From 8bc98059b0a7bbeecdbeac5faef5fae10a870b3c Mon Sep 17 00:00:00 2001 From: vondo <> Date: Fri, 28 Aug 2009 19:18:37 +0000 Subject: [PATCH 001/163] - instead of spaces to deliniate levels in topics list --- DocDB/cgi/DocDBVersion.pm | 2 +- DocDB/cgi/TopicHTML.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index 88dd2b4c..89d10696 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.10"; +$DocDBVersion = "8.7.11"; 1; diff --git a/DocDB/cgi/TopicHTML.pm b/DocDB/cgi/TopicHTML.pm index 60c771a7..795b59a5 100644 --- a/DocDB/cgi/TopicHTML.pm +++ b/DocDB/cgi/TopicHTML.pm @@ -377,7 +377,7 @@ sub TopicScroll ($) { # my @ActiveIDs = @TopicIDs; # Later can select single root topics, etc. foreach my $ID (@TopicIDs) { - my $Spaces = '  'x(1*(scalar(@{$TopicProvenance{$ID}})-1)); + my $Spaces = '-'x(1*(scalar(@{$TopicProvenance{$ID}})-1)); if ($ItemFormat eq "short") { $TopicLabels{$ID} = $Spaces.CGI::escapeHTML($Topics{$ID}{Short}); } elsif ($ItemFormat eq "long") { From 2f14bda57e6af89be0ac98e53e1069add1f4963e Mon Sep 17 00:00:00 2001 From: vondo <> Date: Tue, 1 Sep 2009 19:13:33 +0000 Subject: [PATCH 002/163] Fix caching and wording problem for administering institutions --- DocDB/cgi/AuthorSQL.pm | 6 ++++++ DocDB/cgi/InstitutionAdminister | 9 +++++---- DocDB/doc/CHANGES | 7 +++++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/DocDB/cgi/AuthorSQL.pm b/DocDB/cgi/AuthorSQL.pm index d65222e0..d067f417 100644 --- a/DocDB/cgi/AuthorSQL.pm +++ b/DocDB/cgi/AuthorSQL.pm 
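Review bot: The changed line in TopicScroll keeps the name `$Spaces` for a string that now holds dashes, and the `1*(...)` multiplier is a no-op, so the line says less than it could. `my $Indent = '-' x (scalar(@{$TopicProvenance{$ID}}) - 1);` expresses the same thing and matches the new CHANGES wording. If any `$TopicProvenance{$ID}` can be absent, the dereference dies under `use strict` (and silently yields an empty list without it), so an `|| []` default may be worth adding; where the hash is filled is not visible here. TopicScroll starts before this hunk.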
@@ -143,6 +143,12 @@ sub GetInstitutions { # Creates/fills a hash $Institutions{$InstitutionID}{} wit $HaveAllInstitutions = 1; } +sub ClearInstitutions { + %Institutions = (); + $HaveAllInstitutions = 0; + return; +} + sub FetchInstitution { # Creates/fills a hash $Institutions{$InstitutionID}{} with all Institutions my ($InstitutionID) = @_; if ($Institutions{$InstitutionID}{InstitutionID}) { diff --git a/DocDB/cgi/InstitutionAdminister b/DocDB/cgi/InstitutionAdminister index 51d62959..3380c513 100755 --- a/DocDB/cgi/InstitutionAdminister +++ b/DocDB/cgi/InstitutionAdminister @@ -92,13 +92,13 @@ if ($Action eq "Delete") { # Delete institutions # Deal with name changes if ($ShortName) { - print "Updating short topic name.
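Review bot: The new `ClearInstitutions` has no header comment, while its neighbours `GetInstitutions` and `FetchInstitution` each carry a one-line `# ...` description on the `sub` line. Something like `sub ClearInstitutions { # Drop the %Institutions cache so the next Fetch/Get re-reads the DB` would tell the caller in InstitutionAdminister why it must run after the update statements. The reset of `$HaveAllInstitutions` is the part a reader is most likely to miss, since `GetInstitutions` sets it at its end, presumably as a have-loaded flag.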
\n"; + print "Updating short institution name.
\n"; my $InstitutionUpdate = $dbh->prepare( "update Institution set ShortName=? where InstitutionID=?"); $InstitutionUpdate -> execute($ShortName,$InstitutionID); } if ($LongName) { - print "Updating long topic name.
\n"; + print "Updating long institution name.
\n"; my $InstitutionUpdate = $dbh->prepare( "update Institution set LongName=? where InstitutionID=?"); $InstitutionUpdate -> execute($LongName,$InstitutionID); @@ -117,11 +117,12 @@ if ($Action eq "Delete") { # Delete institutions # For modify or new fetch institution information and display. +ClearInstitutions(); if ($Action eq "Modify" || $Action eq "New") { &FetchInstitution($InstitutionID); print "

Here are the results of your modification:
\n"; - print "Short name: $Institutions{$InstitutionID}{SHORT}
\n"; - print "Long name: $Institutions{$InstitutionID}{LONG}
\n"; + print "Short institution name: $Institutions{$InstitutionID}{SHORT}
\n"; + print "Long institution name: $Institutions{$InstitutionID}{LONG}
\n"; print "

\n"; } diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index 894f2710..05dfee8d 100644 --- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES @@ -1,3 +1,10 @@ + + Fix caching and wording problem for administering institutions + +8.7.11 + + Use dash instead of spaces to deliniate levels in topics + 8.7.10 Some fixes to topic administration From 5b390ee1e18db828c6c6ce3ac1874dbb76ac2250 Mon Sep 17 00:00:00 2001 From: vondo <> Date: Mon, 7 Dec 2009 17:10:57 +0000 Subject: [PATCH 003/163] Switch to Sun-compatible ps, Nova changes for signature dates --- DocDB/cgi/DocumentAddForm | 2 +- DocDB/cgi/DocumentHTML.pm | 7 ++++++- DocDB/cgi/EmailAdminister | 2 +- DocDB/cgi/EmailCreate | 2 +- DocDB/cgi/FSUtilities.pm | 2 +- DocDB/cgi/RevisionHTML.pm | 12 ++++++++++-- DocDB/cgi/SQLUtilities.pm | 15 +++++++++------ DocDB/cgi/SelectEmailPrefs | 2 +- DocDB/cgi/SignoffHTML.pm | 24 +++++++++++++++++++----- DocDB/cgi/SignoffUtilities.pm | 22 ++++++++++++++++++++++ 10 files changed, 71 insertions(+), 19 deletions(-) diff --git a/DocDB/cgi/DocumentAddForm b/DocDB/cgi/DocumentAddForm index f9253771..4a2cb0ec 100755 --- a/DocDB/cgi/DocumentAddForm +++ b/DocDB/cgi/DocumentAddForm @@ -276,7 +276,7 @@ print $query -> hidden(-name => 'docid', -default => $DocumentID); print $query -> hidden(-name => 'oldversion',-default => $Version); # Generate unique ID to disallow multiple posting -srand (time ^ $$ ^ unpack "%32L*", `ps axww`); +srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`); my $UniqueID = time."-".(int rand (2**31-1)); print $query -> hidden(-name => 'uniqueid', -default => $UniqueID); diff --git a/DocDB/cgi/DocumentHTML.pm b/DocDB/cgi/DocumentHTML.pm index e1f53144..f1a90eff 100644 --- a/DocDB/cgi/DocumentHTML.pm +++ b/DocDB/cgi/DocumentHTML.pm @@ -389,7 +389,12 @@ sub DocumentLink (%) { my ($ApprovalStatus,$LastApproved) = RevisionStatus($DocRevID); unless ($ApprovalStatus eq "Unmanaged") { $Link .= "
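Review bot: The two rewritten `print` lines interpolate `$Institutions{$InstitutionID}{SHORT}` and `{LONG}` straight into the page without HTML escaping. Those values are read back from the Institution table after the `update Institution set ShortName=?` / `LongName=?` statements earlier in this script, i.e. they are whatever `$ShortName`/`$LongName` held, so if those come from the form, markup stored there is echoed here and on any other page that prints the names raw. The TopicHTML.pm hunk in patch 001 of this series already wraps the equivalent label in `CGI::escapeHTML`; the same applies here, e.g. `CGI::escapeHTML($Institutions{$InstitutionID}{SHORT})` in place of the bare hash lookup in both lines. Whether `$ShortName` is a request parameter is not visible in the hunk.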
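Review bot: Swapping `ps axww` for `ps -eaf` keeps the seeding scheme itself: `srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`)` folds the clock, the PID and a checksum of the process list into one 32-bit seed for Perl's `rand`, which is not a cryptographic generator. For the `uniqueid` here that only guards against double posting, but the identical line in the EmailAdminister, EmailCreate and SelectEmailPrefs hunks of this patch feeds `rand` into the two password-salt characters, and `MakeTmpSubDir` in FSUtilities derives a directory name from the same expression. Perl seeds `rand` itself from the OS when `srand` is never called, so the explicit `srand` lines can simply be dropped, and the salt and directory-name generation is better read from a CSPRNG source such as `/dev/urandom` than from `rand`. If the backticks are kept, invoke `ps` by absolute path so the result does not depend on the CGI's PATH.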
($ApprovalStatus"; - if ($ApprovalStatus eq "Unapproved") { + if($ApprovalStatus eq "Approved") { + my $LastApproved = RevisionSignoffDate($DocRevID); + my $ApprovalDateTime = ConvertToDateTime({-MySQLTimeStamp => $LastApproved, }); + my $ApprovalTime = DateTimeString({ -DateTime => $ApprovalDateTime, -ShowTime => $FALSE, }); + $Link .= " - $ApprovalTime"; + } elsif ($ApprovalStatus eq "Unapproved") { if (defined $LastApproved) { my $DocumentID = $DocRevisions{$LastApproved}{DOCID}; my $Version = $DocRevisions{$LastApproved}{Version}; diff --git a/DocDB/cgi/EmailAdminister b/DocDB/cgi/EmailAdminister index c7765775..99dcccdb 100755 --- a/DocDB/cgi/EmailAdminister +++ b/DocDB/cgi/EmailAdminister @@ -108,7 +108,7 @@ if ($Action eq "Delete") { # Delete user FetchEmailUser($EmailUserID); if ($NewPassword) { - srand (time ^ $$ ^ unpack "%32L*", `ps axww`); + srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`); my $Salt = ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]). ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]); diff --git a/DocDB/cgi/EmailCreate b/DocDB/cgi/EmailCreate index daaba2ec..466937a5 100755 --- a/DocDB/cgi/EmailCreate +++ b/DocDB/cgi/EmailCreate @@ -72,7 +72,7 @@ print $query -> header( -charset => $HTTP_ENCODING ); # Everything is OK, create the account unless (@ErrorStack) { - srand (time ^ $$ ^ unpack "%32L*", `ps axww`); + srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`); my $Salt = ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]). ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]); diff --git a/DocDB/cgi/FSUtilities.pm b/DocDB/cgi/FSUtilities.pm index fd98d3a0..8bb54106 100644 --- a/DocDB/cgi/FSUtilities.pm +++ b/DocDB/cgi/FSUtilities.pm @@ -332,7 +332,7 @@ sub DownloadURLs (%) { } sub MakeTmpSubDir { - my $TmpSubDir = $TmpDir."/".(time ^ $$ ^ unpack "%32L*", `ps axww`); + my $TmpSubDir = $TmpDir."/".(time ^ $$ ^ unpack "%32L*", `ps -eaf`); mkdir $TmpSubDir, oct 755 or die "Could not make temporary directory"; return $TmpSubDir; } 
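Review bot: In the new `Approved` branch, `my $LastApproved = RevisionSignoffDate($DocRevID);` declares a second `$LastApproved` that shadows the one returned by `RevisionStatus` two lines above, and the two hold different things: the outer one is used as a DocRevID in the `Unapproved` branch (`$DocRevisions{$LastApproved}{DOCID}`), the inner one is a signature timestamp. Give the new one its own name, e.g. `my $LastSigned = RevisionSignoffDate($DocRevID);` and pass `-MySQLTimeStamp => $LastSigned`. The `if(` without a space also differs from the surrounding style. DocumentLink starts and ends outside this hunk.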
diff --git a/DocDB/cgi/RevisionHTML.pm b/DocDB/cgi/RevisionHTML.pm index ff1cfbd9..282c51bc 100644 --- a/DocDB/cgi/RevisionHTML.pm +++ b/DocDB/cgi/RevisionHTML.pm @@ -413,22 +413,30 @@ sub PrintPubInfo ($) { sub PrintModTimes { require "SQLUtilities.pm"; + require "SignoffUtilities.pm"; my ($DocRevID) = @_; my $DocumentID = $DocRevisions{$DocRevID}{DOCID}; $DocTime = &EuroDateHM($Documents{$DocumentID}{Date}); $RevTime = &EuroDateHM($DocRevisions{$DocRevID}{DATE}); $VersionTime = &EuroDateHM($DocRevisions{$DocRevID}{VersionDate}); - + my $ActualDateTime = ConvertToDateTime({-MySQLTimeStamp => $DocRevisions{$DocRevID}{TimeStamp}, }); my $ActualTime = DateTimeString({ -DateTime => $ActualDateTime }); - + print "

Document Created:
\n
$DocTime
\n"; print "
Contents Revised:
\n
$VersionTime
\n"; print "
DB Info Revised:
\n
$RevTime
\n"; if ($ActualTime ne $RevTime) { print "
Actually Revised:
\n
$ActualTime
\n"; } + + my $LastApproved = RevisionSignoffDate($DocRevID); + if ($LastApproved) { + my $ApprovalDateTime = ConvertToDateTime({-MySQLTimeStamp => $LastApproved, }); + my $ApprovalTime = DateTimeString({ -DateTime => $ApprovalDateTime }); + print "
Last Signed:
\n
$ApprovalTime
\n"; + } } sub OtherVersionLinks { diff --git a/DocDB/cgi/SQLUtilities.pm b/DocDB/cgi/SQLUtilities.pm index 9c388655..63968bbe 100644 --- a/DocDB/cgi/SQLUtilities.pm +++ b/DocDB/cgi/SQLUtilities.pm @@ -118,13 +118,16 @@ sub DateTimeString { my ($ArgRef) = @_; my $ShowSeconds = exists $ArgRef->{-ShowSeconds} ? $ArgRef->{-ShowSeconds} : $FALSE; - my $DateTime = exists $ArgRef->{-DateTime} ? $ArgRef->{-DateTime} : DateTime->now(); - - my $Format = "%d %b %Y, "; - if ($ShowSeconds) { - $Format .= "%T"; + my $ShowTime = exists $ArgRef->{-ShowTime} ? $ArgRef->{-ShowTime} : $TRUE; + my $DateTime = exists $ArgRef->{-DateTime} ? $ArgRef->{-DateTime} : DateTime->now(); + + my $Format = "%d %b %Y"; + if (not $ShowTime) { + # Do nothing + } elsif ($ShowSeconds) { + $Format .= ", %T"; } else { - $Format .= "%R"; + $Format .= ", %R"; } my $String = $DateTime->strftime($Format); diff --git a/DocDB/cgi/SelectEmailPrefs b/DocDB/cgi/SelectEmailPrefs index 5dd32082..d610ef8a 100755 --- a/DocDB/cgi/SelectEmailPrefs +++ b/DocDB/cgi/SelectEmailPrefs @@ -143,7 +143,7 @@ if ($Mode eq "newuser") { print "
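Review bot: The new `if (not $ShowTime) { # Do nothing } elsif ($ShowSeconds) ... else ...` chain in DateTimeString spends its first branch on an empty block. The same logic reads more directly as `if ($ShowTime) { $Format .= $ShowSeconds ? ", %T" : ", %R"; }`. `-ShowTime` is a new option of this function and its `$TRUE` default deserves a line wherever the `$ArgRef` keys are described, since callers that omit it keep the old output. DateTimeString continues after the hunk.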

\n"; EndPage(); } else { # Everything OK, lets create the user - srand (time ^ $$ ^ unpack "%32L*", `ps axww`); + srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`); my $Salt = ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]). ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]); diff --git a/DocDB/cgi/SignoffHTML.pm b/DocDB/cgi/SignoffHTML.pm index fe117784..812531b3 100644 --- a/DocDB/cgi/SignoffHTML.pm +++ b/DocDB/cgi/SignoffHTML.pm @@ -118,7 +118,7 @@ sub PrintSignatureInfo ($) { # Otherwise, note that it's waiting my $SignatureText = ""; - my $SignatureLink = &SignatureLink($EmailUserID); + my $SignatureLink = &SignatureLink($EmailUserID,$SignatureID); if ($Status eq "Ready" || $Status eq "Signed") { if ($Status eq "Ready") { $Action = "sign"; @@ -173,12 +173,26 @@ sub PrintSignatureInfo ($) { sub SignatureLink ($) { require "NotificationSQL.pm"; - my ($EmailUserID) = @_; + require "SQLUtilities.pm"; + require "SignoffSQL.pm"; + my ($EmailUserID,$SignatureID) = @_; &FetchEmailUser($EmailUserID); - my $Link = ""; - $Link .= $EmailUser{$EmailUserID}{Name}; - $Link .= ""; + my $Link = " $SignatureTimestamp, }); + my $SignatureTime = DateTimeString({ -DateTime => $SignatureDateTime }); + + + $Link .= " title=\"$SignatureTime\""; + } + }#title=\"$InstitutionName\" + $Link .= ">"; + $Link .= $EmailUser{$EmailUserID}{Name}; + $Link .= ""; return $Link; } 1; diff --git a/DocDB/cgi/SignoffUtilities.pm b/DocDB/cgi/SignoffUtilities.pm index 174bb2e0..902e35f1 100644 --- a/DocDB/cgi/SignoffUtilities.pm +++ b/DocDB/cgi/SignoffUtilities.pm 
@@ -156,6 +156,28 @@ sub RevisionStatus ($) { # Return the approval status of a revision return ($Status,$LastDocRevID); } +sub RevisionSignoffDate ($) { + require "SignoffSQL.pm"; + require "RevisionSQL.pm"; + require "Sorts.pm"; + + my ($DocRevID) = @_; + FetchDocRevisionByID($DocRevID); + my $LastTimeStamp = 0; + my @SignoffIDs = GetAllSignoffsByDocRevID($DocRevID); + foreach my $SignoffID (@SignoffIDs) { + # Copy the signoff + my @SignatureIDs = GetSignatures($SignoffID); + foreach my $SignatureID (@SignatureIDs) { + FetchSignature($SignatureID); + if ($Signatures{$SignatureID}{Signed} && $Signatures{$SignatureID}{TimeStamp} > $LastTimeStamp) { + $LastTimeStamp = $Signatures{$SignatureID}{TimeStamp}; + } + } + } + return $LastTimeStamp; +} + sub BuildSignoffDefault ($) { require "SignoffSQL.pm"; require "NotificationSQL.pm"; From ff93dd5cc446b45240b7b801eb4ede9cef43a11d Mon Sep 17 00:00:00 2001 From: vondo <> Date: Tue, 8 Dec 2009 12:33:09 +0000 Subject: [PATCH 004/163] Preserve timestamp when copying --- DocDB/cgi/SignoffSQL.pm | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/DocDB/cgi/SignoffSQL.pm b/DocDB/cgi/SignoffSQL.pm index c1436d16..f1569321 100644 --- a/DocDB/cgi/SignoffSQL.pm +++ b/DocDB/cgi/SignoffSQL.pm @@ -312,8 +312,8 @@ sub CopyRevisionSignoffs { # CopySignoffs from one revision to another my $SignoffInsert = $dbh -> prepare("insert into Signoff (SignoffID,DocRevID,Note) ". "values (0,?,?)"); - my $SignatureInsert = $dbh -> prepare("insert into Signature (SignatureID,EmailUserID,SignoffID,Note,Signed) ". - "values (0,?,?,?,?)"); + my $SignatureInsert = $dbh -> prepare("insert into Signature (SignatureID,EmailUserID,SignoffID,Note,Signed,TimeStamp) ". + "values (0,?,?,?,?,?)"); my %SignoffMap = (); 
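Review bot: `RevisionSignoffDate` picks the newest signature with a numeric `>` on `$Signatures{$SignatureID}{TimeStamp}`, starting from `$LastTimeStamp = 0`. If that column arrives as MySQL's `YYYY-MM-DD HH:MM:SS` string, numeric comparison stops at the year (with an "isn't numeric" warning), so two signatures from the same year compare equal and the first one seen wins; a string comparison, `... && $Signatures{$SignatureID}{TimeStamp} gt $LastTimeStamp`, orders both that form and the older 14-digit form correctly and still treats the initial `0` as earliest. Which form the column uses is not visible here, so please check before changing it. The `# Copy the signoff` comment is a leftover from `CopyRevisionSignoffs` and should describe this loop, e.g. `# Scan every signature under this signoff for the latest signed one`.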
@@ -330,11 +330,14 @@ sub CopyRevisionSignoffs { # CopySignoffs from one revision to another FetchSignature($OldSignatureID); # Copy Signatures my $Signed = $Signatures{$OldSignatureID}{Signed}; + my $TimeStamp = $Signatures{$OldSignatureID}{TimeStamp}; if (!$CopySignatures) { $Signed = $FALSE; + $TimeStamp = 0; } $SignatureInsert->execute($Signatures{$OldSignatureID}{EmailUserID}, $NewSignoffID, - $Signatures{$OldSignatureID}{Note}, $Signed); + $Signatures{$OldSignatureID}{Note}, $Signed, + $TimeStamp); } } my $DependencyInsert = $dbh -> prepare("insert into SignoffDependency (SignoffDependencyID,PreSignoffID,SignoffID) ". From aa58757b553636f3913c281f3edf987861a8db6d Mon Sep 17 00:00:00 2001 From: vondo <> Date: Wed, 9 Dec 2009 09:09:41 +0000 Subject: [PATCH 005/163] Missing require --- DocDB/cgi/DocumentHTML.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DocDB/cgi/DocumentHTML.pm b/DocDB/cgi/DocumentHTML.pm index f1a90eff..f221b40e 100644 --- a/DocDB/cgi/DocumentHTML.pm +++ b/DocDB/cgi/DocumentHTML.pm @@ -386,6 +386,8 @@ sub DocumentLink (%) { $Link .= $EndElement; if ($UseSignoffs && !$NoApprovalStatus) { # Put document status on next line require "SignoffUtilities.pm"; + require "SignoffSQL.pm"; + require "SQLUtilities.pm"; my ($ApprovalStatus,$LastApproved) = RevisionStatus($DocRevID); unless ($ApprovalStatus eq "Unmanaged") { $Link .= "
($ApprovalStatus"; From 503c9bbbb0b87e5b1cfef72a87bc123c43389e29 Mon Sep 17 00:00:00 2001 From: vondo <> Date: Mon, 28 Dec 2009 17:40:08 +0000 Subject: [PATCH 006/163] Add signed/not signed to popup --- DocDB/cgi/SignoffHTML.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/DocDB/cgi/SignoffHTML.pm b/DocDB/cgi/SignoffHTML.pm index 812531b3..63f6d2d8 100644 --- a/DocDB/cgi/SignoffHTML.pm +++ b/DocDB/cgi/SignoffHTML.pm @@ -187,7 +187,9 @@ sub SignatureLink ($) { my $SignatureTime = DateTimeString({ -DateTime => $SignatureDateTime }); - $Link .= " title=\"$SignatureTime\""; + $Link .= " title=\"Signed $SignatureTime\""; + } else { + $Link .= " title=\"Not signed\""; } }#title=\"$InstitutionName\" $Link .= ">"; From 6a06af2eb305bac611151320d6e79a0a51eab682 Mon Sep 17 00:00:00 2001 From: vondo <> Date: Mon, 28 Dec 2009 17:41:59 +0000 Subject: [PATCH 007/163] If the user can't modify the document, only show signagtures, don't provide the ability to sign. --- DocDB/cgi/SignoffHTML.pm | 93 ++++++++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 38 deletions(-) diff --git a/DocDB/cgi/SignoffHTML.pm b/DocDB/cgi/SignoffHTML.pm index 63f6d2d8..cdf2e6d2 100644 --- a/DocDB/cgi/SignoffHTML.pm +++ b/DocDB/cgi/SignoffHTML.pm 
@@ -47,12 +47,17 @@ sub PrintRevisionSignoffInfo ($) { # FIXME: Handle more complicated topologies? my $DocumentID = $DocRevisions{$DocRevID}{DOCID}; my $Version = $DocRevisions{$DocRevID}{Version}; - # Don't display anything unless the user is logged into a group that can - # modify the DB. Maybe we want to display but not provide signature boxes? + # Don't display anything if the user is logged in as public. + # If the user can't modify the document, only show signatures, + # don't provide the ability to sign. - unless (&CanModify($DocumentID,$Version)) { + if ($Public) { return; } + my $UserCanSign = $FALSE; + if (CanModify($DocumentID,$Version)) { + $UserCanSign = $TRUE; + } my @RootSignoffIDs = &GetRootSignoffs($DocRevID); if (@RootSignoffIDs) { @@ -63,7 +68,7 @@ sub PrintRevisionSignoffInfo ($) { # FIXME: Handle more complicated topologies? print "
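Review bot: The visibility gate in PrintRevisionSignoffInfo drops from `CanModify($DocumentID,$Version)` to `$Public`, and `$UserCanSign` now only decides whether the sign/unsign form is rendered. That makes the check in the script the form posts to (`$SignRevision`, not in this diff) the only authorization on signing, so it is worth confirming that it re-runs `CanModify` and the user-ID match itself rather than relying on the form having been offered. The four-line assignment can be `my $UserCanSign = CanModify($DocumentID,$Version) ? $TRUE : $FALSE;`. The function continues past the hunk.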

\n"; print "\n"; @@ -73,17 +78,17 @@ sub PrintRevisionSignoffInfo ($) { # FIXME: Handle more complicated topologies? sub PrintSignoffInfo ($) { require "SignoffSQL.pm"; - my ($SignoffID) = @_; + my ($SignoffID,$UserCanSign) = @_; if ($Public) { return; } my @SubSignoffIDs = &GetSubSignoffs($SignoffID); print "
  • "; - &PrintSignatureInfo($SignoffID); + PrintSignatureInfo($SignoffID,$UserCanSign); if (@SubSignoffIDs) { print "\n"; } @@ -96,7 +101,7 @@ sub PrintSignatureInfo ($) { require "SignoffUtilities.pm"; require "NotificationSQL.pm"; - my ($SignoffID) = @_; + my ($SignoffID,$UserCanSign) = @_; if ($Public) { return; } @@ -119,49 +124,61 @@ sub PrintSignatureInfo ($) { my $SignatureText = ""; my $SignatureLink = &SignatureLink($EmailUserID,$SignatureID); - if ($Status eq "Ready" || $Status eq "Signed") { - if ($Status eq "Ready") { - $Action = "sign"; - $ActionText = "Sign Document" - } else { - $Action = "unsign"; - $ActionText = "Remove Signature" - } - if ($UserValidation eq "certificate") { - if (FetchEmailUserIDByCert() == $EmailUserID) { + if ($UserCanSign) { + if ($Status eq "Ready" || $Status eq "Signed") { + if ($Status eq "Ready") { + $Action = "sign"; + $ActionText = "Sign Document" + } else { + $Action = "unsign"; + $ActionText = "Remove Signature" + } + if ($UserValidation eq "certificate") { + if (FetchEmailUserIDByCert() == $EmailUserID) { + $SignatureText .= $query -> start_multipart_form('POST',"$SignRevision"); + $SignatureText .= "
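Review bot: `PrintSignoffInfo ($)` and `PrintSignatureInfo ($)` now unpack two arguments, and `SignatureLink ($)` in patch 003 does the same, but all three keep a one-scalar prototype. The prototype is not enforced today only because the call `PrintSignatureInfo($SignoffID,$UserCanSign)` appears to be compiled before that sub's definition and `SignatureLink` is still called with `&`; a direct call placed after the definition would fail to compile with "Too many arguments". Prototypes are not argument checks in Perl, so drop the `($)` from these three `sub` lines.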
    \n"; + $SignatureText .= "$SignatureLink "; + $SignatureText .= $query -> hidden(-name => 'signatureid', -default => $SignatureID); + $SignatureText .= $query -> hidden(-name => 'emailuserid', -default => $EmailUserID); + $SignatureText .= $query -> hidden(-name => 'action', -default => $Action); + $SignatureText .= $query -> submit (-value => $ActionText); + $SignatureText .= "
    \n"; + $SignatureText .= $query -> end_multipart_form; + } else { + if ($Status eq "Signed") { + $SignatureText .= "$SignatureLink (signature complete)"; + } else { + $SignatureText .= "$SignatureLink (waiting for signature)"; + } + } + } else { $SignatureText .= $query -> start_multipart_form('POST',"$SignRevision"); $SignatureText .= "
    \n"; $SignatureText .= "$SignatureLink "; $SignatureText .= $query -> hidden(-name => 'signatureid', -default => $SignatureID); $SignatureText .= $query -> hidden(-name => 'emailuserid', -default => $EmailUserID); $SignatureText .= $query -> hidden(-name => 'action', -default => $Action); + $SignatureText .= $query -> password_field(-name => "password-$EmailUserID", -size => 16, -maxlength => 32); + $SignatureText .= " "; $SignatureText .= $query -> submit (-value => $ActionText); $SignatureText .= "
    \n"; $SignatureText .= $query -> end_multipart_form; - } else { - if ($Status eq "Signed") { - $SignatureText .= "$SignatureLink (signature complete)"; - } else { - $SignatureText .= "$SignatureLink (waiting for signature)"; - } } + } elsif ($Status eq "NotReady") { + $SignatureText .= "$SignatureLink (waiting for other signatures)"; } else { - $SignatureText .= $query -> start_multipart_form('POST',"$SignRevision"); - $SignatureText .= "
    \n"; - $SignatureText .= "$SignatureLink "; - $SignatureText .= $query -> hidden(-name => 'signatureid', -default => $SignatureID); - $SignatureText .= $query -> hidden(-name => 'emailuserid', -default => $EmailUserID); - $SignatureText .= $query -> hidden(-name => 'action', -default => $Action); - $SignatureText .= $query -> password_field(-name => "password-$EmailUserID", -size => 16, -maxlength => 32); - $SignatureText .= " "; - $SignatureText .= $query -> submit (-value => $ActionText); - $SignatureText .= "
    \n"; - $SignatureText .= $query -> end_multipart_form; + $SignatureText .= "$SignatureLink (unknown status)"; } - } elsif ($Status eq "NotReady") { - $SignatureText .= "$SignatureLink (waiting for other signatures)"; } else { - $SignatureText .= "$SignatureLink (unknown status)"; + if ($Status eq "Ready") { + $SignatureText .= "$SignatureLink (waiting for signature)"; + } elsif ($Status eq "Signed"){ + $SignatureText .= "$SignatureLink (signature complete)"; + } elsif ($Status eq "NotReady") { + $SignatureText .= "$SignatureLink (waiting for other signatures)"; + } else { + $SignatureText .= "$SignatureLink (unknown status)"; + } } push @SignatureSnippets,$SignatureText; } # if ($SignatureIDOK) From e6534b136e6865e72d70ddce682dfd2f1b13f6cc Mon Sep 17 00:00:00 2001 From: vondo <> Date: Mon, 28 Dec 2009 20:10:09 +0000 Subject: [PATCH 008/163] Bump version, documentation changes --- DocDB/cgi/DocDBVersion.pm | 2 +- DocDB/doc/CHANGES | 4 +++- DocDB/doc/GetDocDB.txt | 2 +- DocDB/doc/install-docdb.html | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index 89d10696..563d6fa6 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.11"; +$DocDBVersion = "8.7.12"; 1; diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index 05dfee8d..948d7e6c 100644 --- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES @@ -1,4 +1,6 @@ - +8.7.12 + Show the times when a document is signed in left bar, document list, and popups + in document view. Fix caching and wording problem for administering institutions 8.7.11 diff --git a/DocDB/doc/GetDocDB.txt b/DocDB/doc/GetDocDB.txt index c10cad28..793b4575 100644 --- a/DocDB/doc/GetDocDB.txt +++ b/DocDB/doc/GetDocDB.txt 
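Review bot: The rewritten body of PrintSignatureInfo spells out the status-to-text mapping twice: once inside the `$UserCanSign` branch for the certificate-mismatch and `NotReady`/unknown cases, and again in the new `else` branch for read-only viewers. A small lookup table keeps the two in step and shrinks the read-only branch to one line; the two `$ActionText = "..."` assignments the hunk re-indents are also still missing their `;`, which only parses because each is the last statement of its block. PrintSignatureInfo starts before this hunk.
```perl
    my %StatusText = (
        Ready    => 'waiting for signature',
        Signed   => 'signature complete',
        NotReady => 'waiting for other signatures',
    );
    my $StatusNote = $StatusText{$Status} || 'unknown status';
    if ($UserCanSign) {
      # … unchanged: sign/unsign form for Ready/Signed, certificate and password variants …
    } else {
      $SignatureText .= "$SignatureLink ($StatusNote)";
    }
```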
@@ -2,7 +2,7 @@ DocDB is released often and .tar or .zip files are not usually made. The best way to get DocDB is to check out the latest stable version from the CVS repository into a special account for the document database. Set the environment variable CVSROOT to -":pserver:anony@docdb.fnal.gov:/local/cvs/doccvs/cvs" (No password or cvs login +":pserver:docdb-v.cvs.sourceforge.net:/cvsroot/docdb-v" (No password or cvs login is required. Only DocDB is available in this repository.) Check out DocDB with the command "cvs co -r stable DocDB" diff --git a/DocDB/doc/install-docdb.html b/DocDB/doc/install-docdb.html index 4eb8a148..75c2fb09 100644 --- a/DocDB/doc/install-docdb.html +++ b/DocDB/doc/install-docdb.html @@ -32,7 +32,8 @@ DocDB is released often and .tar or .zip files are not usually made. The best way to get DocDB is to check out the latest stable version from the CVS repository into a special account for the document database. Set the environment variable CVSROOT to -:pserver:anony@docdb.fnal.gov:/local/cvs/doccvs/cvs +:pserver:docdb-v.cvs.sourceforge.net:/cvsroot/docdb-v + (No password or cvs login is required. Only DocDB is available in this repository.)
    From 3c6d5506d6097d92b8a8f7ba4413990fe53aa06d Mon Sep 17 00:00:00 2001 From: vondo <> Date: Fri, 26 Feb 2010 21:02:28 +0000 Subject: [PATCH 009/163] Fix author sorting --- DocDB/cgi/DocDBVersion.pm | 2 +- DocDB/cgi/Sorts.pm | 8 ++++---- DocDB/doc/CHANGES | 13 +++++++++---- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index 563d6fa6..de6fdc32 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.12"; +$DocDBVersion = "8.7.13"; 1; diff --git a/DocDB/cgi/Sorts.pm b/DocDB/cgi/Sorts.pm index b782096c..7c886b17 100644 --- a/DocDB/cgi/Sorts.pm +++ b/DocDB/cgi/Sorts.pm @@ -87,12 +87,12 @@ sub byLastName { # Obsolete sub AuthorRevIDsByOrder { require "AuthorSQL.pm"; - if ($AuthorRevIDs{$a}{AuthorOrder} || $AuthorRevIDs{$b}{AuthorOrder}) { - return $a <=> $b; + if ($RevisionAuthors{$a}{AuthorOrder} || $RevisionAuthors{$b}{AuthorOrder}) { + return $RevisionAuthors{$a}{AuthorOrder} <=> $RevisionAuthors{$b}{AuthorOrder}; } - my $AID = $AuthorRevIDs{$a}{AuthorID}; - my $BID = $AuthorRevIDs{$b}{AuthorID}; + my $AID = $RevisionAuthors{$a}{AuthorID}; + my $BID = $RevisionAuthors{$b}{AuthorID}; unless ($Authors{$AID}{LastName}) { FetchAuthor($AID); diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index 948d7e6c..3e5ceb10 100644 --- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES 
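Review bot: In AuthorRevIDsByOrder the new `return $RevisionAuthors{$a}{AuthorOrder} <=> $RevisionAuthors{$b}{AuthorOrder};` returns 0 whenever both authors carry the same AuthorOrder, so the last-name comparison below it is never reached for ties, and when only one side has an order the other is `undef`, which `<=>` treats as 0 with a warning under `use warnings`. Comparing defaulted values and falling through on a tie avoids both: `my $ByOrder = ($RevisionAuthors{$a}{AuthorOrder} || 0) <=> ($RevisionAuthors{$b}{AuthorOrder} || 0); return $ByOrder if $ByOrder;` in place of the `if` block. The sub continues past the hunk.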
@@ -1,10 +1,15 @@ +8.7.13 + Fix an old bug where authors were essentially unsorted. Only did the right + thing by accident. + + 8.7.12 - Show the times when a document is signed in left bar, document list, and popups - in document view. - Fix caching and wording problem for administering institutions + Show the times when a document is signed in left bar, document list, and popups + in document view. + Fix caching and wording problem for administering institutions 8.7.11 - + Use dash instead of spaces to deliniate levels in topics 8.7.10 From 0e09b7e9baca2784e76a0228420e590999127913 Mon Sep 17 00:00:00 2001 From: vondo <> Date: Fri, 26 Feb 2010 22:37:37 +0000 Subject: [PATCH 010/163] Fix Minerva bug for event/session location --- DocDB/cgi/MeetingHTML.pm | 6 +++--- DocDB/doc/CHANGES | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/DocDB/cgi/MeetingHTML.pm b/DocDB/cgi/MeetingHTML.pm index 5b656a39..5c1c8cbf 100644 --- a/DocDB/cgi/MeetingHTML.pm +++ b/DocDB/cgi/MeetingHTML.pm @@ -694,7 +694,7 @@ sub EventHeader ($) { "External URL","Event Info","Event Wrapup"); if ($DisplayMode eq "SingleSession") { - @Fields = ("Full Title","Date & Time","Location","Alt. Location", + @Fields = ("Full Title","Date & Time","Event Location","Alt. Event Location", "Event Topic(s)","Event Moderator(s)","External URL","Session Info"); %RenameFields = ( "Session Info" => "Event Info",); } @@ -752,11 +752,11 @@ sub EventHeader ($) { $Fields{"Date & Time"} = EuroDate($SeparatorStartTime)." at ".EuroTimeHM($SeparatorStartTime); } - if ($Sessions{$SessionID}{Location}) { + if ($Sessions{$SessionID}{Location} && $DisplayMode ne "SingleSession") { $Fields{"Location"} = $Sessions{$SessionID}{Location}; } - if ($Sessions{$SessionID}{AltLocation}) { + if ($Sessions{$SessionID}{AltLocation} && $DisplayMode ne "SingleSession") { $Fields{"Alt. Location"} = $Sessions{$SessionID}{AltLocation}; } diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index 3e5ceb10..2ca92dde 100644 
--- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES @@ -1,7 +1,8 @@ 8.7.13 Fix an old bug where authors were essentially unsorted. Only did the right thing by accident. - + Fix a bug where single session events showed the session location, but + editing the event edited the event location. Now use event location. 8.7.12 Show the times when a document is signed in left bar, document list, and popups From 23ca993a5c1b5f489b63736e6e1cb2b7f5cc512e Mon Sep 17 00:00:00 2001 From: vondo <> Date: Fri, 5 Nov 2010 19:50:35 +0000 Subject: [PATCH 011/163] Suggested clarification from Anne Heavey --- DocDB/cgi/GeneralInstructions.pm | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/DocDB/cgi/GeneralInstructions.pm b/DocDB/cgi/GeneralInstructions.pm index 4514a69b..11a53f10 100644 --- a/DocDB/cgi/GeneralInstructions.pm +++ b/DocDB/cgi/GeneralInstructions.pm @@ -360,10 +360,14 @@ HTML

    When updating a document, you can change all the information above. - However, all the forms should be pre-filled for you with the information from - the previous version. You will either have to supply all the files you want to - be in the new version, or choose to have unchanged files copied to the next version.

    - + However, all the forms should be pre-filled for you with the information from the previous version. + For documents with multiple files, you may update just some of the files or all of them. In either case, + the version number will be incremented. DocDB assumes the new document revision will include the same set + (hence, the same number) of files. Therefore, for each file listed, you need to either provide an updated file + (using Browse), or explicitly copy the previous version of the file to the new version of the document. + To copy a file, click the box to the right of the line: Copy filename from previous version: + If you want to drop a file from the new version, leave its box unchecked, and at the end of the + list of files click the box in front of New version has fewer files.

    Finally, updating the database information about the document is similar to updating the document except for two things. First, you can't supply new From 2eb8dd171dab48f5daf1d834e6a7bf30ed4cb2c5 Mon Sep 17 00:00:00 2001 From: vondo <> Date: Tue, 9 Nov 2010 15:58:04 +0000 Subject: [PATCH 012/163] Obsolete = 0 backport --- DocDB/cgi/Search.pm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/DocDB/cgi/Search.pm b/DocDB/cgi/Search.pm index 5ff7b2ad..5cc56265 100644 --- a/DocDB/cgi/Search.pm +++ b/DocDB/cgi/Search.pm @@ -241,7 +241,7 @@ sub LocalSearch ($) { ### Get Documents from DocumentRevision that match my @RevisionPhrases = (); - my $RevisionQuery = "select DocumentID from DocumentRevision where Obsolete=0 and "; + my $RevisionQuery = "select DocumentID from DocumentRevision where Obsolete=0 and ("; if ($TitlePhrase ) {push @RevisionPhrases,$TitlePhrase ;} if ($AbstractPhrase ) {push @RevisionPhrases,$AbstractPhrase ;} @@ -253,7 +253,8 @@ sub LocalSearch ($) { if ($StartDatePhrase ) {push @RevisionPhrases,$StartDatePhrase ;} $RevisionQuery .= join $OuterLogic,@RevisionPhrases; - + $RevisionQuery .= ")"; + push @DebugStack,"Revision query is $RevisionQuery"; my %RevisionDocumentIDs = (); my $document_list = $dbh -> prepare($RevisionQuery); @@ -266,6 +267,7 @@ sub LocalSearch ($) { $RevisionDocumentIDs{$DocumentID} = 1; # Hash removes duplicates } @RevisionDocumentIDs = keys %RevisionDocumentIDs; + push @DebugStack,"Found document IDs are ".join ' ',@RevisionDocumentIDs; } ### Topics (if any) From ed4aa84179beec10bd3b3b7d7ce57bdcbe232ddf Mon Sep 17 00:00:00 2001 From: vondo <> Date: Wed, 10 Nov 2010 20:17:02 +0000 Subject: [PATCH 013/163] Fix for obsolete groups --- DocDB/cgi/ListBy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/DocDB/cgi/ListBy b/DocDB/cgi/ListBy index 61a5afda..94c3d93d 100755 --- a/DocDB/cgi/ListBy +++ b/DocDB/cgi/ListBy 
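Review bot: After the second Search.pm hunk, `$RevisionQuery` is `... where Obsolete=0 and (` followed by `join $OuterLogic,@RevisionPhrases` and `)`, so with no phrase pushed the statement ends in `and ()` and `prepare` fails; the previous form was equally unusable in that case, so this is only safe if the enclosing block (it starts before the first hunk) already requires at least one phrase — please confirm, or guard the query with `if (@RevisionPhrases)`. The two new `push @DebugStack, ...` lines put the full SQL text and the matched IDs into the debug stack; if that stack is ever rendered into a page for ordinary users, the query structure is exposed, so check where it is printed. LocalSearch continues past the last hunk.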
@@ -210,7 +210,8 @@ if ($Days) { $SecurityGroups{$GroupID}{NAME} are available:"; $List = $dbh -> prepare("select DISTINCT(DocumentRevision.DocumentID) from ". - "DocumentRevision,RevisionSecurity where DocumentRevision.DocRevID=RevisionSecurity.DocRevID and RevisionSecurity.GroupID=?"); + "DocumentRevision,RevisionSecurity where DocumentRevision.DocRevID=RevisionSecurity.DocRevID ". + "and DocumentRevision.Obsolete=0 and RevisionSecurity.GroupID=?"); $List -> execute($GroupID); } elsif ($AllPubs) { $Title = "$Project Publications"; From 34b5422429aedcec3cb7d891316ed28919492efe Mon Sep 17 00:00:00 2001 From: vondo <> Date: Fri, 12 Nov 2010 18:51:49 +0000 Subject: [PATCH 014/163] Provide a way to override AuthName --- DocDB/cgi/DocDBGlobals.pm | 2 ++ DocDB/cgi/FSUtilities.pm | 3 +++ 2 files changed, 5 insertions(+) diff --git a/DocDB/cgi/DocDBGlobals.pm b/DocDB/cgi/DocDBGlobals.pm index c3aecf41..dde0def7 100644 --- a/DocDB/cgi/DocDBGlobals.pm +++ b/DocDB/cgi/DocDBGlobals.pm @@ -89,6 +89,8 @@ $Preferences{Security}{Certificates}{FNALKCA} = $FALSE; # TRUE or FALSE - s $Preferences{Security}{Certificates}{DOEGrids} = $FALSE; # TRUE or FALSE - show DOEgrid certificate instructions $Preferences{Security}{Certificates}{ShowCertInstructions} = $FALSE; # TRUE or FALSE - show certificate instructions even on non-cert version +$Preferences{Security}{AuthName} = ""; # Set to override default AuthName of group1 or group2, etc. + $Preferences{Options}{DynamicFullList}{Private} = $FALSE; # Generate Full document list by dynamically for private db $Preferences{Options}{DynamicFullList}{Public} = $FALSE; # Generate Full document list by dynamically for public db diff --git a/DocDB/cgi/FSUtilities.pm b/DocDB/cgi/FSUtilities.pm index 8bb54106..86b25a9d 100644 --- a/DocDB/cgi/FSUtilities.pm +++ b/DocDB/cgi/FSUtilities.pm 
@@ -162,6 +162,9 @@ sub ProtectDirectory { # Write (or delete) correct .htaccess file in directory } my $AuthName = join ' or ',@users; + if ($Preferences{Security}{AuthName}) { + $AuthName = $Preferences{Security}{AuthName}; + } my $directory = &GetDirectory($documentID,$version); if (@users) { From 1b39a0d11ffc5f103ab1bb4a39d7a60a126b0ec1 Mon Sep 17 00:00:00 2001 From: vondo <> Date: Wed, 27 Jul 2011 20:34:00 +0000 Subject: [PATCH 015/163] Merge in changes from cd_1105 --- DocDB/cgi/DocDBGlobals.pm | 8 +- DocDB/cgi/DocDBVersion.pm | 2 +- DocDB/cgi/DocumentAddForm | 10 +- DocDB/cgi/DocumentHTML.pm | 3 +- DocDB/cgi/EmailAdministerForm | 6 +- DocDB/cgi/FileHTML.pm | 144 ++++++++++++------------ DocDB/cgi/MailNotification.pm | 202 ++++++++++++++++++---------------- DocDB/cgi/MeetingHTML.pm | 12 +- DocDB/cgi/ProcessDocumentAdd | 9 +- DocDB/cgi/RevisionHTML.pm | 7 +- DocDB/cgi/Sorts.pm | 12 +- DocDB/doc/CHANGES | 6 + 12 files changed, 236 insertions(+), 185 deletions(-) diff --git a/DocDB/cgi/DocDBGlobals.pm b/DocDB/cgi/DocDBGlobals.pm index dde0def7..db83aab6 100644 --- a/DocDB/cgi/DocDBGlobals.pm +++ b/DocDB/cgi/DocDBGlobals.pm @@ -1,4 +1,4 @@ -# +# Name: $RCSfile$ # Description: Configuration file for the DocDB. Sets default # values and script names. Do not change this file, # specific local settings are in ProjectGlobals.pm. @@ -7,7 +7,7 @@ # Author: Eric Vaandering (ewv@fnal.gov) # Modified: # -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -98,6 +98,10 @@ $Preferences{Options}{AlwaysRetrieveFile} = $FALSE; # Always use RetrieveF $Preferences{Options}{SubmitAgree} = ""; # "Put text here to make users agree to a privacy statement or some-such.
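Review bot: The configured `$Preferences{Security}{AuthName}` replaces the derived name without any validation, and since `$AuthName` is presumably written into the generated `.htaccess` (the write is outside this hunk), a value containing a double quote or newline would corrupt the directive for every protected directory. A guard at the override such as `$Preferences{Security}{AuthName} =~ m{\A[\w .-]+\z}xms or die "AuthName override contains unsafe characters"`, or at least a comment on the DocDBGlobals line stating that the value must be safe inside a quoted Apache directive, would make the contract explicit. ProtectDirectory continues outside the hunk.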
    I agree:" +# On updates of documents, require an entry in the note field and/or zero out the submitter and require a new entry +$Preferences{Options}{Update}{RequireNote} = $FALSE; +$Preferences{Options}{Update}{RequireSubmitter} = $FALSE; + $Preferences{Components}{iCal} = $TRUE; # Display links to iCal calendars $Preferences{Topics}{MinLevel}{Document} = 1; diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index de6fdc32..fb14b645 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.13"; +$DocDBVersion = "8.7.14"; 1; diff --git a/DocDB/cgi/DocumentAddForm b/DocDB/cgi/DocumentAddForm index 4a2cb0ec..b095334e 100755 --- a/DocDB/cgi/DocumentAddForm +++ b/DocDB/cgi/DocumentAddForm @@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -140,6 +140,10 @@ if ($mode eq "reserve") { $RequiredEntries{Abstract} = 0; } +if ($Preferences{Options}{Update}{RequireNote} && ($mode eq "update" || $mode eq "updatedb")){ + $RequiredEntries{Note} = 1; +} + my $DocRevID; if ($mode eq "update" || $mode eq "updatedb") { 
@@ -177,7 +181,9 @@ if ($mode eq "update" || $mode eq "updatedb") { # Need to read in last version v $TitleDefault = $DocRevisions{$DocRevID}{Title}; $PubInfoDefault = $DocRevisions{$DocRevID}{PUBINFO}; $AbstractDefault = $DocRevisions{$DocRevID}{Abstract}; - $RequesterDefault = $DocRevisions{$DocRevID}{Submitter}; + if (not $Preferences{Options}{Update}{RequireSubmitter}) { + $RequesterDefault = $DocRevisions{$DocRevID}{Submitter}; + } $KeywordsDefault = $DocRevisions{$DocRevID}{Keywords}; $RevisionNoteDefault = $DocRevisions{$DocRevID}{Note}; $DocTypeIDDefault = $DocRevisions{$DocRevID}{DocTypeID}; diff --git a/DocDB/cgi/DocumentHTML.pm b/DocDB/cgi/DocumentHTML.pm index f221b40e..688455c0 100644 --- a/DocDB/cgi/DocumentHTML.pm +++ b/DocDB/cgi/DocumentHTML.pm @@ -41,6 +41,7 @@ sub DocumentTable (%) { my $MaxDocs = $Params{-maxdocs}; my $NoneBehavior = $Params{-nonebehavior} || "skip"; # skip| my $TalkID = $Params{-talkid} || 0; + my $SkipVersions = $Params{-skipversions} || $False; my @DocumentIDs = @{$Params{-docids}}; my @SessionOrderIDs = @{$Params{-sessionorderids}}; my %FieldList = %{$Params{-fieldlist}}; @@ -266,7 +267,7 @@ sub DocumentTable (%) { print AddLineBreaks(URLify($DocRevisions{$DocRevID}{Note})); } elsif ($Field eq "Files") { # Files in document require "FileHTML.pm"; - ShortFileListByRevID($DocRevID); + ShortFileListByRevID($DocRevID, $SkipVersions); } elsif ($Field eq "Confirm") { print $query -> start_multipart_form('POST',$ConfirmTalkHint); print "
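Review bot: `my $SkipVersions = $Params{-skipversions} || $False;` in the DocumentHTML `@@ -41` hunk uses `$False`, whereas the other hunks in this patch series use the `$FALSE`/`$TRUE` globals (DocDBGlobals, MeetingHTML); if the file runs without `use strict`, `$False` is an undeclared variable that happens to evaluate as undef, so the line works by accident and would fail if strictures are ever enabled. Change it to `my $SkipVersions = $Params{-skipversions} || $FALSE;`. DocumentTable's body continues outside the hunk.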

    \n"; diff --git a/DocDB/cgi/EmailAdministerForm b/DocDB/cgi/EmailAdministerForm index ae879737..e5469ae5 100755 --- a/DocDB/cgi/EmailAdministerForm +++ b/DocDB/cgi/EmailAdministerForm @@ -10,7 +10,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -192,7 +192,7 @@ if ($EmailUserID) { ### Display of existing groups - my @EmailUserIDs = sort EmailUserIDsByName GetEmailUserIDs(); + my @EmailUserIDs = sort EmailUserIDsByUsername GetEmailUserIDs(); print "\n"; print "\n"; @@ -246,7 +246,7 @@ if ($EmailUserID) { my @SecurityGroups = sort keys %SecurityIDs; foreach my $SecurityGroup (@SecurityGroups) { - my @EmailUserIDs = sort EmailUserIDsByName FetchEmailUserIDsBySecurityGroup($SecurityIDs{$SecurityGroup}); + my @EmailUserIDs = sort EmailUserIDsByUsername FetchEmailUserIDsBySecurityGroup($SecurityIDs{$SecurityGroup}); if (@EmailUserIDs) { print "

    $SecurityGroup has these members:

    \n
    NameUsernameVerified?Can Sign?Groups
    \n"; - + my ($HelpLink,$HelpText,$FileHelpLink,$FileHelpText,$DescHelpLink,$DescHelpText); if ($Type eq "file") { $HelpLink = "fileupload"; @@ -264,21 +270,21 @@ sub FileUploadBox (%) { $FileHelpLink = "remoteurl"; $FileHelpText = "URL"; } - + if ($DescOnly) { $HelpLink = "filechar"; $HelpText = "Update File Characteristics"; } - + $DescHelpLink = "description"; $DescHelpText = "Description"; - + my $BoxTitle = FormElementTitle(-helplink => $HelpLink, -helptext => $HelpText, -required => $Required); - print '\n"; - + for (my $i = 1; $i <= $MaxFiles; ++$i) { my $FileID = shift @FileIDs; my $ElementName = "upload$i"; @@ -288,13 +294,13 @@ sub FileUploadBox (%) { my $CopyName = "copyfile$i"; my $URLName = "url$i"; my $NewName = "newname$i"; - + my $FileHelp = FormElementTitle(-helplink => $FileHelpLink, -helptext => $FileHelpText); my $DescriptionHelp = FormElementTitle(-helplink => $DescHelpLink, -helptext => $DescHelpText); my $NewNameHelp = FormElementTitle(-helplink => "newfilename", -helptext => "New Filename"); my $MainHelp = FormElementTitle(-helplink => "main", -helptext => "Main?", -nocolon => $TRUE, -nobold => $TRUE); my $DefaultDesc = $DocFiles{$FileID}{DESCRIPTION}; - + if ($DescOnly) { print "\n"; print ""; @@ -313,29 +319,29 @@ sub FileUploadBox (%) { print $query -> filefield(-name => $ElementName, -size => $FileSize, -maxlength => $FileMaxSize); } elsif ($Type eq "http") { - print $query -> textfield(-name => $URLName, -size => $FileSize, + print $query -> textfield(-name => $URLName, -size => $FileSize, -maxlength => $FileMaxSize); } print "\n"; print "\n"; - + if ($Type eq "http") { print "\n"; print "\n"; print "\n"; } - } + } print "\n"; print "\n"; if ($FileID && $AllowCopy && !$DescOnly) { @@ -352,13 +358,13 @@ sub FileUploadBox (%) { print $query -> hidden(-name => $FileIDName, -value => $FileID); print $query -> checkbox(-name => $CopyName, -label => ''); print "\n"; - } + } print "\n"; } if ($AllowCopy && $NOrigFiles) { - print '\n"; } 
@@ -372,10 +378,10 @@ sub FileUploadBox (%) { } print "
    '; + print '
    '; print $BoxTitle; print "
    Filename:
    \n"; print $NewNameHelp; print "\n"; - print $query -> textfield(-name => $NewName, -size => $FileSize, + print $query -> textfield(-name => $NewName, -size => $FileSize, -maxlength => $FileMaxSize); print "
    \n"; print $DescriptionHelp; print "\n"; - print $query -> textfield (-name => $DescName, -size => 60, + print $query -> textfield (-name => $DescName, -size => 60, -maxlength => 128, -default => $DefaultDesc); if ($DocFiles{$FileID}{ROOT} || !$FileID) { @@ -343,7 +349,7 @@ sub FileUploadBox (%) { } else { print $query -> checkbox(-name => $MainName, -label => ''); } - + print $MainHelp; print "
    '; - print $query -> checkbox(-name => 'LessFiles', -label => ''); - print FormElementTitle(-helplink => "LessFiles", -helptext => "New version has fewer files", + print '
    '; + print $query -> checkbox(-name => 'LessFiles', -label => ''); + print FormElementTitle(-helplink => "LessFiles", -helptext => "New version has fewer files", -nocolon => $TRUE, -nobold => $TRUE);; print "
    \n"; } - + sub ArchiveUploadBox (%) { - my (%Params) = @_; - + my (%Params) = @_; + my $Required = $Params{-required} || 0; # short, long, full print "\n"; diff --git a/DocDB/cgi/MailNotification.pm b/DocDB/cgi/MailNotification.pm index d9984bdc..719f555f 100644 --- a/DocDB/cgi/MailNotification.pm +++ b/DocDB/cgi/MailNotification.pm @@ -1,9 +1,19 @@ -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Name: $RCSfile$ +# Description: This script provides a form to administer users receiving +# e-mail notifications and shows the complete list of who is +# receiving what. +# +# Revision: $Revision$ +# Modified: $Author$ on $Date$ +# +# Author: Eric Vaandering (ewv@fnal.gov) + +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -19,7 +29,7 @@ sub MailNotices (%) { unless ($MailInstalled) { return; - } + } require Mail::Send; require Mail::Mailer; 
@@ -29,21 +39,21 @@ sub MailNotices (%) { require "ResponseElements.pm"; require "Utilities.pm"; require "Security.pm"; - + my (%Params) = @_; my $DocRevID = $Params{-docrevid}; my $Type = $Params{-type} || "updateunknown"; my @EmailUserIDs = @{$Params{-emailids}}; - + FetchDocRevisionByID($DocRevID); my $DocumentID = $DocRevisions{$DocRevID}{DOCID}; my $Version = $DocRevisions{$DocRevID}{Version}; - -# Figure out who cares + +# Figure out who cares my @Addressees = (); - if ($Type eq "update" || $Type eq "updatedb" || $Type eq "add" || + if ($Type eq "update" || $Type eq "updatedb" || $Type eq "add" || $Type eq "reserve" || $Type eq "addfiles" || $Type eq "updateunknown") { @Addressees = UsersToNotify($DocRevID,{-period => "Immediate"} ); } elsif ($Type eq "signature") { @@ -51,7 +61,7 @@ sub MailNotices (%) { FetchEmailUser($EmailUserID); push @Addressees,$EmailUser{$EmailUserID}{EmailAddress}; } - } elsif ($Type eq "approved") { + } elsif ($Type eq "approved") { @Addressees = UsersToNotify($DocRevID,{-period => "Immediate"} ); my %EmailUsers = (); my @SignoffIDs = GetAllSignoffsByDocRevID($DocRevID); @@ -61,12 +71,12 @@ sub MailNotices (%) { my $EmailUserID = $Signatures{$SignatureID}{EmailUserID}; FetchEmailUser($EmailUserID); push @Addressees,$EmailUser{$EmailUserID}{EmailAddress}; - } - } - } - + } + } + } + @Addressees = Unique(@Addressees); - + # If anyone, open the mailer if (@Addressees) { 
@@ -78,13 +88,13 @@ sub MailNotices (%) { my $Title = $DocRevisions{$DocRevID}{Title}; my ($Subject,$Message,$Feedback); - - if ($Type eq "update" || $Type eq "updatedb" || $Type eq "add" || + + if ($Type eq "update" || $Type eq "updatedb" || $Type eq "add" || $Type eq "reserve" || $Type eq "addfiles" || $Type eq "updateunknown") { $Subject = "$FullID: $Title"; $Message = "The following document was added or updated ". "in the $Project Document Database:\n\n"; - $Feedback = "E-mail sent to: "; + $Feedback = "E-mail sent to: "; if ($Type eq "update") { $Message = "The following document was updated ". "in the $Project Document Database:\n\n"; @@ -100,7 +110,7 @@ sub MailNotices (%) { } elsif ($Type eq "addfiles") { $Message = "Files were added to the following document ". "in the $Project Document Database:\n\n"; - } + } } elsif ($Type eq "signature") { $Subject = "Ready for signature: $FullID: $Title"; $Message = "The following document ". @@ -108,14 +118,14 @@ sub MailNotices (%) { "is ready for your signature:\n". "(Note that you may not be able to sign if you share ". "signature authority with someone who has already signed.)\n\n"; - $Feedback = "Signature(s) requested from: "; + $Feedback = "Signature(s) requested from: "; } elsif ($Type eq "approved") { $Subject = "Approved: $FullID: $Title"; $Message = "The following document ". "in the $Project Document Database ". "has been approved (received all necessary signatures).\n\n"; - $Feedback = "Approval notification sent to: "; - } + $Feedback = "Approval notification sent to: "; + } $Headers{To} = \@Addressees; $Headers{From} = "$Project Document Database <$DBWebMasterEmail>"; @@ -129,9 +139,9 @@ sub MailNotices (%) { $Addressees =~ s/\&/\&\;/g; $Addressees =~ s//\>\;/g; - + print $Feedback,$Addressees,"

    "; - } + } } sub RevisionMailBody ($) { @@ -144,11 +154,11 @@ sub RevisionMailBody ($) { require "Sorts.pm"; FetchDocRevisionByID($DocRevID); - + my $Title = $DocRevisions{$DocRevID}{Title}; my $FullID = FullDocumentID($DocRevisions{$DocRevID}{DOCID},$DocRevisions{$DocRevID}{VERSION}); my $URL = DocumentURL($DocRevisions{$DocRevID}{DOCID}); - + FetchAuthor($DocRevisions{$DocRevID}{Submitter}); my $Submitter = $Authors{$DocRevisions{$DocRevID}{Submitter}}{FULLNAME}; @@ -157,9 +167,9 @@ sub RevisionMailBody ($) { my @AuthorIDs = AuthorRevIDsToAuthorIDs({ -authorrevids => \@AuthorRevIDs, }); my @TopicIDs = GetRevisionTopics({-docrevid => $DocRevID}); my @EventIDs = GetRevisionEvents($DocRevID); - -# Build list of authors - + +# Build list of authors + my @Authors = (); foreach $AuthorID (@AuthorIDs) { FetchAuthor($AuthorID); @@ -169,9 +179,9 @@ sub RevisionMailBody ($) { push @Authors,$Authors{$AuthorID}{FULLNAME}; } my $Authors = join ', ',@Authors; - + # Build list of topics - + my @Topics = (); foreach $TopicID (@TopicIDs) { FetchTopic({-topicid => $TopicID}); @@ -181,9 +191,9 @@ sub RevisionMailBody ($) { push @Topics,$Topics{$TopicID}{Long}; } my $Topics = join ', ',@Topics; - -# Build list of events - + +# Build list of events + my @Events = (); foreach $EventID (@EventIDs) { FetchConferenceByConferenceID($EventID); @@ -194,10 +204,10 @@ sub RevisionMailBody ($) { " (".EuroDate($Conferences{$EventID}{StartDate}).")"; } my $Events = join ', ',@Events; - - + + # Construct the mail body - + print $Mailer " Title: ",$DocRevisions{$DocRevID}{Title},"\n"; print $Mailer " Document ID: ",$FullID,"\n"; print $Mailer " URL: ",$URL,"\n"; 
@@ -207,12 +217,12 @@ sub RevisionMailBody ($) { print $Mailer " Topics: ",$Topics,"\n"; if ($Events) { print $Mailer " Events: ",$Events,"\n"; - } + } print $Mailer " Keywords: ",$DocRevisions{$DocRevID}{Keywords},"\n"; print $Mailer " Abstract: ",$DocRevisions{$DocRevID}{Abstract},"\n"; if ($DocRevisions{$DocRevID}{Note}) { print $Mailer " Notes: ",$DocRevisions{$DocRevID}{Note},"\n"; - } + } } sub UsersToNotify ($$) { @@ -223,14 +233,14 @@ sub UsersToNotify ($$) { require "MeetingSQL.pm"; require "NotificationSQL.pm"; require "TopicSQL.pm"; - + require "Security.pm"; require "Utilities.pm"; require "AuthorUtilities.pm"; unless ($Period eq "Immediate" || $Period eq "Daily" || $Period eq "Weekly") { return undef; - } + } GetTopics(); @@ -248,12 +258,12 @@ sub UsersToNotify ($$) { "select EmailUserID from Notification where Period=? and Type=? and TextKey=?"); # Get users interested in this particular document (only immediate) - + if ($Period eq "Immediate") { $Fetch -> execute("Immediate","Document",$DocumentID); $Fetch -> bind_columns(undef,\($UserID)); while ($Fetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } } @@ -263,12 +273,12 @@ sub UsersToNotify ($$) { $Fetch -> execute($Period,"AllDocuments",1); $Fetch -> bind_columns(undef,\($UserID)); while ($Fetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } $Fetch -> execute($Period,"AllDocuments",0); $Fetch -> bind_columns(undef,\($UserID)); while ($Fetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } # Get users interested in topics for this reporting period @@ -276,7 +286,7 @@ sub UsersToNotify ($$) { GetTopics(); my @TopicIDs = (); my @InitialTopicIDs = GetRevisionTopics( {-docrevid => $DocRevID} ); - + foreach my $TopicID (@InitialTopicIDs) { push @TopicIDs,@{$TopicProvenance{$TopicID}}; # Add ancestors to list } 
@@ -285,10 +295,10 @@ sub UsersToNotify ($$) { $Fetch -> execute($Period,"Topic",$TopicID); $Fetch -> bind_columns(undef,\($UserID)); while ($Fetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } - } - + } + # Get users interested in events for this reporting period my @EventIDs = GetRevisionEvents($DocRevID); @@ -297,17 +307,17 @@ sub UsersToNotify ($$) { $Fetch -> execute($Period,"Event",$EventID); $Fetch -> bind_columns(undef,\($UserID)); while ($Fetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } my $EventGroupID = $Conferences{$EventID}{EventGroupID}; - + $Fetch -> execute($Period,"EventGroup",$EventGroupID); $Fetch -> bind_columns(undef,\($UserID)); while ($Fetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } - } + } # Get users interested in authors for this reporting period @@ -317,12 +327,12 @@ sub UsersToNotify ($$) { $Fetch -> execute($Period,"Author",$AuthorID); $Fetch -> bind_columns(undef,\($UserID)); while ($Fetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } - } + } # Get users interested in keywords for this reporting period - + FetchDocRevisionByID($DocRevID); my @Keywords = split /,*\s+/,$DocRevisions{$DocRevID}{Keywords}; # Comma and/or space separated @@ -331,13 +341,13 @@ sub UsersToNotify ($$) { $TextFetch -> execute($Period,"Keyword",$Keyword); $TextFetch -> bind_columns(undef,\($UserID)); while ($TextFetch -> fetch) { - $UserIDs{$UserID} = 1; + $UserIDs{$UserID} = 1; } - } + } -# Translate UserIDs into E-mail addresses, +# Translate UserIDs into E-mail addresses, # verify user is allowed to receive notification - + foreach $UserID (keys %UserIDs) { my $EmailUserID = FetchEmailUser($UserID); if ($EmailUserID && CanAccess($DocumentID,$Version,$EmailUserID)) { @@ -347,8 +357,8 @@ sub UsersToNotify ($$) { push @Addressees,$EmailAddress; } } - } - + } + return @Addressees; } 
@@ -360,12 +370,12 @@ sub EmailKeywordForm ($) { require "FormElements.pm"; - print FormElementTitle(-helplink => "notifykeyword", -helptext => $Period, + print FormElementTitle(-helplink => "notifykeyword", -helptext => $Period, -extratext => "(separate with spaces)"); my $Keywords = join ' ',sort @Defaults; - print $query -> textfield (-name => $Name , -default => $Keywords, + print $query -> textfield (-name => $Name , -default => $Keywords, -size => 80, -maxlength => 400); } @@ -378,7 +388,7 @@ sub EmailAllForm ($) { print $query -> checkbox(-name => $Name, -checked => 'checked', -value => 1, -label => 'All Documents'); } else { print $query -> checkbox(-name => $Name, -value => 1, -label => 'All Documents'); - } + } } sub DisplayNotification ($$;$) { @@ -398,38 +408,38 @@ sub DisplayNotification ($$;$) { my @EventGroupIDs = @{$Notifications{$EmailUserID}{"EventGroup_".$Set}}; my @Keywords = @{$Notifications{$EmailUserID}{"Keyword_".$Set}}; my @AllDocuments = @{$Notifications{$EmailUserID}{"AllDocuments_".$Set}}; - + my $NewNotify = (@AllDocuments || @AuthorIDs || @TopicIDs || @EventIDs || @EventGroupIDs || @Keywords); - + if ($NotifyAllTopics || $NewNotify) { - print "$Set notifications:\n"; - print "

    \n"; print "\n"; diff --git a/DocDB/cgi/MeetingModify b/DocDB/cgi/MeetingModify index 55e335bd..1f611d00 100755 --- a/DocDB/cgi/MeetingModify +++ b/DocDB/cgi/MeetingModify @@ -7,7 +7,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -49,9 +49,6 @@ require "WebUtilities.pm"; $query = new CGI; # Global for subroutines %params = $query -> Vars; -foreach my $Keyword (keys %params) { - $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); -} $query -> delete_all(); # Stop program from caching variable from script to script my $Mode = $params{mode}; diff --git a/DocDB/cgi/ProcessDocumentAdd b/DocDB/cgi/ProcessDocumentAdd index 19a61702..b84aa938 100755 --- a/DocDB/cgi/ProcessDocumentAdd +++ b/DocDB/cgi/ProcessDocumentAdd @@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -71,9 +71,6 @@ GetSecurityGroups(); ### Set up, give user initial information %params = $query -> Vars; -foreach my $Keyword (keys %params) { - $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); -} $mode = $params{mode}; #FIXME: Remove $Mode = $params{mode}; diff --git a/DocDB/cgi/RetrieveArchive b/DocDB/cgi/RetrieveArchive index af4b9e40..4e3e4712 100755 --- a/DocDB/cgi/RetrieveArchive +++ b/DocDB/cgi/RetrieveArchive @@ -7,7 +7,7 @@ # Modified: # -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. 
@@ -110,7 +110,7 @@ unless (@ErrorStack) { } elsif ($Type eq "tar") { $Status = system("$Tar cf --exclude='.htaccess' $TmpFile $Directory"); } elsif ($Type eq "zip") { - $Status = system("$Zip $TmpFile --exclude .htaccess $Directory/*"); + $Status = system("$Zip $TmpFile $Directory/* -x .htaccess "); } if ($Status) { push @ErrorStack,"There was a problem creating the archive. Please contact an administrator."; diff --git a/DocDB/cgi/Search b/DocDB/cgi/Search index 4778ba0a..d21eee17 100755 --- a/DocDB/cgi/Search +++ b/DocDB/cgi/Search @@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -40,9 +40,6 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); ### Set up, give user initial information my %CGIParams = $query -> Vars; -foreach my $Keyword (keys %CGIParams) { - $CGIParams{$Keyword} = CGI::escapeHTML($CGIParams{$Keyword}); -} ### Pull info out of params into local variables diff --git a/DocDB/cgi/SessionModify b/DocDB/cgi/SessionModify index 1f0ecb47..6dc77f73 100755 --- a/DocDB/cgi/SessionModify +++ b/DocDB/cgi/SessionModify @@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -62,9 +62,6 @@ $query = new CGI; # Global for subroutines ### Gather parameters %params = $query -> Vars; -foreach my $Keyword (keys %params) { - $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); -} $query -> delete_all(); # Stop program from caching variable from script to script my $SessionID = $params{sessionid}; diff --git a/DocDB/cgi/XMLUpload b/DocDB/cgi/XMLUpload index 2ff86155..8b982014 100755 --- a/DocDB/cgi/XMLUpload +++ b/DocDB/cgi/XMLUpload 
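Review bot: The rewritten zip line still passes one interpolated string to `system`, so `$TmpFile` and `$Directory` are parsed by the shell; the `$Directory/*` glob is what forces the string form, but any shell metacharacter in those values (their origin is outside the hunk) becomes part of the command line. The list form keeps the glob and takes the shell out of the path: `system($Zip, $TmpFile, File::Glob::bsd_glob("$Directory/*"), '-x', '.htaccess')`, and the same applies to the unchanged tar line just above. The trailing space before the closing quote looks unintentional. The enclosing `unless (@ErrorStack)` block continues outside the hunk.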
@@ -11,7 +11,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -44,9 +44,6 @@ require "Security.pm"; my $Twig = XML::Twig -> new(); $query = new CGI; # Global for subroutines my %CGIParams = $query -> Vars; -foreach my $Keyword (keys %CGIParams) { - $CGIParams{$Keyword} = CGI::escapeHTML($CGIParams{$Keyword}); -} CreateConnection(-type => "rw"); my $XMLText = $query -> param("XMLFile");; diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index 35315af1..e77e4f88 100644 --- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES @@ -1,3 +1,8 @@ +8.7.16 + Fix exclusion list for zip files + Increase limit on related documents + Back out XSS patches from 8.7.15, need a more robust solution + 8.7.15 Cache timezone name, fix apparent issues with DateTime constructor Fix consistentcy issues between submitter and requester From 48c24e27bc3d71e333e65502ad1a42e9e054d3ed Mon Sep 17 00:00:00 2001 From: vondo <> Date: Tue, 24 Apr 2012 15:12:57 +0000 Subject: [PATCH 018/163] Don't loose security when updating public docs --- DocDB/cgi/DocDBVersion.pm | 2 +- DocDB/cgi/DocumentAddForm | 3 +++ DocDB/doc/CHANGES | 4 ++++ DocDB/scripts/Resecure | 13 ++++++++----- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index e0eeb61f..f820c80c 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.16"; +$DocDBVersion = "8.7.17"; 1; diff --git a/DocDB/cgi/DocumentAddForm b/DocDB/cgi/DocumentAddForm index 61c442cf..27e0bd22 100755 --- a/DocDB/cgi/DocumentAddForm +++ b/DocDB/cgi/DocumentAddForm 
@@ -188,6 +188,9 @@ if ($mode eq "update" || $mode eq "updatedb") { # Need to read in last version v $RevisionNoteDefault = $DocRevisions{$DocRevID}{Note}; $DocTypeIDDefault = $DocRevisions{$DocRevID}{DocTypeID}; @SecurityDefaults = GetRevisionSecurityGroups($DocRevID); + unless (@SecurityDefaults) { + @SecurityDefaults = (0); + } my @AuthorRevIDs = GetRevisionAuthors($DocRevID); @AuthorRevIDs = sort AuthorRevIDsByOrder @AuthorRevIDs; $AuthorListOrdered = IsAuthorListOrdered({ -authorrevids => \@AuthorRevIDs, }); diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index e77e4f88..d594b9d8 100644 --- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES @@ -1,3 +1,7 @@ +8.7.17 + Don't loose security when updating public docs + Modified Resecure from Laura + 8.7.16 Fix exclusion list for zip files Increase limit on related documents diff --git a/DocDB/scripts/Resecure b/DocDB/scripts/Resecure index 08b9ca71..cac9c0e1 100755 --- a/DocDB/scripts/Resecure +++ b/DocDB/scripts/Resecure @@ -86,7 +86,7 @@ if ($Days || $Hours) { "from DocumentRevision where Obsolete=0 and DocRevID=?"); my @AllRevisions = sort numerically keys %AllRevision; foreach $RevID (@AllRevisions) { - unless ($RevID) {next;} + unless (defined ($RevID)) {next;} $revision_list -> execute($RevID); ($DocRevID,$DocumentID,$VersionNumber) = $revision_list -> fetchrow_array; $Revision{$DocRevID}{DocRevID} = $DocRevID; @@ -98,7 +98,7 @@ if ($Days || $Hours) { my @Revisions = sort numerically keys %Revision; foreach $RevisionID (@Revisions) { - unless ($Revision{$RevisionID}{VersionNumber}) {next;} # No directories for v0 documents + #unless ($Revision{$RevisionID}{VersionNumber}) {next;} # No directories for v0 documents my $security_list = $dbh -> prepare( "select GroupID ". "from RevisionSecurity where DocRevID=?"); 
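Review bot: The `#unless ($Revision{$RevisionID}{VersionNumber}) {next;}` line in the Resecure `@@ -98` hunk leaves the old v0 skip as commented-out code with its original comment still attached, so a reader cannot tell whether v0 revisions are now processed on purpose or the check was disabled temporarily; delete the line and state the intent instead, e.g. `# v0 revisions are processed too; a missing directory is handled below`. The `unless (defined ($RevID)) {next;}` change in the `@@ -86` hunk likewise lets a RevID of 0 reach `execute`, which may be deliberate but deserves a one-line comment. Both hunks are inside loop bodies that continue outside the view.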
@@ -114,9 +114,12 @@ foreach $RevisionID (@Revisions) { foreach $GroupID (@GroupIDs) { print " $GroupID"; } - &ProtectDirectory($Revision{$RevisionID}{DocumentID}, - $Revision{$RevisionID}{VersionNumber}, - @GroupIDs); + my $Directory = &GetDirectory($Revision{$RevisionID}{DocumentID},$Revision{$RevisionID}{VersionNumber}); + if (-d $Directory) { + &ProtectDirectory($Revision{$RevisionID}{DocumentID}, + $Revision{$RevisionID}{VersionNumber}, + @GroupIDs); + } print "\n"; } From 2357e72de93962698d0647d1d16c11bf615862ff Mon Sep 17 00:00:00 2001 From: vondo <> Date: Mon, 28 Jan 2013 17:04:16 +0000 Subject: [PATCH 019/163] Fix spelling of administrator --- DocDB/cgi/AdministerElements.pm | 4 +-- DocDB/cgi/AuthorAddForm | 14 ++++----- DocDB/cgi/CertificateApplyForm | 26 ++++++++-------- DocDB/cgi/DeleteConfirm | 6 ++-- DocDB/cgi/DeleteDocument | 32 +++++++++---------- DocDB/cgi/DocDBInstructions | 16 +++++----- DocDB/cgi/EmailAdminister | 54 ++++++++++++++++----------------- DocDB/cgi/FSUtilities.pm | 4 +-- DocDB/cgi/ListKeywords | 14 ++++----- DocDB/cgi/Messages.pm | 16 +++++----- DocDB/cgi/UserAccessApply | 8 ++--- 11 files changed, 97 insertions(+), 97 deletions(-) diff --git a/DocDB/cgi/AdministerElements.pm b/DocDB/cgi/AdministerElements.pm index 2d8eaef1..ab523199 100644 --- a/DocDB/cgi/AdministerElements.pm +++ b/DocDB/cgi/AdministerElements.pm @@ -1,5 +1,5 @@ # Name: $RCSfile$ -# Description: Various routines which supply input forms for adminstrative +# Description: Various routines which supply input forms for administrative # functions # # Revision: $Revision$ @@ -7,7 +7,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. diff --git a/DocDB/cgi/AuthorAddForm b/DocDB/cgi/AuthorAddForm index 8ce3eeb8..39eafe51 100755 --- a/DocDB/cgi/AuthorAddForm +++ b/DocDB/cgi/AuthorAddForm 
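Review bot: When `-d $Directory` is false the revision is silently skipped after its group list has already been printed, so the output is indistinguishable from a revision that was actually re-secured; adding `else { print " (no directory, skipped)"; }` lets an operator verify that every revision with files was protected. The new `&GetDirectory(...)` call follows the file's existing `&ProtectDirectory(...)` style, but the `&` call form bypasses prototypes and is discouraged in new code; `GetDirectory(...)` would do the same. The enclosing `foreach $RevisionID` loop starts outside the hunk.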
@@ -3,15 +3,15 @@ # Description: A simple for to allow new author addition (no changes possible) # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -24,7 +24,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI qw(-nosticky); +use CGI qw(-nosticky); use DBI; require "DocDBGlobals.pm"; @@ -50,10 +50,10 @@ print $query -> start_multipart_form('POST',"$AuthorAdd"); print "

    You are about to add an author to the $Project document database. Anyone is allowed to add authors. Please be careful and make sure to put the authors first name, last name, and -middle initials (with periods) in the right place. If you make a mistake, +middle initials (with periods) in the right place. If you make a mistake, DO NOT enter the author again. Contact an -adminstrator and explain the problem. -Required fields are denoted by $RequiredMark. Click any +administrator and explain the problem. +Required fields are denoted by $RequiredMark. Click any highlighted link for quick help.

    \n"; print "
    "; if ($OffsetDays) { # We are copying, not modifiying the original - $query -> param('meetingorderid',"n$SessionOrder"); #FIXME: Try to remove - print $query -> hidden(-name => 'meetingorderid', -default => "n$SessionOrder"); - } else { - $query -> param('meetingorderid',$MeetingOrderID); #FIXME: Try to remove - print $query -> hidden(-name => 'meetingorderid', -default => $MeetingOrderID); + $MeetingOrderID = "n$SessionOrder"; } + $query -> param('meetingorderid',$MeetingOrderID); #FIXME: Try to remove + print $query -> hidden(-name => 'meetingorderid', -default => $MeetingOrderID); + SessionOrder(); print "
    \n"; SessionModifyLink($MeetingOrderID); print "
    \n"; SessionDelete($MeetingOrderID); print "
    \n"; @@ -277,6 +276,7 @@ sub SessionSeparator ($) { if ($SessionSeparatorDefault eq "Yes") { print "Break\n"; + print $query -> hidden(-name => "sessionseparator", -default => "$MeetingOrderID"); } elsif ($SessionSeparatorDefault eq "No") { print "\n"; } else { @@ -455,7 +455,7 @@ sub PrintSession (%) { if (@SessionOrderIDs) { my %FieldListOptions = (-default => "Event Agenda", -eventid => $EventID, -eventgroupid => $EventGroupID); my %FieldList = PrepareFieldList(%FieldListOptions); - DocumentTable(-sessionorderids => \@SessionOrderIDs, -fieldlist => \%FieldList); + DocumentTable(-sessionorderids => \@SessionOrderIDs, -fieldlist => \%FieldList, -skipversions => $TRUE); } else { if ($OnlyTalks) { print "No agenda yet\n"; diff --git a/DocDB/cgi/ProcessDocumentAdd b/DocDB/cgi/ProcessDocumentAdd index 9ec2f704..07230025 100755 --- a/DocDB/cgi/ProcessDocumentAdd +++ b/DocDB/cgi/ProcessDocumentAdd @@ -2,12 +2,13 @@ # # Name: $RCSfile$ # Description: Receives the output of DocumentAddForm and creates or updates the document +# # Revision: $Revision$ # Modified: $Author$ on $Date$ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -223,6 +224,12 @@ unless ($params{title}) { push @ErrorStack,"You must supply a title for this document."; } +if ($mode eq "update" || $mode eq "updatedb") { + if ($Preferences{Options}{Update}{RequireNote} && !$RevisionNote) { + push @ErrorStack,"You must supply a note when updating this document."; + } +} + if (@JournalIDs || @Volumes || @Pages) { my @TestJournalIDs = @JournalIDs; my @TestVolumes = @Volumes; diff --git a/DocDB/cgi/RevisionHTML.pm b/DocDB/cgi/RevisionHTML.pm index 282c51bc..692f7c59 100644 --- a/DocDB/cgi/RevisionHTML.pm +++ b/DocDB/cgi/RevisionHTML.pm 
@@ -1,12 +1,12 @@ # Name: $RCSfile$ -# Description: +# Description: +# # Revision: $Revision$ # Modified: $Author$ on $Date$ # # Author: Eric Vaandering (ewv@fnal.gov) -# -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -60,6 +60,7 @@ sub RevisionNoteBox { my (%Params) = @_; my $Default = $Params{-default} || ""; my $JSInsert = $Params{-jsinsert} || ""; + my $Required = $Params{-required} || 0; print ""; my $ExtraText = ""; diff --git a/DocDB/cgi/Sorts.pm b/DocDB/cgi/Sorts.pm index 7c886b17..3657a727 100644 --- a/DocDB/cgi/Sorts.pm +++ b/DocDB/cgi/Sorts.pm @@ -7,7 +7,7 @@ # # Author Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -414,6 +414,16 @@ sub EmailUserIDsByName { $afirst cmp $bfirst; } +sub EmailUserIDsByUsername { + my $an = $EmailUser{$a}{Username}; + my $bn = $EmailUser{$b}{Username}; + + $an =~ tr/[A-Z]/[a-z]/; + $bn =~ tr/[A-Z]/[a-z]/; + + $an cmp $bn; +} + sub EventsByDate { # Do sort by date my $adate = $Conferences{$a}{StartDate}; my $bdate = $Conferences{$b}{StartDate}; diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index 2ca92dde..83f7ec48 100644 --- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES @@ -1,3 +1,9 @@ +8.7.14 + Don't put versions on files in meeting display mode + Fix issue where "Schedule Similar" mixed data between sessions + Sort list of personal accounts + Add options (see DocDBGlobals) for additional requirements on updated docs + 8.7.13 Fix an old bug where authors were essentially unsorted. Only did the right thing by accident. From d2b1083392a66910996e9ac144a5a347c1319e15 Mon Sep 17 00:00:00 2001 
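Review bot: `tr/[A-Z]/[a-z]/` in the new `EmailUserIDsByUsername` treats the brackets as literal characters (`[` maps to `[` and `]` to `]`), so it lowercases only by coincidence and reads like a character class to the next maintainer; `lc` states the intent directly: `my $an = lc $EmailUser{$a}{Username};` and `my $bn = lc $EmailUser{$b}{Username};`, dropping the two `tr` lines. Under `use warnings` an undefined Username warns either way, so behaviour is unchanged. A one-line comment such as `# Case-insensitive sort by account name for the personal-accounts list` would also tie the comparator to its CHANGES entry.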
From: vondo <> Date: Fri, 13 Jan 2012 22:08:42 +0000 Subject: [PATCH 016/163] Merge in cd_1111 changes --- DocDB/cgi/AddFiles | 5 +- DocDB/cgi/CalendarHTML.pm | 2 +- DocDB/cgi/CertificateUtilities.pm | 52 +++++++++---------- DocDB/cgi/Defaults.pm | 40 +++++++-------- DocDB/cgi/DocDBGlobals.pm | 2 + DocDB/cgi/DocDBVersion.pm | 4 +- DocDB/cgi/FileUtilities.pm | 15 ++++-- DocDB/cgi/GeneralInstructions.pm | 85 ++++++++++++++++++++++--------- DocDB/cgi/MeetingModify | 5 +- DocDB/cgi/ProcessDocumentAdd | 9 +++- DocDB/cgi/RetrieveArchive | 11 ++-- DocDB/cgi/SQLUtilities.pm | 4 +- DocDB/cgi/Search | 5 +- DocDB/cgi/SelectPrefs | 4 +- DocDB/cgi/SessionModify | 5 +- DocDB/cgi/ShowCalendar | 2 +- DocDB/cgi/UserAccessApply | 38 +++++++------- DocDB/cgi/XMLUpload | 5 +- DocDB/doc/CHANGES | 8 +++ 19 files changed, 188 insertions(+), 113 deletions(-) diff --git a/DocDB/cgi/AddFiles b/DocDB/cgi/AddFiles index 9d4e17d6..3715971a 100755 --- a/DocDB/cgi/AddFiles +++ b/DocDB/cgi/AddFiles @@ -8,7 +8,7 @@ # Author: Eric Vaandering (ewv@fnal.gov) # Modified: -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -62,6 +62,9 @@ $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass ### Set up, give user initial information %params = $query -> Vars; +foreach my $Keyword (keys %params) { + $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); +} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("$Project File Addition Results","File Addition Results"); diff --git a/DocDB/cgi/CalendarHTML.pm b/DocDB/cgi/CalendarHTML.pm index a0e84444..25a78da7 100644 --- a/DocDB/cgi/CalendarHTML.pm +++ b/DocDB/cgi/CalendarHTML.pm 
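Review bot: Running `CGI::escapeHTML` over every entry of `%params` at input time encodes the submitted values before they reach any sink, so a title or note containing `&` or `<` is stored in the database as `&amp;`/`&lt;` and any page that escapes on output will then show the entity text literally; the same loop is added in ProcessDocumentAdd (`@@ -71,6 +71,9 @@`), Search, SessionModify, XMLUpload and apparently MeetingModify, and in XMLUpload the payload is re-read with `$query -> param("XMLFile")` on the next line, so it is not covered by the loop anyway. The durable XSS fix is to escape each value at the point where it is interpolated into HTML and leave `%params` as raw data for DBI placeholders, e-mail bodies and the XML parser. The later `Fold in cd_1203c` commit in this series removes the loop from AddFiles again, which is consistent with the double encoding having been noticed. If a blanket input filter is kept as defence in depth, a comment above it should state that everything downstream now receives HTML-encoded strings.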
@@ -70,7 +70,7 @@ sub PrintCalendar { my $DaysInMonth = DateTime -> last_day_of_month(year => $Year, month => $Month) -> day(); my $FirstDay = DateTime -> new(year => $Year, month => $Month, day => 1); my $MonthName = $FirstDay -> month_name(); - my $Today = DateTime ->today(time_zone => 'local'); + my $Today = DateTime ->today(time_zone => $LocalTimezone); my $Class = "ByMonth"; if ($Type eq "year") { diff --git a/DocDB/cgi/CertificateUtilities.pm b/DocDB/cgi/CertificateUtilities.pm index b343ff5a..f68e8843 100644 --- a/DocDB/cgi/CertificateUtilities.pm +++ b/DocDB/cgi/CertificateUtilities.pm @@ -1,14 +1,14 @@ -# Description: Various routines to deal with certificates +# Description: Various routines to deal with certificates # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -21,15 +21,15 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA sub FetchSecurityGroupsByCert (%) { - require "SecuritySQL.pm"; + require "SecuritySQL.pm"; my %Params = @_; my $EmailUserID = FetchEmailUserIDByCert(%Params); if ($EmailUser{$EmailUserID}{Verified} != 1) { push @DebugStack,"User is not verified"; - push @WarnStack,"You have a valid certificate, but have are not yet allowed to access to DocDB. + push @WarnStack,"You have a valid certificate, but are not yet allowed to access to DocDB. Apply for access."; return; - } + } my @UserGroupIDs = FetchUserGroupIDs($EmailUserID); return @UserGroupIDs; } 
@@ -38,15 +38,15 @@ sub FetchEmailUserIDByCert (%) { my %Params = @_; my $IgnoreVerification = $Params{-ignoreverification}; - - require "SecuritySQL.pm"; - require "NotificationSQL.pm"; + + require "SecuritySQL.pm"; + require "NotificationSQL.pm"; my $CertEmail = $ENV{SSL_CLIENT_S_DN_Email}; my $CertCN = $ENV{SSL_CLIENT_S_DN_CN}; - $CertificateCN = $CertCN; - $CertificateEmail = $CertEmail; + $CertificateCN = $CertCN; + $CertificateEmail = $CertEmail; push @DebugStack,"Finding EmailUserID by certificate $CertCN"; @@ -56,19 +56,19 @@ sub FetchEmailUserIDByCert (%) { if ($IgnoreVerification) { $EmailUserSelect = $dbh->prepare("select EmailUserID from EmailUser ". "where Name=?"); - } else { + } else { $EmailUserSelect = $dbh->prepare("select EmailUserID from EmailUser ". "where Verified=1 and Name=?"); } $EmailUserSelect -> execute($CertCN); - my ($EmailUserID) = $EmailUserSelect -> fetchrow_array; + my ($EmailUserID) = $EmailUserSelect -> fetchrow_array; push @DebugStack,"Found e-mail user: $EmailUserID"; if ($EmailUserID) { FetchEmailUser($EmailUserID) } - + return $EmailUserID; } 
@@ -83,37 +83,37 @@ sub CertificateStatus () { # nocert -- no certificate was presented (not sure if this can work) my $CertificateStatus = ""; - + my $CertEmail = $ENV{SSL_CLIENT_S_DN_Email}; my $CertCN = $ENV{SSL_CLIENT_S_DN_CN}; - + push @DebugStack,"Finding Status by certificate"; - + unless ($CertCN) { $CertificateStatus = "nocert"; push @DebugStack,"Certificate Status: $CertificateStatus"; return $CertificateStatus; - } - + } + my $EmailUserSelect; $EmailUserSelect = $dbh->prepare("select EmailUserID,Verified from EmailUser ". "where Name=?"); $EmailUserSelect -> execute($CertCN); - my ($EmailUserID,$Verified) = $EmailUserSelect -> fetchrow_array; + my ($EmailUserID,$Verified) = $EmailUserSelect -> fetchrow_array; push @DebugStack,"Checking user $CertCN by CN"; - + if ($Verified) { $CertificateStatus = "verified"; push @DebugStack,"Certificate Status: $CertificateStatus"; return $CertificateStatus; - } - + } + if ($EmailUserID) { $CertificateStatus = "unverified"; push @DebugStack,"Certificate Status: $CertificateStatus"; return $CertificateStatus; - } - + } + $CertificateStatus = "noapp"; push @DebugStack,"Certificate Status: $CertificateStatus"; return $CertificateStatus; diff --git a/DocDB/cgi/Defaults.pm b/DocDB/cgi/Defaults.pm index 5a4f89e6..55aaddba 100644 --- a/DocDB/cgi/Defaults.pm +++ b/DocDB/cgi/Defaults.pm 
@@ -4,20 +4,20 @@ # (in that order) # # Functions in this file: -# +# # SetAuthorMode: Selectable list or free-form text field -# SetTopicMode: Single or multiple selectable lists +# SetTopicMode: Single or multiple selectable lists # SetUploadMethod: File upload or HTTP fetch -# SetDateOverride: Allows over-riding modification date -# SetAuthorDefault: Sets Author and Requester defaults to cookie value +# SetDateOverride: Allows over-riding modification date +# SetAuthorDefault: Sets Author and Submitter defaults to cookie value # SetFileOptions: Sets archive mode and number of uploads -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -35,7 +35,7 @@ sub SetAuthorMode { $AuthorMode = $params{authormode}; } else { $AuthorMode = $AuthorModePref; - } + } if ($AuthorMode ne "list" && $AuthorMode ne "field") { $AuthorMode = "list"; } @@ -49,7 +49,7 @@ sub SetTopicMode { } if ($TopicMode ne "single" && $TopicMode ne "multi") { $TopicMode = "multi"; - } + } } sub SetUploadMethod { @@ -57,10 +57,10 @@ sub SetUploadMethod { $Upload = $params{upload}; } else { $Upload = $UploadMethodPref; - } + } if ($Upload ne "http" && $Upload ne "file") { $Upload = "file"; - } + } } sub SetDateOverride { @@ -68,7 +68,7 @@ sub SetDateOverride { $Overdate = $params{overdate}; } else { $Overdate = $DateOverridePref; - } + } } sub SetFileOptions { 
@@ -78,26 +78,26 @@ sub SetFileOptions { $Archive = $params{archive}; } else { $Archive = $UploadTypePref - } + } if ($Archive eq "single") {$NumberUploads = 3;} # Make sure if ($Archive eq "multi") {$Archive = "single";} # No real difference if ($Archive ne "archive" && $Archive ne "single") { $Archive = "single"; - } - + } + if ($params{numfile}) { # User has selected $NumberUploads = $params{numfile}; } elsif ($NumFilesPref && $mode ne "update") { # User has a pref if ($Meeting || $OtherMeeting) { if ($NumFilesPref < 3) { $NumberUploads = 3; - } else { + } else { $NumberUploads = $NumFilesPref; - } - } else { + } + } else { $NumberUploads = $NumFilesPref; - } + } } else { # No selection, no pref if ($Meeting || $OtherMeeting) { $NumberUploads = 3; @@ -106,10 +106,10 @@ sub SetFileOptions { $NumberUploads = @DocFiles; # FIXME: One line with scalar unless ($NumberUploads) { # Gyrations to handle docs that have 0 files $NumberUploads = 3; - } + } } else { $NumberUploads = 3; - } + } } } diff --git a/DocDB/cