immediate_eventgroups",
+EventGroupSelect( {-multiple => $TRUE, -name => "immediate_eventgroups",
-helplink => "", -default => $Notifications{$EmailUserID}{EventGroup_Immediate}} );
print " ";
-EventSelect( {-multiple => $TRUE, -name => "immediate_events",
+EventSelect( {-multiple => $TRUE, -name => "immediate_events",
-helplink => "", -default => $Notifications{$EmailUserID}{Event_Immediate}} );
print " ";
print "";
print " ",FormElementTitle(-helptext => "Daily", -helplink => "notifyevent")," ";
print "";
-EventGroupSelect( {-multiple => $TRUE, -name => "daily_eventgroups",
+EventGroupSelect( {-multiple => $TRUE, -name => "daily_eventgroups",
-helplink => "", -default => $Notifications{$EmailUserID}{EventGroup_Daily}} );
print " ";
-EventSelect( {-multiple => $TRUE, -name => "daily_events",
+EventSelect( {-multiple => $TRUE, -name => "daily_events",
-helplink => "", -default => $Notifications{$EmailUserID}{Event_Daily}} );
print " ";
print "";
print " ",FormElementTitle(-helptext => "Weekly", -helplink => "notifyevent")," ";
print "";
-EventGroupSelect( {-multiple => $TRUE, -name => "weekly_eventgroups",
+EventGroupSelect( {-multiple => $TRUE, -name => "weekly_eventgroups",
-helplink => "", -default => $Notifications{$EmailUserID}{EventGroup_Weekly}} );
print " ";
-EventSelect( {-multiple => $TRUE, -name => "weekly_events",
+EventSelect( {-multiple => $TRUE, -name => "weekly_events",
-helplink => "", -default => $Notifications{$EmailUserID}{Event_Weekly}} );
print " ";
print "Notification by Keywords
\n";
print "\n";
print "
\n";
@@ -461,7 +464,7 @@ print "\n";
-EmailKeywordForm({ -name => "immediate_keywords", -period => "Immediate",
+EmailKeywordForm({ -name => "immediate_keywords", -period => "Immediate",
-default => $Notifications{$EmailUserID}{Keyword_Immediate}, });
print " \n";
-EmailKeywordForm({ -name => "daily_keywords", -period => "Daily",
+EmailKeywordForm({ -name => "daily_keywords", -period => "Daily",
-default => $Notifications{$EmailUserID}{Keyword_Daily}, });
print " \n";
-EmailKeywordForm({ -name => "weekly_keywords", -period => "Weekly",
+EmailKeywordForm({ -name => "weekly_keywords", -period => "Weekly",
-default => $Notifications{$EmailUserID}{Keyword_Weekly}, });
print " Notification for Individual Documents
\n";
print "\n";
-TextArea(-name => "immediate_documents", -helptext => "Immediate", -helplink => "notifydocument",
+TextArea(-name => "immediate_documents", -helptext => "Immediate", -helplink => "notifydocument",
-columns => 80, -default => join ' ',sort numerically @{$Notifications{$EmailUserID}{Document_Immediate}});
print " Using this page, you can remove groups whose permissions you don't want to use
\n";
-
+
print $query -> startform('POST',$SetGroups);
print "\n";
@@ -57,15 +57,15 @@ my @RawGroupIDs = &FindUsersGroups(-ignorecookie => $TRUE);
print "
';
print $query -> end_multipart_form;
@@ -163,9 +163,9 @@ WarnPage();
%XSearchDocs = %FoundDocuments; # Make global for search
my @Documents = reverse sort XSearchDocsByRelevance keys %FoundDocuments;
-%XSearchDocs = ();
+%XSearchDocs = ();
-# Print document table
+# Print document table
if (@Documents) {
print '\n";
my @Times = ("session",1,7,30,365);
-my %Labels = ("session" => "This session",
+my %Labels = ("session" => "This session",
1 => "One day",
7 => "One week",
30 => "One month",
365 => "One year");
print "Limit for:
\n";
-
-print $query -> popup_menu (-name => 'duration',
+
+print $query -> popup_menu (-name => 'duration',
-values => \@Times,
-labels => \%Labels);
print "\n";
diff --git a/DocDB/cgi/SelectPrefs b/DocDB/cgi/SelectPrefs
index 6b58fd06..55e49bad 100755
--- a/DocDB/cgi/SelectPrefs
+++ b/DocDB/cgi/SelectPrefs
@@ -3,12 +3,12 @@
# Author: Adam Bryant
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -38,6 +38,7 @@ require "AuthorHTML.pm";
# Start page
$query = new CGI;
+$query -> autoEscape(0);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
GetAuthors();
print $query -> header( -charset => $HTTP_ENCODING );
diff --git a/DocDB/cgi/SessionModify b/DocDB/cgi/SessionModify
index c3daad42..620c955d 100755
--- a/DocDB/cgi/SessionModify
+++ b/DocDB/cgi/SessionModify
@@ -8,7 +8,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -26,6 +26,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -40,6 +41,7 @@ require "Utilities.pm";
require "EventUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "MeetingSecurityUtilities.pm";
require "TalkHintUtilities.pm";
require "WebUtilities.pm";
@@ -54,58 +56,61 @@ require "MeetingSQL.pm";
require "TalkHintSQL.pm";
require "TalkSQL.pm";
+require "TopicSQL.pm";
+
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
&GetPrefsCookie;
&SetAuthorMode;
### Gather parameters
-%params = $query -> Vars;
+my $Untaint = CGI::Untaint -> new($query -> Vars);
$query -> delete_all(); # Stop program from caching variable from script to script
-my $SessionID = $params{sessionid};
-my $Mode = $params{mode};
-my $SingleSession = $params{singlesession};
+my $SessionID = $Untaint -> extract(-as_integer => "sessionid") || 0;
+my $Mode = $Untaint -> extract(-as_safehtml => "mode") || "";
+my $SingleSession = $Untaint -> extract(-as_safehtml => "singlesession") || "";
-my $SessionTitle = $params{sessiontitle};
-my $SessionDescription = $params{sessiondescription};
-my $SessionLocation = $params{sessionlocation};
-my $SessionAltLocation = $params{sessionaltlocation};
-my $ShowAllTalks = $params{meetshowall};
+my $SessionTitle = $Untaint -> extract(-as_safehtml => "sessiontitle") || "";
+my $SessionDescription = $Untaint -> extract(-as_safehtml => "sessiondescription") || "";
+my $SessionLocation = $Untaint -> extract(-as_safehtml => "sessionlocation") || "";
+my $SessionAltLocation = $Untaint -> extract(-as_safehtml => "sessionaltlocation") || "";
+my $ShowAllTalks = $Untaint -> extract(-as_safehtml => "meetshowall") || "";
if ($ShowAllTalks) {
$ShowAllTalks = $TRUE;
}
-my $SessionDay = $params{sessionday};
-my $SessionMonth = $params{sessionmonth};
-my $SessionYear = $params{sessionyear};
-my $SessionHour = $params{sessiontime};
-
-my @SessionOrderIDs = split /\0/,$params{sessionorderid};
-my @TalkOrders = split /\0/,$params{talkorder};
-my @TalkTitles = split /\0/,$params{talktitle};
-my @TalkNotes = split /\0/,$params{talknote};
-my @TalkTimes = split /\0/,$params{talktime};
-my @TalkSeparators = split /\0/,$params{talkseparator};
-my @TalkDeletes = split /\0/,$params{talkdelete};
-my @TalkConfirms = split /\0/,$params{talkconfirm};
-my @TalkReserves = split /\0/,$params{talkreserve};
-my @TimeStamps = split /\0/,$params{timestamp};
+my $SessionDay = $Untaint -> extract(-as_integer => "sessionday") || 0;
+my $SessionMonth = $Untaint -> extract(-as_safehtml => "sessionmonth") || "";
+my $SessionYear = $Untaint -> extract(-as_integer => "sessionyear") || 0;
+my $SessionHour = $Untaint -> extract(-as_safehtml => "sessiontime") || 0;
+
+my @SessionOrderIDs = @{ $Untaint -> extract(-as_listofhtml => "sessionorderid") || undef };
+my @TalkOrders = @{ $Untaint -> extract(-as_listofhtml => "talkorder") || undef };
+my @TalkTitles = @{ $Untaint -> extract(-as_listofhtml => "talktitle") || undef };
+my @TalkNotes = @{ $Untaint -> extract(-as_listofhtml => "talknote") || undef };
+my @TalkTimes = @{ $Untaint -> extract(-as_listofhtml => "talktime") || undef };
+my @TalkSeparators = @{ $Untaint -> extract(-as_listofhtml => "talkseparator") || undef };
+my @TalkDeletes = @{ $Untaint -> extract(-as_listofhtml => "talkdelete") || undef };
+my @TalkConfirms = @{ $Untaint -> extract(-as_listofhtml => "talkconfirm") || undef };
+my @TalkReserves = @{ $Untaint -> extract(-as_listofhtml => "talkreserve") || undef };
+my @TimeStamps = @{ $Untaint -> extract(-as_listofhtml => "timestamp") || undef };
# For single session mode
-my $EventID = $params{eventid};
-my $Location = $params{location};
-my $AltLocation = $params{altlocation};
-my $URL = $params{url};
-my $EventGroupID = $params{eventgroups};
-my $Short = $params{shortdesc};
-my $Long = $params{long};
-my @MeetingViewGroupIDs = split /\0/,$params{meetingviewgroups};
-my @MeetingModifyGroupIDs = split /\0/,$params{meetingmodifygroups};
-my @TopicIDs = split /\0/,$params{topics};
-my @ModeratorIDs = split /\0/,$params{moderators};
+my $EventID = $Untaint -> extract(-as_integer => "eventid") || 0;
+my $Location = $Untaint -> extract(-as_safehtml => "location") || "";
+my $AltLocation = $Untaint -> extract(-as_safehtml => "altlocation") || "";
+my $URL = $Untaint -> extract(-as_safehtml => "url") || "";
+my $EventGroupID = $Untaint -> extract(-as_integer => "eventgroups") || 0;
+my $Short = $Untaint -> extract(-as_safehtml => "shortdesc") || "";
+my $Long = $Untaint -> extract(-as_safehtml => "long") || "";
+my @MeetingViewGroupIDs = @{ $Untaint -> extract(-as_listofint => "meetingviewgroups") || undef };
+my @MeetingModifyGroupIDs = @{ $Untaint -> extract(-as_listofint => "meetingmodifygroups") || undef };
+my @TopicIDs = @{ $Untaint -> extract(-as_listofint => "topics") || undef };
+my @ModeratorIDs = @{ $Untaint -> extract(-as_listofint => "moderators") || undef };
unless ($Long) {$Long = $Short;}
@@ -194,6 +199,9 @@ if ($SessionID) {
push @ErrorStack,"You must specify a session or event to modify. You probably arrived
here by error.";
}
+
+GetTopics();
+
EndPage();
if ($SingleSession && $EventID) { # Grab single session ID in single session mode
@@ -290,16 +298,14 @@ if ($Mode eq "modify" || $Mode eq "create") {
my $TalkConfirmed = $TalkConfirmFlags{$SessionOrderID};
my $TalkReserve = $TalkReserveFlags{$SessionOrderID};
- my $TalkDocID = $params{"talkdocid-$SessionOrderID"};
- my $NewSessionID = $params{"newsessionid-$SessionOrderID"};
-
- my @TopicHints = split /\0/,$params{"topics-$SessionOrderID"};
- my @AuthorHints = ();
- if ($params{"authors-$SessionOrderID"}) {
- @AuthorHints = split /\0/,$params{"authors-$SessionOrderID"};
- } elsif ($params{"authortext-$SessionOrderID"}) {
+ my $TalkDocID = $Untaint -> extract(-as_integer => "talkdocid-$SessionOrderID") || 0;
+ my $NewSessionID = $Untaint -> extract(-as_integer => "newsessionid-$SessionOrderID") || 0;
+
+ my @TopicHints = @{ $Untaint -> extract(-as_listofint => "topics-$SessionOrderID") || undef };
+ my @AuthorHints = @{ $Untaint -> extract(-as_listofint => "authors-$SessionOrderID") || undef };
+ my $AuthorText = $Untaint -> extract(-as_safehtml => "authortext-$SessionOrderID") || "";
+ if (!@AuthorHints && $AuthorText) {
require "AuthorSQL.pm";
- my $AuthorText = $params{"authortext-$SessionOrderID"};
@AuthorHints = ProcessManualAuthors($AuthorText);
}
diff --git a/DocDB/cgi/SetGroups b/DocDB/cgi/SetGroups
index 05eaae4f..9989ef7b 100755
--- a/DocDB/cgi/SetGroups
+++ b/DocDB/cgi/SetGroups
@@ -6,7 +6,7 @@
# Allow a user to choose to limit their membership to certain groups
# for a period of time
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -25,22 +25,25 @@
use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "ResponseElements.pm";
require "Cookies.pm";
# Start page
-$query = new CGI;
-%params = $query -> Vars;
+$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
my @cookies = ();
-my $Duration = $params{duration};
-my @GroupIDs = split /\0/,$params{groups};
+my $Duration = $Untaint -> extract(-as_safehtml => "duration") || "";
+my @GroupIDs = @{ $Untaint -> extract(-as_listofint => "groups") || undef };
unless (@GroupIDs) {
@GroupIDs = (-1);
}
diff --git a/DocDB/cgi/SetPrefs b/DocDB/cgi/SetPrefs
index 7a3bc249..511db715 100755
--- a/DocDB/cgi/SetPrefs
+++ b/DocDB/cgi/SetPrefs
@@ -9,7 +9,7 @@
# Author: Adam Bryant
# Date: 24 March 2002
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/ShowCalendar b/DocDB/cgi/ShowCalendar
index dd0b6acf..b6a3a31d 100755
--- a/DocDB/cgi/ShowCalendar
+++ b/DocDB/cgi/ShowCalendar
@@ -9,7 +9,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -32,12 +32,14 @@
use Benchmark; $StartTime = new Benchmark;
use CGI;
+use CGI::Untaint;
use DBI;
use DateTime;
require "DocDBGlobals.pm";
require "DBUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "ResponseElements.pm";
require "MeetingSecurityUtilities.pm";
@@ -48,13 +50,13 @@ require "MeetingHTML.pm";
require "MeetingSQL.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-my %Params = $query -> Vars;
-
-my $Day = $Params{day} || 0;
-my $Month = $Params{month} || 0;
-my $Year = $Params{year} || 0;
-my $TodayOnly = $Params{todayonly} || 0;
+my $Day = $Untaint -> extract(-as_integer => "day") || 0;
+my $Month = $Untaint -> extract(-as_integer => "month") || 0;
+my $Year = $Untaint -> extract(-as_integer => "year") || 0;
+my $TodayOnly = $Untaint -> extract(-as_safehtml => "todayonly") || "";
CreateConnection();
@@ -69,7 +71,7 @@ my $WindowStart;
my $WindowEnd;
my $WindowDays;
my $EventTableStart;
-my $Today = DateTime -> now(time_zone => 'local');
+my $Today = DateTime -> now(time_zone => $LocalTimezone);
push @DebugStack, "Today is ".$Today -> iso8601;
diff --git a/DocDB/cgi/ShowDocument b/DocDB/cgi/ShowDocument
index 27e37875..ea66b792 100755
--- a/DocDB/cgi/ShowDocument
+++ b/DocDB/cgi/ShowDocument
@@ -1,14 +1,17 @@
#! /usr/bin/env perl
#
-# Author Eric Vaandering (ewv@fnal.gov)
+# Name: ShowDocument
+# Description: Display a document, its metadata, links to other versions and links to the files
#
+# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -21,6 +24,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
use CGI;
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -30,6 +34,7 @@ require "DocumentSQL.pm";
require "RevisionSQL.pm";
require "FSUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "Security.pm";
require "Scripts.pm";
require "SQLChecks.pm";
@@ -37,21 +42,18 @@ require "SQLChecks.pm";
require "RevisionHTML.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
-
- $DocumentID = $params{docid};
- $DocumentID =~ s/^\s+//; # Remove leading and trailing spaces
- $DocumentID =~ s/\s+$//;
- $Version = $params{version};
- $AsOf = $params{asof};
-my $OutFormat = $params{outformat} || "HTML";
+ $DocumentID = $Untaint -> extract(-as_typedint => "docid") || 0;
+ $Version = $Untaint -> extract(-as_typedint => "version") || undef;
+ $AsOf = $Untaint -> extract(-as_safehtml => "asof") || undef;
+my $OutFormat = $Untaint -> extract(-as_safehtml => "outformat") || "HTML";
$OutFormat =~ tr/[a-z]/[A-Z]/;
-
unless ($DocumentID) {
push @ErrorStack,"You are must supply a document number!";
-}
+}
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
@@ -89,8 +91,8 @@ if (&CanAccess($DocumentID,$Version)) {
push @ErrorStack,"The $remote_user group is not authorized to view this document (or it does not exist).";
} else {
push @ErrorStack,"This document is not publicly accessible.";
- }
-}
+ }
+}
# Print appropriate header
@@ -98,7 +100,7 @@ if ($OutFormat eq 'XML') {
require "XMLOutput.pm";
unless ($NoXMLHead) {
print XMLHeader();
- }
+ }
NewXMLOutput();
} else {
print $query -> header( -charset => $HTTP_ENCODING );
@@ -113,13 +115,13 @@ unless ($DocRevID) { # Probably never executed since CanAccess fails.
if ($OutFormat eq 'XML') {
my %XMLDisplay = ("All" => $TRUE);
- my $DocumentXML = DocumentXMLOut( {-docid => $DocRevisions{$DocRevID}{DOCID},
- -version => $DocRevisions{$DocRevID}{Version},
- -display => \%XMLDisplay,
+ my $DocumentXML = DocumentXMLOut( {-docid => $DocRevisions{$DocRevID}{DOCID},
+ -version => $DocRevisions{$DocRevID}{Version},
+ -display => \%XMLDisplay,
} );
if ($DocumentXML) {
$DocumentXML -> paste(last_child => $DocDBXML);
- }
+ }
} else {
EndPage();
PrintRevisionInfo($DocRevID, -showversions => 1);
diff --git a/DocDB/cgi/ShowTalkNote b/DocDB/cgi/ShowTalkNote
index 5b350cd6..ac11b989 100755
--- a/DocDB/cgi/ShowTalkNote
+++ b/DocDB/cgi/ShowTalkNote
@@ -7,12 +7,12 @@
# Revision: $Revision$
# Modified: $Author$ on $Date$
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,7 +26,8 @@
# FIXME: XHTML
-use CGI qw(-nosticky);
+use CGI qw(-nosticky);
+use CGI::Untaint;
use DBI;
require "DocDBGlobals.pm";
@@ -36,6 +37,7 @@ require "ResponseElements.pm";
require "Security.pm";
require "MeetingSecurityUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "DocumentSQL.pm";
require "RevisionSQL.pm";
@@ -51,16 +53,17 @@ require "TalkHTML.pm";
require "AuthorHTML.pm";
require "TopicHTML.pm";
-$query = new CGI;
-%params = $query -> Vars;
+$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-my $SessionOrderID = $params{sessionorderid};
+my $SessionOrderID = $Untaint -> extract(-as_integer => "sessionorderid") || 0;
$dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
unless ($dbh) {
push @ErrorStack,$Msg_NoConnect;
-}
+}
EndPage();
# FIXME: XHTML
@@ -85,7 +88,7 @@ if ($SessionOrders{$SessionOrderID}{SessionTalkID}) {
$Confirmed = $SessionTalks{$SessionTalkID}{Confirmed} ;
$SessionID = $SessionTalks{$SessionTalkID}{SessionID};
# Get hints and convert to format accepted by scrolling lists
-
+
my @TopicHintIDs = &FetchTopicHintsBySessionTalkID($SessionTalkID);
foreach my $TopicHintID (@TopicHintIDs) {
push @TalkDefaultTopicHints,$TopicHints{$TopicHintID}{TopicID};
@@ -97,7 +100,7 @@ if ($SessionOrders{$SessionOrderID}{SessionTalkID}) {
} elsif ($SessionOrders{$SessionOrderID}{TalkSeparatorID}) {
$TalkSeparatorID = $SessionOrders{$SessionOrderID}{TalkSeparatorID};
FetchTalkSeparatorByID($TalkSeparatorID);
-
+
$TalkDefaultConfirmed = "";
$TalkDefaultTime = $TalkSeparators{$TalkSeparatorID}{Time} || "00:30";
$TalkDefaultTitle = $TalkSeparators{$TalkSeparatorID}{Title} || "";
@@ -126,31 +129,31 @@ if ($Confirmed && $DocumentID) {
$BestTitle = $DocRevisions{$DocRevID}{Title};
$UpdateLink = $DocumentAddForm."?mode=update&docid=$DocumentID";
} else {
- $BestTitle = $SessionTalks{$SessionTalkID}{HintTitle};
+ $BestTitle = $SessionTalks{$SessionTalkID}{HintTitle};
}
-
+
# Start page
print $query -> header( -charset => $HTTP_ENCODING );
DocDBHeader("Notes for $BestTitle","",-nobody => $TRUE, -scripts => ["PopUps"]);
EndPage();
-print " Use this form to edit the agenda information for a single talk or break.
+print "
Use this form to edit the agenda information for a single talk or break.
This does not change the information for the associated document, if any. ";
if ($UpdateLink) {
- print "You may change that info also.";
-}
+ print "You may change that info also.";
+}
print "
\n";
-### Form to change Agenda Info
-
+### Form to change Agenda Info
+
print $query -> start_multipart_form('POST',$EditTalkInfo);
print '';
print "
\n";
# Print Search Table
@@ -136,7 +136,7 @@ print $Table;
print '\n";
print " ",FormElementTitle(-helplink => "talkinfo", -helptext => "Title")," \n";
-print '';
-$query -> param('sessionorderid',$SessionOrderID);
+print ' ';
+my $SessionOrderID = $Untaint -> extract(-as_integer => "sessionorderid") || $SessionOrderID;
print $query -> hidden(-name => 'sessionorderid', -default => $SessionOrderID),"\n";
TalkTitle($TalkDefaultTitle);
print " \n";
@@ -159,23 +162,23 @@ print "\n";
if ($SessionTalkID) {
print " ",FormElementTitle(-helplink => "talkdocid", -helptext => "Document #")," \n";
print '';
- TextField(-name => "docid", -size => 6, -maxlength => 6, -default => $DocumentID);
- TalkConfirm($SessionOrderID);
- print " \n";
+ TextField(-name => "docid", -size => 6, -maxlength => 6, -default => $DocumentID);
+ TalkConfirm($SessionOrderID);
+ print " \n";
}
print " ",FormElementTitle(-helplink => "talktime", -helptext => "Time")," \n";
-print '';
-TalkTimePullDown();
+print ' ';
+TalkTimePullDown();
print " \n";
-print "\n";
+print " \n";
print " \n";
-
+
if ($SessionTalkID) {
print "",FormElementTitle(-helplink => "talkinfo" , -helptext => "Notes")," \n";
print '';
-TextArea(-name => 'talknote', -columns => 50, -rows => 8, -default => $TalkDefaultNote);
+TextArea(-name => 'talknote', -columns => 50, -rows => 8, -default => $TalkDefaultNote);
print " \n";
print "",FormElementTitle(-helplink => "authorhint", -helptext => "Author Hints", -nocolon => $TRUE);
print " & ",FormElementTitle(-helplink => "topichint" , -helptext => "Topic Hints")," \n";
@@ -198,7 +201,7 @@ if ($SessionTalkID) { # Don't do this for seperators
print "
\n";
+ shown below:\n";
+print "
\n";
# Get revision number and print updated info
diff --git a/DocDB/cgi/SignatureReport b/DocDB/cgi/SignatureReport
index 87dd1b65..c3c7dd9a 100755
--- a/DocDB/cgi/SignatureReport
+++ b/DocDB/cgi/SignatureReport
@@ -2,12 +2,12 @@
#
# Author Eric Vaandering (ewv@fnal.gov)
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -33,6 +33,7 @@
use Benchmark;
use CGI;
+use CGI::Untaint;
use DBI;
$StartTime = new Benchmark;
@@ -46,16 +47,17 @@ require "ResponseElements.pm";
require "DocumentHTML.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "RevisionUtilities.pm";
require "SignoffUtilities.pm";
require "Utilities.pm";
require "DocumentUtilities.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
-
-my $EmailUserID = $params{emailuserid};
+my $EmailUserID = $Untaint -> extract(-as_integer => "emailuserid") || 0;
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
@@ -87,20 +89,20 @@ foreach my $SignoffID (@SignoffIDs) {
my $Status = &SignoffStatus ($SignoffID);
if ($Status eq "Ready") {
push @ReadyDocumentIDs,$DocumentID;
- } elsif ($Status eq "NotReady") {
+ } elsif ($Status eq "NotReady") {
push @NotReadyDocumentIDs,$DocumentID;
- } elsif ($Status eq "Signed") {
+ } elsif ($Status eq "Signed") {
my ($RevisionStatus) = &RevisionStatus($DocRevID);
if ($RevisionStatus eq "Approved") {
push @ApprovedDocumentIDs,$DocumentID;
} elsif ($RevisionStatus eq "Unapproved") {
push @SignedDocumentIDs,$DocumentID;
- }
+ }
}
}
- }
+ }
}
-
+
my @CurrentDocumentIDs = (@ReadyDocumentIDs ,@NotReadyDocumentIDs,@ApprovedDocumentIDs,@SignedDocumentIDs);
@OldSignatureDocumentIDs = RemoveArray(\@DocumentIDs,@CurrentDocumentIDs);
@@ -109,7 +111,7 @@ if (@ReadyDocumentIDs) {
my %FieldList = PrepareFieldList(-fields => ["Docid","Title","Author","Updated"]);
DocumentTable(-fieldlist => \%FieldList,
- -docids => \@ReadyDocumentIDs,
+ -docids => \@ReadyDocumentIDs,
-sortby => "date", -reverse => 1);
}
@@ -118,7 +120,7 @@ if (@NotReadyDocumentIDs) {
my %FieldList = PrepareFieldList(-fields => ["Docid","Title","CanSign","Updated"]);
DocumentTable(-fieldlist => \%FieldList,
- -docids => \@NotReadyDocumentIDs,
+ -docids => \@NotReadyDocumentIDs,
-sortby => "date", -reverse => 1);
}
@@ -127,7 +129,7 @@ if (@SignedDocumentIDs) {
my %FieldList = PrepareFieldList(-fields => ["Docid","Title","CanSign","Updated"]);
DocumentTable(-fieldlist => \%FieldList,
- -docids => \@SignedDocumentIDs,
+ -docids => \@SignedDocumentIDs,
-sortby => "date", -reverse => 1);
}
@@ -136,7 +138,7 @@ if (@ApprovedDocumentIDs) {
my %FieldList = PrepareFieldList(-fields => ["Docid","Title","Author","Updated"]);
DocumentTable(-fieldlist => \%FieldList,
- -docids => \@ApprovedDocumentIDs,
+ -docids => \@ApprovedDocumentIDs,
-sortby => "date", -reverse => 1);
}
@@ -145,7 +147,7 @@ if (@OldSignatureDocumentIDs) {
my %FieldList = PrepareFieldList(-fields => ["Docid","Title","Author","Updated"]);
DocumentTable(-fieldlist => \%FieldList,
- -docids => \@OldSignatureDocumentIDs,
+ -docids => \@OldSignatureDocumentIDs,
-sortby => "date", -reverse => 1);
}
diff --git a/DocDB/cgi/SignoffChooser b/DocDB/cgi/SignoffChooser
index 1ddd03e9..35ef75c3 100755
--- a/DocDB/cgi/SignoffChooser
+++ b/DocDB/cgi/SignoffChooser
@@ -10,7 +10,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -41,8 +41,7 @@ require "EmailSecurity.pm";
require "Scripts.pm";
$query = new CGI; # Global for subroutines
-%params = $query -> Vars;
-
+$query -> autoEscape(0);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
print $query -> header( -charset => $HTTP_ENCODING );
diff --git a/DocDB/cgi/SignoffHTML.pm b/DocDB/cgi/SignoffHTML.pm
index fe117784..83a36efa 100644
--- a/DocDB/cgi/SignoffHTML.pm
+++ b/DocDB/cgi/SignoffHTML.pm
@@ -6,7 +6,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -47,12 +47,17 @@ sub PrintRevisionSignoffInfo ($) { # FIXME: Handle more complicated topologies?
my $DocumentID = $DocRevisions{$DocRevID}{DOCID};
my $Version = $DocRevisions{$DocRevID}{Version};
- # Don't display anything unless the user is logged into a group that can
- # modify the DB. Maybe we want to display but not provide signature boxes?
+ # Don't display anything if the user is logged in as public.
+ # If the user can't modify the document, only show signatures,
+ # don't provide the ability to sign.
- unless (&CanModify($DocumentID,$Version)) {
+ if ($Public) {
return;
}
+ my $UserCanSign = $FALSE;
+ if (CanModify($DocumentID,$Version)) {
+ $UserCanSign = $TRUE;
+ }
my @RootSignoffIDs = &GetRootSignoffs($DocRevID);
if (@RootSignoffIDs) {
@@ -63,7 +68,7 @@ sub PrintRevisionSignoffInfo ($) { # FIXME: Handle more complicated topologies?
print "\n";
foreach my $RootSignoffID (@RootSignoffIDs) {
- &PrintSignoffInfo($RootSignoffID);
+ PrintSignoffInfo($RootSignoffID,$UserCanSign);
}
print "
\n";
print "\n";
@@ -73,17 +78,17 @@ sub PrintRevisionSignoffInfo ($) { # FIXME: Handle more complicated topologies?
sub PrintSignoffInfo ($) {
require "SignoffSQL.pm";
- my ($SignoffID) = @_;
+ my ($SignoffID,$UserCanSign) = @_;
if ($Public) { return; }
my @SubSignoffIDs = &GetSubSignoffs($SignoffID);
print "\n";
foreach my $SubSignoffID (@SubSignoffIDs) {
- &PrintSignoffInfo($SubSignoffID);
+ PrintSignoffInfo($SubSignoffID,$UserCanSign);
}
print "
\n";
}
@@ -96,7 +101,7 @@ sub PrintSignatureInfo ($) {
require "SignoffUtilities.pm";
require "NotificationSQL.pm";
- my ($SignoffID) = @_;
+ my ($SignoffID,$UserCanSign) = @_;
if ($Public) { return; }
@@ -118,50 +123,62 @@ sub PrintSignatureInfo ($) {
# Otherwise, note that it's waiting
my $SignatureText = "";
- my $SignatureLink = &SignatureLink($EmailUserID);
- if ($Status eq "Ready" || $Status eq "Signed") {
- if ($Status eq "Ready") {
- $Action = "sign";
- $ActionText = "Sign Document"
- } else {
- $Action = "unsign";
- $ActionText = "Remove Signature"
- }
- if ($UserValidation eq "certificate") {
- if (FetchEmailUserIDByCert() == $EmailUserID) {
+ my $SignatureLink = &SignatureLink($EmailUserID,$SignatureID);
+ if ($UserCanSign) {
+ if ($Status eq "Ready" || $Status eq "Signed") {
+ if ($Status eq "Ready") {
+ $Action = "sign";
+ $ActionText = "Sign Document"
+ } else {
+ $Action = "unsign";
+ $ActionText = "Remove Signature"
+ }
+ if ($UserValidation eq "certificate") {
+ if (FetchEmailUserIDByCert() == $EmailUserID) {
+ $SignatureText .= $query -> start_multipart_form('POST',"$SignRevision");
+ $SignatureText .= "\n";
print "\n";
-print "
\n";
diff --git a/DocDB/cgi/TalkHTML.pm b/DocDB/cgi/TalkHTML.pm
index d749eaa7..b133e0c2 100644
--- a/DocDB/cgi/TalkHTML.pm
+++ b/DocDB/cgi/TalkHTML.pm
@@ -4,7 +4,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified: Stephen Wood (saw@jlab.org)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/TalkHintSQL.pm b/DocDB/cgi/TalkHintSQL.pm
index 1334e642..67defa21 100644
--- a/DocDB/cgi/TalkHintSQL.pm
+++ b/DocDB/cgi/TalkHintSQL.pm
@@ -5,7 +5,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
diff --git a/DocDB/cgi/TalkHintUtilities.pm b/DocDB/cgi/TalkHintUtilities.pm
index beef355f..4bafdda4 100644
--- a/DocDB/cgi/TalkHintUtilities.pm
+++ b/DocDB/cgi/TalkHintUtilities.pm
@@ -2,15 +2,15 @@
# Description: Routines to deal with Talk Hints
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -26,13 +26,15 @@ sub ReHintTalksBySessionID ($) {
require "MeetingSQL.pm";
require "TalkSQL.pm";
my ($SessionID) = @_;
-
+ unless ($SessionID) {
+ return;
+ }
if ($Public) { # Can't write to DB
return;
- }
+ }
# Get valid Document IDs in the window
-
+
&FetchSessionByID($SessionID);
my @SessionTalkIDs = &FetchSessionTalksBySessionID($SessionID);
my %DocumentIDs = &GetHintDocuments($SessionID,$TalkHintWindow);
@@ -41,39 +43,39 @@ sub ReHintTalksBySessionID ($) {
# Loop over all session talk IDs
- foreach my $SessionTalkID (@SessionTalkIDs) {
+ foreach my $SessionTalkID (@SessionTalkIDs) {
if($SessionTalks{$SessionTalkID}{Confirmed}) {next;}
my @MatchedDocumentIDs = &TalkMatches($SessionTalkID,$TalkMatchThreshold,%DocumentIDs);
my $BestDocumentID = shift @MatchedDocumentIDs;
if ($BestDocumentID) {
- my $BestDocUpdate = $dbh_w -> prepare("update SessionTalk set DocumentID=? where SessionTalkID=?");
+ my $BestDocUpdate = $dbh_w -> prepare("update SessionTalk set DocumentID=? where SessionTalkID=?");
$BestDocUpdate -> execute($BestDocumentID,$SessionTalkID); # Update database
} else {
- my $BestDocUpdate = $dbh_w -> prepare("update SessionTalk set DocumentID=? where SessionTalkID=?");
+ my $BestDocUpdate = $dbh_w -> prepare("update SessionTalk set DocumentID=? where SessionTalkID=?");
$BestDocUpdate -> execute(0,$SessionTalkID); # Update database
- }
+ }
}
}
sub FuzzyStringMatch ($$) {
# use String::Approx qw(amatch);
-
+
# FIXME: Look at soundex and fuzzy matching, cookbook 1.16 and 6.13
-
+
my ($String1,$String2) = @_;
-
+
$String1 =~ s/\W//g; # FIXME: Should be better way to ignore ()'s
$String2 =~ s/\W//g;
-
+
$String1 =~ tr/[A-Z]/[a-z]/;
$String2 =~ tr/[A-Z]/[a-z]/;
-
+
my @Words1 = split /\s+/,$String1;
my @Words2 = split /\s+/,$String2;
-
- @Words1 = &RemoveArray(\@Words1,@MatchIgnoreWords);
- @Words2 = &RemoveArray(\@Words2,@MatchIgnoreWords);
-
+
+ @Words1 = &RemoveArray(\@Words1,@MatchIgnoreWords);
+ @Words2 = &RemoveArray(\@Words2,@MatchIgnoreWords);
+
my $Matches = 0;
foreach my $Word (@Words1) {
my $WordLength = length $Word;
@@ -83,31 +85,31 @@ sub FuzzyStringMatch ($$) {
$Matches += $WordLength/6;
} else {
++$Matches;
- }
- }
+ }
+ }
}
-
+
my $NWords1 = @Words1;
my $NWords2 = @Words2;
-
+
# Use NWords to calculate a "fraction" of matches, restrict to 3 - 10
-
+
$NWords = 3;
-
+
if ($NWords1 > $NWords) {$NWords = $NWords1;}
if ($NWords2 > $NWords) {$NWords = $NWords2;}
if ($NWords > 10) {$NWords = 10;}
-
+
my $MatchScore = 0;
if ($Matches >= 1.1) {
$MatchScore = $Matches/$NWords * 10;
}
- return $MatchScore;
+ return $MatchScore;
}
sub GetHintDocuments ($$) {
my ($SessionID,$SearchDays) = @_;
-
+
require "MeetingSQL.pm";
require "TalkSQL.pm";
require "DocumentSQL.pm";
@@ -116,7 +118,7 @@ sub GetHintDocuments ($$) {
require "AuthorSQL.pm";
require "TalkHintSQL.pm";
require "Utilities.pm";
-
+
&FetchSessionByID($SessionID);
my @SessionTalkIDs = &FetchSessionTalksBySessionID($SessionID);
my $ConferenceID = $Sessions{$SessionID}{ConferenceID};
@@ -126,21 +128,21 @@ sub GetHintDocuments ($$) {
my $EndDate = $Conferences{$ConferenceID}{EndDate};
# Get list of documents already confirmed with any conference
-
+
my @ConfirmedDocumentIDs = &ConfirmedDocuments();
my %ConfirmedDocumentIDs = ();
foreach my $ConfirmedDocumentID (@ConfirmedDocumentIDs) {
$ConfirmedDocumentIDs{$ConfirmedDocumentID} = 1;
}
-
- my $DocumentList = $dbh -> prepare("select DocumentID from DocumentRevision where DocRevID=? and Obsolete=0");
+
+ my $DocumentList = $dbh -> prepare("select DocumentID from DocumentRevision where DocRevID=? and Obsolete=0");
# Find documents in a time window
my $TimedList = $dbh -> prepare("select DocRevID from DocumentRevision where ".
"(RevisionDate>=? and RevisionDate<=?) or ".
"(ABS(TO_DAYS(?)-TO_DAYS(RevisionDate))<=?) or ".
- "(ABS(TO_DAYS(?)-TO_DAYS(RevisionDate))<=?)");
+ "(ABS(TO_DAYS(?)-TO_DAYS(RevisionDate))<=?)");
$TimedList -> execute($StartDate,$EndDate,$StartDate,$SearchDays,$EndDate,$SearchDays);
$TimedList -> bind_columns(undef, \($DocRevID));
@@ -149,10 +151,10 @@ sub GetHintDocuments ($$) {
($DocumentID) = $DocumentList -> fetchrow_array;
if ($DocumentID && !$ConfirmedDocumentIDs{$DocumentID}) {
$DocumentIDs{$DocumentID} = "Timed";
- }
+ }
}
- my $RevisionList = $dbh -> prepare("select DocRevID from RevisionEvent where ConferenceID=?");
+ my $RevisionList = $dbh -> prepare("select DocRevID from RevisionEvent where ConferenceID=?");
$RevisionList -> execute($ConferenceID);
$RevisionList -> bind_columns(undef, \($DocRevID));
@@ -170,22 +172,22 @@ sub GetHintDocuments ($$) {
sub TalkMatches ($$@) {
my ($SessionTalkID,$Threshold,%DocumentIDs) = @_;
-
+
require "Sorts.pm";
require "DocumentSQL.pm";
require "RevisionSQL.pm";
require "TalkHintSQL.pm";
require "AuthorUtilities.pm";
-
+
my @DocumentIDs = keys %DocumentIDs;
-
+
%TalkMatches = ();
FetchSessionTalkByID($SessionTalkID);
my $HintTitle = $SessionTalks{$SessionTalkID}{HintTitle};
my @TopicHintIDs = FetchTopicHintsBySessionTalkID($SessionTalkID);
- my @AuthorHintIDs = FetchAuthorHintsBySessionTalkID($SessionTalkID);
+ my @AuthorHintIDs = FetchAuthorHintsBySessionTalkID($SessionTalkID);
foreach my $DocumentID (@DocumentIDs) { # Check each document in the list
FetchDocument($DocumentID);
@@ -202,7 +204,7 @@ sub TalkMatches ($$@) {
my $HintTopic = $TopicHints{$TopicHintID}{TopicID};
if ($HintTopic == $RevTopic) {
++$TopicMatches;
- }
+ }
}
}
@@ -212,7 +214,7 @@ sub TalkMatches ($$@) {
my $HintAuthor = $AuthorHints{$AuthorHintID}{AuthorID};
if ($HintAuthor == $RevAuthor) {
++$AuthorMatches;
- }
+ }
}
}
@@ -225,7 +227,7 @@ sub TalkMatches ($$@) {
$MethodScore = 1;
} elsif ($DocumentIDs{$DocumentID} eq "Event") {
$MethodScore = 3;
- }
+ }
my $FuzzyScore1 = FuzzyStringMatch($DocumentTitle,$HintTitle);
my $FuzzyScore2 = FuzzyStringMatch($HintTitle,$DocumentTitle);
@@ -233,23 +235,23 @@ sub TalkMatches ($$@) {
if ($FuzzyScore1 > $FuzzyScore2) { # Can be different since "test" matches "testbeam," not vvs.
$FuzzyScore = $FuzzyScore1;
- } else {
+ } else {
$FuzzyScore = $FuzzyScore2;
}
my $Score = $MethodScore*($AuthorMatches+1)*(2*$TopicMatches+1)*($FuzzyScore+1);
- push @DebugStack,"Checking $HintTitle vs. $DocumentID Method: $MethodScore Words: $FuzzyScore Authors: $AuthorMatches Topics: $TopicMatches Score: $Score";
+ push @DebugStack,"Checking $HintTitle vs. $DocumentID Method: $MethodScore Words: $FuzzyScore Authors: $AuthorMatches Topics: $TopicMatches Score: $Score";
my $NoMatchScore = 1*(0+1)*(2*0+1)*(2*0+1);
if ($Score > $Threshold && $Score > $NoMatchScore) { # Might loosen
$TalkMatches{$DocumentID}{Score} = $Score;
}
- }
-
+ }
+
my @MatchDocumentIDs = keys %TalkMatches;
- @MatchDocumentIDs = reverse sort DocIDsByScore @MatchDocumentIDs;
-
- return @MatchDocumentIDs;
+ @MatchDocumentIDs = reverse sort DocIDsByScore @MatchDocumentIDs;
+
+ return @MatchDocumentIDs;
}
sub ConfirmedDocuments (;%) {
@@ -257,8 +259,8 @@ sub ConfirmedDocuments (;%) {
# FIXME: Add parameters for ConferenceID, SessionID
# Get list of documents already confirmed with a conference
-
- my $ConfirmedList = $dbh -> prepare("select DocumentID from SessionTalk where Confirmed=1");
+
+ my $ConfirmedList = $dbh -> prepare("select DocumentID from SessionTalk where Confirmed=1");
my %ConfirmedDocumentIDs = ();
$ConfirmedList -> execute();
$ConfirmedList -> bind_columns(undef, \($DocumentID));
@@ -268,6 +270,6 @@ sub ConfirmedDocuments (;%) {
my @ConfirmedDocumentIDs = sort keys %ConfirmedDocumentIDs;
return @ConfirmedDocumentIDs;
-}
+}
1;
diff --git a/DocDB/cgi/TalkSQL.pm b/DocDB/cgi/TalkSQL.pm
index d9dc8f68..a1f30435 100644
--- a/DocDB/cgi/TalkSQL.pm
+++ b/DocDB/cgi/TalkSQL.pm
@@ -1,17 +1,17 @@
#
-# Name: TalkSQL.pm
-# Description: Routines to access SQL tables related to talks for meetings
+# Name: TalkSQL.pm
+# Description: Routines to access SQL tables related to talks for meetings
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
#
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -32,6 +32,10 @@ sub FetchSessionTalksByConferenceID ($) {
my ($ConferenceID) = @_;
my $SessionTalkID;
my @SessionTalkIDs = ();
+ unless ($ConferenceID) {
+ return @SessionTalkIDs;
+ }
+
my $SessionTalkList = $dbh -> prepare(
"select SessionTalk.SessionTalkID from SessionTalk,Session ".
"where Session.SessionID=SessionTalk.SessionID and Session.ConferenceID=?");
@@ -41,13 +45,17 @@ sub FetchSessionTalksByConferenceID ($) {
$SessionTalkID = &FetchSessionTalkByID($SessionTalkID);
push @SessionTalkIDs,$SessionTalkID;
}
- return @SessionTalkIDs;
+ return @SessionTalkIDs;
}
sub FetchSessionTalksBySessionID ($) {
my ($SessionID) = @_;
my $SessionTalkID;
my @SessionTalkIDs = ();
+ unless ($SessionID) {
+ return @SessionTalkIDs;
+ }
+
my $SessionTalkList = $dbh -> prepare(
"select SessionTalkID from SessionTalk where SessionID=?");
$SessionTalkList -> execute($SessionID);
@@ -56,12 +64,12 @@ sub FetchSessionTalksBySessionID ($) {
$SessionTalkID = &FetchSessionTalkByID($SessionTalkID);
push @SessionTalkIDs,$SessionTalkID;
}
- return @SessionTalkIDs;
+ return @SessionTalkIDs;
}
sub FetchSessionTalkByID ($) {
my ($SessionTalkID) = @_;
- my ($SessionID,$DocumentID,$Confirmed,$Time,$HintTitle,$Note,$TimeStamp);
+ my ($SessionID,$DocumentID,$Confirmed,$Time,$HintTitle,$Note,$TimeStamp);
my $SessionTalkFetch = $dbh -> prepare(
"select SessionID,DocumentID,Confirmed,Time,HintTitle,Note,TimeStamp ".
"from SessionTalk where SessionTalkID=?");
@@ -69,7 +77,7 @@ sub FetchSessionTalkByID ($) {
return $SessionTalkID;
}
$SessionTalkFetch -> execute($SessionTalkID);
- ($SessionID,$DocumentID,$Confirmed,$Time,$HintTitle,$Note,$TimeStamp) = $SessionTalkFetch -> fetchrow_array;
+ ($SessionID,$DocumentID,$Confirmed,$Time,$HintTitle,$Note,$TimeStamp) = $SessionTalkFetch -> fetchrow_array;
if ($TimeStamp) {
$SessionTalks{$SessionTalkID}{SessionID} = $SessionID;
$SessionTalks{$SessionTalkID}{DocumentID} = $DocumentID;
@@ -79,7 +87,7 @@ sub FetchSessionTalkByID ($) {
$SessionTalks{$SessionTalkID}{Note} = $Note;
$SessionTalks{$SessionTalkID}{TimeStamp} = $TimeStamp;
}
- return $SessionTalkID;
+ return $SessionTalkID;
}
sub FetchTalkSeparatorsBySessionID ($) {
@@ -94,12 +102,12 @@ sub FetchTalkSeparatorsBySessionID ($) {
$TalkSeparatorID = &FetchTalkSeparatorByID($TalkSeparatorID);
push @TalkSeparatorIDs,$TalkSeparatorID;
}
- return @TalkSeparatorIDs;
+ return @TalkSeparatorIDs;
}
sub FetchTalkSeparatorByID ($) {
my ($TalkSeparatorID) = @_;
- my ($SessionID,$Time,$Title,$Note,$TimeStamp);
+ my ($SessionID,$Time,$Title,$Note,$TimeStamp);
my $TalkSeparatorFetch = $dbh -> prepare(
"select SessionID,Time,Title,Note,TimeStamp ".
"from TalkSeparator where TalkSeparatorID=?");
@@ -107,7 +115,7 @@ sub FetchTalkSeparatorByID ($) {
return $TalkSeparatorID;
}
$TalkSeparatorFetch -> execute($TalkSeparatorID);
- ($SessionID,$Time,$Title,$Note,$TimeStamp) = $TalkSeparatorFetch -> fetchrow_array;
+ ($SessionID,$Time,$Title,$Note,$TimeStamp) = $TalkSeparatorFetch -> fetchrow_array;
if ($TimeStamp) {
$TalkSeparators{$TalkSeparatorID}{SessionID} = $SessionID;
$TalkSeparators{$TalkSeparatorID}{Time} = $Time;
@@ -115,8 +123,8 @@ sub FetchTalkSeparatorByID ($) {
$TalkSeparators{$TalkSeparatorID}{Note} = $Note;
$TalkSeparators{$TalkSeparatorID}{TimeStamp} = $TimeStamp;
}
-
- return $TalkSeparatorID;
+
+ return $TalkSeparatorID;
}
sub FetchSessionOrdersBySessionID {
@@ -148,7 +156,7 @@ sub FetchSessionOrdersBySessionID {
$SessionOrders{$SessionOrderID}{TalkOrder} = $TalkOrder;
push @SessionOrderIDs,$SessionOrderID;
}
- return @SessionOrderIDs;
+ return @SessionOrderIDs;
}
sub FetchSessionOrderByID ($) {
@@ -172,20 +180,20 @@ sub DeleteSessionTalk ($) {
require "TalkHintSQL.pm";
- my $TalkDelete = $dbh -> prepare("delete from SessionTalk where SessionTalkID=?");
- my $OrderDelete = $dbh -> prepare("delete from SessionOrder where SessionTalkID=?");
+ my $TalkDelete = $dbh -> prepare("delete from SessionTalk where SessionTalkID=?");
+ my $OrderDelete = $dbh -> prepare("delete from SessionOrder where SessionTalkID=?");
$TalkDelete -> execute($SessionTalkID);
$OrderDelete -> execute($SessionTalkID);
-
- &DeleteHints($SessionTalkID);
+
+ &DeleteHints($SessionTalkID);
}
sub DeleteTalkSeparator ($) {
my ($TalkSeparatorID) = @_;
- my $SeparatorDelete = $dbh -> prepare("delete from TalkSeparator where TalkSeparatorID=?");
- my $OrderDelete = $dbh -> prepare("delete from SessionOrder where TalkSeparatorID=?");
+ my $SeparatorDelete = $dbh -> prepare("delete from TalkSeparator where TalkSeparatorID=?");
+ my $OrderDelete = $dbh -> prepare("delete from SessionOrder where TalkSeparatorID=?");
$SeparatorDelete -> execute($TalkSeparatorID);
$OrderDelete -> execute($TalkSeparatorID);
@@ -194,21 +202,21 @@ sub DeleteTalkSeparator ($) {
sub ConfirmTalk (%) {
require "RevisionSQL.pm";
my %Params = @_;
-
+
my $DocumentID = $Params{-docid} || 0;
my $SessionTalkID = $Params{-sessiontalkid} || 0;
my $EventID = $Params{-eventid} || 0;
-
+
&FetchRevisionsByDocument($DocumentID);
my $DocRevID = $DocRevIDs{$DocumentID}{$Documents{$DocumentID}{NVersions}};
-
+
my $Check = $dbh -> prepare("select RevEventID from RevisionEvent where DocRevID=? and ConferenceID=?");
$Check -> execute($DocRevID,$EventID);
my ($RevisionEventID) = $Check -> fetchrow_array;
unless ($RevisionEventID) {
- my $Insert = $dbh -> prepare("insert into RevisionEvent (RevEventID,DocRevID,ConferenceID) values (0,?,?)");
+ my $Insert = $dbh -> prepare("insert into RevisionEvent (RevEventID,DocRevID,ConferenceID) values (0,?,?)");
$Insert -> execute($DocRevID,$EventID);
- }
-}
+ }
+}
1;
diff --git a/DocDB/cgi/TopicAdminister b/DocDB/cgi/TopicAdminister
index d4939ec3..1dc7bff9 100755
--- a/DocDB/cgi/TopicAdminister
+++ b/DocDB/cgi/TopicAdminister
@@ -2,18 +2,18 @@
#
# Description: This script is called by AdministerForm and does administration
# on Topics in the DB. TopicAdd is simpler and can only add
-# topics. TopicAdd is most useful in setting up a new DB, while
-# TopicAdminister will be more useful in maintaining an existing DB.
+# topics. TopicAdd is most useful in setting up a new DB, while
+# TopicAdminister will be more useful in maintaining an existing DB.
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -40,13 +40,15 @@ require "Sorts.pm";
require "DBUtilities.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "TopicHTML.pm";
-require "TopicSQL.pm";
+require "TopicSQL.pm";
$query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
-# Parameters to script
+# Parameters to script
my $Untaint = CGI::Untaint -> new($query -> Vars);
@@ -57,8 +59,8 @@ my $Force = $Untaint -> extract (-as_printable => "admforce") || "";
my $TopicID = $Untaint -> extract (-as_integer => "topics") || 0;
my $ParentTopicID = $Untaint -> extract (-as_integer => "parenttopic") || 0;
-my $LongName = $Untaint -> extract (-as_printable => "longdesc") || "";
-my $ShortName = $Untaint -> extract (-as_printable => "shortdesc") || "";
+my $LongName = $Untaint -> extract (-as_safehtml => "longdesc") || "";
+my $ShortName = $Untaint -> extract (-as_safehtml => "shortdesc") || "";
$query -> delete_all();
@@ -82,12 +84,12 @@ DocDBHeader("Topic Administration","",-scripts => ["PopUps","TopicAdminDisable"]
unless (CanAdminister()) {
push @ErrorStack,$Msg_AdminNoLogin;
-}
+}
EndPage();
GetTopics();
if ($Action eq "Delete") {
- # FIXME?: Force option is not going to be compatible with children with
+ # FIXME?: Force option is not going to be compatible with children with
# multiple parents In that case we would need to determine if any topics
# would be orphaned and then delete those, but not ones with another
# parent
@@ -98,41 +100,47 @@ if ($Action eq "Delete") {
push @WarnStack,$Msg_ModTopicEmpty;
}
-# Deal with name changes
+# Deal with name changes
- if ($TopicID && $ShortName) {
+ if ($TopicID && $ShortName) {
push @ActionStack,"Updated short description of topic.";
my $Update = $dbh -> prepare("update Topic set ShortDescription=? where TopicID=?");
$Update -> execute($ShortName,$TopicID);
}
- if ($TopicID && $LongName) {
+ if ($TopicID && $LongName) {
push @ActionStack,"Updated long description of topic.";
my $Update = $dbh -> prepare("update Topic set LongDescription=? where TopicID=?");
$Update -> execute($LongName,$TopicID);
}
-# Deal with parent changes
+# Deal with parent changes
- if ($ParentTopicID && $ParentTopicID == $TopicID) {
+ if ($TopicID && $ParentTopicID && $ParentTopicID == $TopicID) {
push @WarnStack,"You cannot set a topic to be its own parent. No action taken.";
- }
+ }
+
+ if (grep {$_ eq $ParentTopicID} @{$TopicDescendants{$TopicID}}) {
+ push @ErrorStack,"The topic you tried to modify has the proposed parent as one of its descendants. No action taken.";
+ }
- if ($TopicID && $ParentTopicID && $ParentTopicID != $TopicID) {
+ EndPage();
+
+ if ($TopicID && $ParentTopicID && $ParentTopicID != $TopicID) {
push @ActionStack,"Updated parent topic of (sub)topic.";
-
+
my $Delete = $dbh -> prepare("delete from TopicHierarchy where TopicID=?");
my $Insert = $dbh -> prepare("insert into TopicHierarchy (TopicHierarchyID,TopicID,ParentTopicID) values (0,?,?)");
-
+
$Delete -> execute($TopicID);
$Insert -> execute($TopicID,$ParentTopicID);
}
} elsif ($Action eq "New") {
if ($ShortName || $LongName) {
- if (!$LongName) {
+ if (!$LongName) {
$LongName = $ShortName;
push @WarnStack,"No long description supplied. Short description substituted.";
- } elsif (!$ShortName) {
+ } elsif (!$ShortName) {
$ShortName = $LongName;
push @WarnStack,"No short description supplied. Long description substituted.";
}
@@ -141,25 +149,25 @@ if ($Action eq "Delete") {
$TopicInsert -> execute($ShortName,$LongName);
my $TopicID = $TopicInsert -> {mysql_insertid};
- if ($ParentTopicID) {
+ if ($ParentTopicID && $TopicID && $ParentTopicID != $TopicID) {
my $Insert = $dbh -> prepare("insert into TopicHierarchy (TopicHierarchyID,TopicID,ParentTopicID) values (0,?,?)");
$Insert -> execute($TopicID,$ParentTopicID);
push @ActionStack,"New sub-topic created with descriptions $ShortName and $LongName.";
} else {
- push @ActionStack,"New root-level topic created with descriptions $ShortName and $LongName.";
+ push @ActionStack,"New root-level topic created with descriptions $ShortName and $LongName.";
}
} else {
push @WarnStack,"No short or long description supplied. No topic created.";
- }
-} elsif ($TopicID || $ParentTopicID || $LongName || $ShortName) {
+ }
+} elsif ($TopicID || $ParentTopicID || $LongName || $ShortName) {
push @WarnStack,"No valid action was specified.";
-}
-
-if (@ActionStack) {
+}
+
+if (@ActionStack) {
ClearTopics();
GetTopics();
ActionReport();
-}
+}
EndPage();
@@ -167,18 +175,18 @@ print $query -> start_multipart_form('POST',"$TopicAdminister",'id="topic" name=
print "Total number of Documents: $NDocuments Total number of Revisions: $NRevisions \n";
-print " Number of File Entries: $NFiles Total Active Revisions: $NOKRevisions \n";
-print " Actual number of Files: $NOKFiles Average Versions per Document: $RevPerDoc \n";
-print " Average Files per Revision: $FilePerRev Total number of Documents: $NDocuments Total number of Revisions: $NRevisions \n";
+print " Number of File Entries: $NFiles Total Active Revisions: $NOKRevisions \n";
+print " Actual number of Files: $NOKFiles Average Versions per Document: $RevPerDoc \n";
+print " Average Files per Revision: $FilePerRev \n";
-print " Average Files per Document: $FilePerDoc Average Files per Document: $FilePerDoc \n";
print "\n";
my $NAuth_query = $dbh -> prepare("select COUNT(AuthorID) from Author");
- $NAuth_query -> execute();
+ $NAuth_query -> execute();
my ($NAuthors) = $NAuth_query -> fetchrow_array;
my $NUniqAuth_query = $dbh -> prepare("select COUNT(DISTINCT(AuthorID)) from RevisionAuthor");
- $NUniqAuth_query -> execute();
+ $NUniqAuth_query -> execute();
my ($NUniqAuth) = $NUniqAuth_query -> fetchrow_array;
my $NRevAuth_query = $dbh -> prepare("select COUNT(AuthorID) from RevisionAuthor");
- $NRevAuth_query -> execute();
+ $NRevAuth_query -> execute();
my ($NRevisionAuthors) = $NRevAuth_query -> fetchrow_array;
my $AuthPerRev = sprintf "%5.2f",$NRevisionAuthors/$NRevisions;
my $DocPerAuth = sprintf "%5.2f",$NDocuments/$NUniqAuth*$AuthPerRev;
my $NTopic_query = $dbh -> prepare("select COUNT(TopicID) from Topic");
- $NTopic_query -> execute();
+ $NTopic_query -> execute();
my ($NTopics) = $NTopic_query -> fetchrow_array;
my $NUniqTopic_query = $dbh -> prepare("select COUNT(DISTINCT(TopicID)) from RevisionTopic");
- $NUniqTopic_query -> execute();
+ $NUniqTopic_query -> execute();
my ($NUniqTopics) = $NUniqTopic_query -> fetchrow_array;
my $NRevTopic_query = $dbh -> prepare("select COUNT(TopicID) from RevisionTopic");
- $NRevTopic_query -> execute();
+ $NRevTopic_query -> execute();
my ($NRevisionTopics) = $NRevTopic_query -> fetchrow_array;
my $TopicPerRev = sprintf "%5.2f",$NRevisionTopics/$NRevisions;
my $DocPerTopic = sprintf "%5.2f",$NDocuments/$NUniqTopics*$TopicPerRev;
print "\n";
-print "Number of registered Authors: $NAuthors \n";
-print " Number of possible Topics: $NTopics Number of registered Authors: $NAuthors \n";
+print " Number of possible Topics: $NTopics Authors of one or more Documents: $NUniqAuth \n";
-print " Number of Topics used: $NUniqTopics Authors of one or more Documents: $NUniqAuth \n";
+print " Number of Topics used: $NUniqTopics Number of Authors on all Revisions: $NRevisionAuthors \n";
-print " Number of Topics on all Revisions: $NRevisionTopics Number of Authors on all Revisions: $NRevisionAuthors \n";
+print " Number of Topics on all Revisions: $NRevisionTopics Average Authors per Revision: $AuthPerRev \n";
-print " Average Topics per Revision: $TopicPerRev Average Authors per Revision: $AuthPerRev \n";
+print " Average Topics per Revision: $TopicPerRev Average Documents per Author: $DocPerAuth \n";
-print " Average Documents per Topic: $DocPerTopic Average Documents per Author: $DocPerAuth \n";
+print " Average Documents per Topic: $DocPerTopic Number of Events: $NEvents Events with Documents: $NUniqEvents Number of Events for all Revisions: $NRevisionEvents Average Events per Revision: $EventsPerRev Estimated Documents per Event: $DocPerEvent Number of Events: $NEvents Events with Documents: $NUniqEvents Number of Events for all Revisions: $NRevisionEvents Average Events per Revision: $EventsPerRev Estimated Documents per Event: $DocPerEvent \n";
print "
\n";
+}
+$Table .= "\n";
-print " \n";
print "\n";
- AdministerActions(-form => "topic");
+print " \n";
+ AdministerActions(-form => "topic");
print " \n";
print "\n";
-print " \n";
@@ -189,18 +197,18 @@ print "\n";
print "\n";
print "\n";
- TopicScroll({ -helptext => "Topic", -helplink => "topics",
+print " \n";
+ TopicScroll({ -helptext => "Topic", -helplink => "topics",
-itemformat => "full", -disabled => $TRUE,
- -extratext => "[Long description]",
- });
-print " \n";
+ -extratext => "[Long description]",
+ });
+print "\n";
print "\n"; ShortDescriptionBox(-name => "shortdesc", -disabled => $TRUE);
print " \n";
print "\n";
-print " \n";
print "\n";
+print " \n";
AdminRegardless();
print " \n";
print "\n";
-print " \n";
@@ -217,5 +225,5 @@ print $query -> end_multipart_form;
DocDBNavBar();
DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
-
+
exit;
diff --git a/DocDB/cgi/TopicHTML.pm b/DocDB/cgi/TopicHTML.pm
index 60c771a7..bdd2e481 100644
--- a/DocDB/cgi/TopicHTML.pm
+++ b/DocDB/cgi/TopicHTML.pm
@@ -7,7 +7,7 @@
#
# Author: Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -24,6 +24,8 @@
# along with DocDB; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+require "HTMLUtilities.pm";
+
sub TopicListByID {
my ($ArgRef) = @_;
my @TopicIDs = exists $ArgRef->{-topicids} ? @{$ArgRef->{-topicids}} : ();
@@ -116,14 +118,14 @@ sub TopicLink ($) {
$Link = "";
if ($Format eq "short") {
- $Text = CGI::escapeHTML($Topics{$TopicID}{Short});
+ $Text = SmartHTML( {-text => $Topics{$TopicID}{Short}, } );
$Tooltip = TopicName({-topicid => $TopicID, -format => "withparents",} );
} elsif ($Format eq "long") {
- $Text = CGI::escapeHTML($Topics{$TopicID}{Long} );
- $Tooltip = CGI::escapeHTML($Topics{$TopicID}{Short});
+ $Text = SmartHTML( {-text => $Topics{$TopicID}{Long} , } );
+ $Tooltip = SmartHTML( {-text => $Topics{$TopicID}{Short}, } );
} elsif ($Format eq "withparents") {
- $Text = CGI::escapeHTML($Topics{$TopicID}{Short});
- $Tooltip = CGI::escapeHTML($Topics{$TopicID}{Long} );
+ $Text = SmartHTML( {-text => $Topics{$TopicID}{Short}, } );
+ $Tooltip = SmartHTML( {-text => $Topics{$TopicID}{Long}, } );
my @ParentTopicIDs = FetchTopicParents( {-topicid => $TopicID});
if (@ParentTopicIDs) {
my ($ParentTopicID) = @ParentTopicIDs;
@@ -156,7 +158,7 @@ sub TopicName ($) {
$Text .= $Separator;
}
}
- $Text .= CGI::escapeHTML($Topics{$TopicID}{Short});
+ $Text .= SmartHTML( {-text => $Topics{$TopicID}{Short}, } );
return $Text;
}
@@ -377,14 +379,15 @@ sub TopicScroll ($) {
# my @ActiveIDs = @TopicIDs; # Later can select single root topics, etc.
foreach my $ID (@TopicIDs) {
- my $Spaces = ' 'x(1*(scalar(@{$TopicProvenance{$ID}})-1));
+ my $SafeShort = SmartHTML({-text=>$Topics{$ID}{Short}});
+ my $SafeLong = SmartHTML({-text=>$Topics{$ID}{Long}});
+ my $Spaces = '-'x(1*(scalar(@{$TopicProvenance{$ID}})-1));
if ($ItemFormat eq "short") {
- $TopicLabels{$ID} = $Spaces.CGI::escapeHTML($Topics{$ID}{Short});
+ $TopicLabels{$ID} = $Spaces.$SafeShort;
} elsif ($ItemFormat eq "long") {
- $TopicLabels{$ID} = $Spaces.CGI::escapeHTML($Topics{$ID}{Long});
+ $TopicLabels{$ID} = $Spaces.$SafeLong;
} elsif ($ItemFormat eq "full") {
- $TopicLabels{$ID} = $Spaces.CGI::escapeHTML($Topics{$ID}{Short}.
- " [".$Topics{$ID}{Long}."]");
+ $TopicLabels{$ID} = $Spaces.$SafeShort." [".$SafeLong."]";
}
if (($ItemFormat eq "short" or $ItemFormat eq "long") &&
@@ -397,13 +400,10 @@ sub TopicScroll ($) {
-text => $Text , -extratext => $ExtraText,
-required => $Required);
- $query -> autoEscape(0); # Turn off and on since sometimes scrolling_list double escape this.
-
print $query -> scrolling_list(-name => $Name, -values => \@TopicIDs,
-size => $Size, -labels => \%TopicLabels,
-multiple => $Multiple,
-default => \@Defaults, %Options);
- $query -> autoEscape(1);
}
1;
diff --git a/DocDB/cgi/TopicSQL.pm b/DocDB/cgi/TopicSQL.pm
index f8cd84b1..e87360b7 100644
--- a/DocDB/cgi/TopicSQL.pm
+++ b/DocDB/cgi/TopicSQL.pm
@@ -7,7 +7,7 @@
# Author: Eric Vaandering (ewv@fnal.gov)
# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -278,7 +278,7 @@ sub DeleteTopic ($) {
if ($Abort) {
return 0;
}
-
+
my $TopicDelete = $dbh -> prepare("delete from Topic where TopicID=?");
my $RevisionDelete = $dbh -> prepare("delete from RevisionTopic where TopicID=?");
my $HintDelete = $dbh -> prepare("delete from TopicHint where TopicID=?");
@@ -302,9 +302,9 @@ sub DeleteTopic ($) {
}
if ($Force) {
- push @ActionStack,"Topic $Topics{$TopicID}{LongDescription}, all sub-topics, all associations, and all associations to sub-topics deleted.";
+ push @ActionStack,"Topic $Topics{$TopicID}{LongDescription}, all sub-topics, all associations, and all associations to sub-topics deleted.";
} else {
- push @ActionStack,"Topic $Topics{$TopicID}{LongDescription} deleted.";
+ push @ActionStack,"Topic $Topics{$TopicID}{LongDescription} deleted.";
}
return 1;
}
diff --git a/DocDB/cgi/TopicUtilities.pm b/DocDB/cgi/TopicUtilities.pm
index ccf94cfd..ca2eca97 100644
--- a/DocDB/cgi/TopicUtilities.pm
+++ b/DocDB/cgi/TopicUtilities.pm
@@ -1,12 +1,12 @@
# Author: Eric Vaandering (ewv@fnal.gov)
-# Modified:
+# Modified:
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -22,52 +22,54 @@ sub AllRootTopics {
require "TopicSQL.pm";
GetTopics();
-
+
my @TopicIDs = keys %Topics;
my @RootIDs = ();
-
+
foreach my $TopicID (@TopicIDs) {
unless (@{$TopicParents{$TopicID}}) {
push @RootIDs,$TopicID;
- }
+ }
}
-
+
return @RootIDs;
}
sub TopicAndSubTopics {
my ($ArgRef) = @_;
my $TopicID = exists $ArgRef->{-topicid} ? $ArgRef->{-topicid} : 0;
-
+
require "TopicSQL.pm";
require "Utilities.pm";
GetTopics();
-
+
my @TopicIDs = ($TopicID);
-
+
foreach my $ChildID (@{$TopicChildren{$TopicID}}) {
my @ChildIDs = TopicAndSubTopics({ -topicid => $ChildID });
push @TopicIDs,@ChildIDs;
}
-
- return Unique(@TopicIDs);
+
+ return Unique(@TopicIDs);
}
sub BuildTopicProvenance {
%TopicProvenance = ();
-
- # When finished, @{$TopicProvenance{$TopicID}} is an array for every $TopicID,
- # which has that TopicID as its first element, its parent as its second,
+ %TopicDescendants = ();
+
+ # When finished, @{$TopicProvenance{$TopicID}} is an array for every $TopicID,
+ # which has that TopicID as its first element, its parent as its second,
# grandparent as the third, etc.
-
+ # @{$TopicDescendants{$TopicID}} is a list of all children, grandchildren, etc for a topic.
+
foreach my $TopicID (keys %Topics) {
push @{$TopicProvenance{$TopicID}},$TopicID;
}
-
+
# Check each provenance entry to see if we can append to the list
# FIXME: Cannot deal with multiple parents.
-
+
my $Found = $TRUE;
while ($Found) {
$Found = $FALSE;
@@ -78,11 +80,24 @@ sub BuildTopicProvenance {
$Found = $TRUE;
my @ParentIDs = @{$TopicParents{$LastID}};
my $FirstParentID = pop @ParentIDs;
+ if (grep {$_ eq $FirstParentID} @{$TopicProvenance{$TopicID}}) {
+ push @ErrorStack, "Detected a topic loop where topic $TopicID has topic $FirstParentID as a parent multiple times. Aborting.";
+ return;
+ }
push @{$TopicProvenance{$TopicID}},$FirstParentID;
- }
+ }
+ }
+ }
+
+ foreach my $TopicID (keys %Topics) {
+ my @IDs = @{$TopicProvenance{$TopicID}};
+ foreach my $ID (@IDs) {
+ if ($ID != $TopicID) {
+ push @{$TopicDescendants{$ID}}, $TopicID;
+ }
}
}
-
+
return;
}
diff --git a/DocDB/cgi/UntaintHTML.pm b/DocDB/cgi/UntaintHTML.pm
new file mode 100644
index 00000000..ade7fe8a
--- /dev/null
+++ b/DocDB/cgi/UntaintHTML.pm
@@ -0,0 +1,38 @@
+# Name: UntaintHTML.pm
+# Description: Turns user input into escaped HTML
+#
+# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
+
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
+
+# This file is part of DocDB.
+
+# DocDB is free software; you can redistribute it and/or modify
+# it under the terms of version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+
+# DocDB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with DocDB; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+package CGI::Untaint::safehtml;
+
+$VERSION = '1.00';
+
+use strict;
+use base 'CGI::Untaint::printable';
+use HTML::Entities qw(encode_entities_numeric);
+
+sub is_valid {
+ my $self = shift;
+ my $EscapedHTML = encode_entities_numeric($self->value);
+ $self->value($EscapedHTML);
+}
+
+1;
diff --git a/DocDB/cgi/UntaintInput.pm b/DocDB/cgi/UntaintInput.pm
new file mode 100644
index 00000000..cacc8416
--- /dev/null
+++ b/DocDB/cgi/UntaintInput.pm
@@ -0,0 +1,32 @@
+#
+# Description: Gather together all Untaint handlers for every script that needs them
+#
+# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
+
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
+
+# This file is part of DocDB.
+
+# DocDB is free software; you can redistribute it and/or modify
+# it under the terms of version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+
+# DocDB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with DocDB; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+use CGI::Untaint;
+
+require "UntaintHTML.pm";
+require "UntaintInteger.pm";
+require "UntaintListOfInts.pm";
+require "UntaintListOfWords.pm";
+require "UntaintListOfHTML.pm";
+
+1;
diff --git a/DocDB/cgi/UntaintInteger.pm b/DocDB/cgi/UntaintInteger.pm
new file mode 100644
index 00000000..c3b2e789
--- /dev/null
+++ b/DocDB/cgi/UntaintInteger.pm
@@ -0,0 +1,42 @@
+# Name: UntaintInteger.pm
+# Description: Allows an integer with leading/trailing whitespace
+#
+# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
+
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
+
+# This file is part of DocDB.
+
+# DocDB is free software; you can redistribute it and/or modify
+# it under the terms of version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+
+# DocDB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with DocDB; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+package CGI::Untaint::typedint;
+
+$VERSION = '1.00';
+
+use strict;
+use base 'CGI::Untaint::object';
+
+sub _untaint_re { qr/^\s*([+-]?\d+)\s*$/ }
+
+sub is_valid {
+ my $self = shift;
+ my $NewInt = $self->value;
+ $NewInt =~ s/^\s+//; # Remove leading and trailing spaces
+ $NewInt =~ s/\s+$//;
+
+ $self->value($NewInt);
+}
+
+1;
diff --git a/DocDB/cgi/UntaintListOfHTML.pm b/DocDB/cgi/UntaintListOfHTML.pm
new file mode 100644
index 00000000..a5d1ecb9
--- /dev/null
+++ b/DocDB/cgi/UntaintListOfHTML.pm
@@ -0,0 +1,49 @@
+# Name: UntaintListOfHTML.pm
+# Description: Allows a list of (null separated) possible HTML fragments
+# and return sanitized HTML
+#
+# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
+
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
+
+# This file is part of DocDB.
+
+# DocDB is free software; you can redistribute it and/or modify
+# it under the terms of version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+
+# DocDB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with DocDB; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+package CGI::Untaint::listofhtml;
+
+$VERSION = '1.00';
+
+use strict;
+use base 'CGI::Untaint::listofwords';
+use HTML::Entities qw(encode_entities_numeric);
+
+sub _untaint_re { qr/^(.*(\000)*)+$/ }
+
+sub is_valid {
+ my $self = shift;
+ my $RawValue = $self->value;
+ my @Values = split /\0/,$RawValue;
+ my @SafeValues = ();
+ foreach my $Value (@Values) {
+ my $SafeValue = encode_entities_numeric($Value);
+ push @SafeValues, $SafeValue;
+ }
+ my $ArrRef = \@SafeValues;
+
+ $self->value($ArrRef);
+}
+
+1;
diff --git a/DocDB/cgi/UntaintListOfInts.pm b/DocDB/cgi/UntaintListOfInts.pm
new file mode 100644
index 00000000..a4eb593f
--- /dev/null
+++ b/DocDB/cgi/UntaintListOfInts.pm
@@ -0,0 +1,42 @@
+# Name: UntaintListOfInts.pm
+# Description: Allows a list of (null separated) positive integers
+#
+# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
+
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
+
+# This file is part of DocDB.
+
+# DocDB is free software; you can redistribute it and/or modify
+# it under the terms of version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+
+# DocDB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with DocDB; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+package CGI::Untaint::listofint;
+
+$VERSION = '1.00';
+
+use strict;
+use base 'CGI::Untaint::object';
+
+sub _untaint_re { qr/^((\d+)(\000)*)+$/ }
+
+sub is_valid {
+ my $self = shift;
+ my $RawValue = $self->value;
+ my @Values = split /\0/,$RawValue;
+ my $ArrRef = \@Values;
+
+ $self->value($ArrRef);
+}
+
+1;
diff --git a/DocDB/cgi/UntaintListOfWords.pm b/DocDB/cgi/UntaintListOfWords.pm
new file mode 100644
index 00000000..58094635
--- /dev/null
+++ b/DocDB/cgi/UntaintListOfWords.pm
@@ -0,0 +1,42 @@
+# Name: UntaintListOfWords.pm
+# Description: Allows a list of (null separated) words
+#
+# Author: Eric Vaandering (ewv@fnal.gov)
+# Modified: Eric Vaandering (ewv@fnal.gov)
+
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
+
+# This file is part of DocDB.
+
+# DocDB is free software; you can redistribute it and/or modify
+# it under the terms of version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+
+# DocDB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with DocDB; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+package CGI::Untaint::listofwords;
+
+$VERSION = '1.00';
+
+use strict;
+use base 'CGI::Untaint::object';
+
+sub _untaint_re { qr/^((\w+)(\000)*)+$/ }
+
+sub is_valid {
+ my $self = shift;
+ my $RawValue = $self->value;
+ my @Values = split /\0/,$RawValue;
+ my $ArrRef = \@Values;
+
+ $self->value($ArrRef);
+}
+
+1;
diff --git a/DocDB/cgi/UserAccessApply b/DocDB/cgi/UserAccessApply
index 845af869..18f14c10 100755
--- a/DocDB/cgi/UserAccessApply
+++ b/DocDB/cgi/UserAccessApply
@@ -2,12 +2,12 @@
#
# Author Eric Vaandering (ewv@fnal.gov)
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
# DocDB is free software; you can redistribute it and/or modify
-# it under the terms of version 2 of the GNU General Public License
+# it under the terms of version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# DocDB is distributed in the hope that it will be useful,
@@ -21,6 +21,7 @@
use Benchmark;
use CGI;
+use CGI::Untaint;
use DBI;
$StartTime = new Benchmark;
@@ -28,14 +29,15 @@ $StartTime = new Benchmark;
require "DocDBGlobals.pm";
require "Messages.pm";
require "HTMLUtilities.pm";
+require "UntaintInput.pm";
require "ResponseElements.pm";
require "SecuritySQL.pm";
require "CertificateUtilities.pm";
$query = new CGI; # Global for subroutines
-
-%params = $query -> Vars;
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
$dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass);
@@ -49,15 +51,16 @@ EndPage();
### Output Information
my $CertificateStatus = &CertificateStatus();
-my $CertEmail = $params{email};
+my $CertEmail = $Untaint -> extract(-as_safehtml => "email") || "";
-unless ($CertEmail) {
+unless ($CertEmail) {
push @ErrorStack,"You must supply an e-mail address.";
}
EndPage();
-
+
my $CertCN = $ENV{SSL_CLIENT_S_DN_CN};
+my $CertDN = $ENV{SSL_CLIENT_S_DN};
if ($CertificateStatus eq "verified") {
print "Your certificate has already been verified. A new request has NOT been generated.\n";
- TopicScroll({ -helptext => "Parent Topic", -helplink => "parenttopic",
+print " \n";
+ TopicScroll({ -helptext => "Parent Topic", -helplink => "parenttopic",
-itemformat => "full", -disabled => $TRUE,
-name => "parenttopic",
- -extratext => "[Long description]",
- });
+ -extratext => "[Long description]",
+ });
print " \n";
print "
".
@@ -70,34 +73,26 @@ if ($CertificateStatus eq "verified") {
print "
\n";
- print "Certificate Common Name (CN): $CertCN
\n";
- print "Certificate E-mail Address: $CertEmail
\n";
-} elsif ($CertificateStatus eq "mismatch") {
- print "Your certificate is valid but a similar certificate already exists
- for either your e-mail address or your name (CN). Only one
- certificate is allowed per person. Contact an administrator if you
- don't know what to do.";
+ If you believe your request has been misplaced or neglected, contact an administrator.";
print "The following information may be helpful:
\n";
+ print "Certificate Distinguished Name (DN): $CertDN
\n";
print "Certificate Common Name (CN): $CertCN
\n";
print "Certificate E-mail Address: $CertEmail
\n";
-} elsif ($CertificateStatus eq "nocert") {
- print "You didn't present a certificate. Make sure your browser is supplying one and contact an administrator if are supplying one.";
+} elsif ($CertificateStatus eq "nocert") {
+ print "You didn't present a certificate. Make sure your browser is supplying one and contact an administrator if you are supplying one.";
} elsif ($CertificateStatus eq "noapp") {
### Get additional parameters
- my $CertNote = $params{certnote};
- my @RequestedGroupIDs = split /\0/,$params{reqgroups};
- my $UserName = $CertCN;
- $UserName =~ s/\W//g;
-
+ my $CertNote = $Untaint -> extract(-as_safehtml => "certnote") || "";
+ my @RequestedGroupIDs = @{ $Untaint -> extract(-as_listofint => "reqgroups") || undef };
+ my $UserName = $CertDN;
+
### Fill in DB tables
my $UserInsert = $dbh -> prepare(
@@ -105,41 +100,41 @@ if ($CertificateStatus eq "verified") {
" values (0,?,?,?,0,'x')");
$UserInsert -> execute($UserName,$CertCN,$CertEmail);
my $EmailUserID = $UserInsert -> {mysql_insertid}; # Works with MySQL only
-
+
my $UsersGroupInsert = $dbh -> prepare(
"insert into UsersGroup (UsersGroupID,EmailUserID,GroupID) ".
" values (0,?,?)");
foreach my $GroupID (@RequestedGroupIDs) {
$UsersGroupInsert -> execute($EmailUserID,$GroupID);
- }
+ }
### Notify applicant and administrator
-
- print "You ($CertCN with e-mail address $CertEmail) have requested ";
+
+ print "You ($CertDN with e-mail address $CertEmail) have requested ";
print "access to $Project DocDB. ";
print "You have requested membership in the following groups:\n";
print "\n";
foreach my $GroupID (@RequestedGroupIDs) {
&FetchSecurityGroup($GroupID);
print "
\n";
if ($MailInstalled) {
require "EmailUtilities.pm";
-
+
print "An e-mail has been sent to the administrators and a confirmation e-mail has been sent to you.\n";
-
+
my @To = ($DBWebMasterEmail);
my $Subject = "$CertCN requests access to $Project DocDB";
- my $Body = "$CertCN with e-mail address $CertEmail has requested ";
+ my $Body = "$CertCN (Certificate DN $CertDN) with e-mail address $CertEmail has requested ";
$Body .= "access to $Project DocDB. ";
$Body .= "He or she requests membership in the following groups:\n";
foreach my $GroupID (@RequestedGroupIDs) {
&FetchSecurityGroup($GroupID);
$Body .= " ".$SecurityGroups{$GroupID}{NAME}."\n";
- }
+ }
$Body .= "\n";
$Body .= "If this is correct, please visit $EmailAdministerForm, ";
$Body .= "select \"Modify\", select the user, check \"Verify\", and click to Submit.\n\n";
@@ -147,7 +142,7 @@ if ($CertificateStatus eq "verified") {
if ($CertNote) {
$Body .= "The user attached this note to their application:\n";
$Body .= $CertNote;
- }
+ }
&SendEmail(-body => $Body, -to => \@To, -subject => $Subject);
my @To = ($CertEmail);
@@ -157,11 +152,11 @@ if ($CertificateStatus eq "verified") {
$Body .= "access to $Project DocDB. If you did not initiate this request, ";
$Body .= "please contact the DocDB administrators at $DBWebMasterEmail immediately.\n\n";
$Body .= "If you did request this access, please give the ";
- $Body .= "adminstrators a few business days to respond to your request.\n";
+ $Body .= "administrators a few business days to respond to your request.\n";
$Body .= "Thank you.";
&SendEmail(-body => $Body, -to => \@To, -subject => $Subject);
- }
+ }
}
diff --git a/DocDB/cgi/Utilities.pm b/DocDB/cgi/Utilities.pm
index 458d2858..4b072dd1 100644
--- a/DocDB/cgi/Utilities.pm
+++ b/DocDB/cgi/Utilities.pm
@@ -1,4 +1,4 @@
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
# This file is part of DocDB.
@@ -89,34 +89,6 @@ sub IndexOf {
}
}
-sub URLify { # Adapted from Perl Cookbook, 6.21
- my ($Text) = @_;
-
- $urls = '(http|telnet|gopher|file|wais|ftp|https)';
- $ltrs = '\w';
- $gunk = '/#~:.?+=&%@!\-';
- $punc = '.:?\-';
- $any = "${ltrs}${gunk}${punc}";
- $Text =~ s{
- \b # start at word boundary
- ( # begin $1 {
- $urls : # need resource and a colon
- [$any] +? # followed by on or more
- # of any valid character, but
- # be conservative and take only
- # what you need to....
- ) # end $1 }
- (?= # look-ahead non-consumptive assertion
- [$punc]* # either 0 or more punctuation
- [^$any] # followed by a non-url char
- | # or else
- $ # then end of the string
- )
- }{$1}igox;
- $Text = &SafeHTML($Text);
- return $Text;
-}
-
sub AddTime ($;$) {
my ($TimeA,$TimeB) = @_;
@@ -137,30 +109,6 @@ sub AddTime ($;$) {
return $TimeString;
}
-sub Paragraphize {
- my ($Text) = @_;
- $Text =~ s/\s*\n\s*\n\s*/Here you can search documents in other DocDB installations.
+ print "
Here you can search documents in other DocDB installations.
Only public documents from those installations will be shown. If you
- don't see the the installation you want, the
+ don't see the the installation you want, the
DocDB
site may have what you are looking for.
";
-}
+}
my @ExternalDocDBIDs = GetAllExternalDocDBs();
@@ -80,7 +80,7 @@ if ($LocalSearch || !$SearchText) {
push @CheckArray, $query -> checkbox(-name => "docdb-0", -label => "").$ShortProject;
}
foreach my $DocDBID (@ExternalDocDBIDs) {
- my $Link = ExternalDocDBLink( {-docdbid => $DocDBID} );
+ my $Link = ExternalDocDBLink( {-docdbid => $DocDBID} );
if ($CGIParams{"docdb-$DocDBID"} || !$SearchText) {
push @CheckArray, $query -> checkbox(-name => "docdb-$DocDBID", -checked => 'checked', -label => "").$Link;
} else {
@@ -93,7 +93,7 @@ foreach my $DocDBID (@ExternalDocDBIDs) {
my $NColumns = 1;
if (scalar(@CheckArray) > 6) {
$NColumns = 3;
-} elsif (scalar(@CheckArray) > 3) {
+} elsif (scalar(@CheckArray) > 3) {
$NColumns = 2;
}
@@ -106,7 +106,7 @@ my $GotOne = $TRUE;
while ($GotOne) {
$GotOne = $FALSE;
- my $Row = "\n";
+ my $Row = " \n";
foreach my $ColumnRef (@ColumnRefs) {
my $Element = shift @{$ColumnRef};
if ($Element) {
@@ -118,8 +118,8 @@ while ($GotOne) {
if ($GotOne) {
$Table .= $Row;
}
-}
-$Table .= " ';
-print $query -> submit (-value => "Cross Search");
+print $query -> submit (-value => "Cross Search");
print ' ';
@@ -178,20 +178,20 @@ if (@Documents) {
print "
\n";
print "";
print " \n";
}
print "$Identifier \n";
print "$FoundDocuments{$Identifier}{Title} \n";
-
+
print "$FoundDocuments{$Identifier}{Author}";
if ($FoundDocuments{$Identifier}{EtAl}) {
print " et al.";
- }
+ }
print " \n";
-
+
print '',EuroDate($FoundDocuments{$Identifier}{Date})," \n";
-
+
print "
diff --git a/DocDB/scripts/Resecure b/DocDB/scripts/Resecure
index 08b9ca71..cac9c0e1 100755
--- a/DocDB/scripts/Resecure
+++ b/DocDB/scripts/Resecure
@@ -86,7 +86,7 @@ if ($Days || $Hours) {
"from DocumentRevision where Obsolete=0 and DocRevID=?");
my @AllRevisions = sort numerically keys %AllRevision;
foreach $RevID (@AllRevisions) {
- unless ($RevID) {next;}
+ unless (defined ($RevID)) {next;}
$revision_list -> execute($RevID);
($DocRevID,$DocumentID,$VersionNumber) = $revision_list -> fetchrow_array;
$Revision{$DocRevID}{DocRevID} = $DocRevID;
@@ -98,7 +98,7 @@ if ($Days || $Hours) {
my @Revisions = sort numerically keys %Revision;
foreach $RevisionID (@Revisions) {
- unless ($Revision{$RevisionID}{VersionNumber}) {next;} # No directories for v0 documents
+ #unless ($Revision{$RevisionID}{VersionNumber}) {next;} # No directories for v0 documents
my $security_list = $dbh -> prepare(
"select GroupID ".
"from RevisionSecurity where DocRevID=?");
@@ -114,9 +114,12 @@ foreach $RevisionID (@Revisions) {
foreach $GroupID (@GroupIDs) {
print " $GroupID";
}
- &ProtectDirectory($Revision{$RevisionID}{DocumentID},
- $Revision{$RevisionID}{VersionNumber},
- @GroupIDs);
+ my $Directory = &GetDirectory($Revision{$RevisionID}{DocumentID},$Revision{$RevisionID}{VersionNumber});
+ if (-d $Directory) {
+ &ProtectDirectory($Revision{$RevisionID}{DocumentID},
+ $Revision{$RevisionID}{VersionNumber},
+ @GroupIDs);
+ }
print "\n";
}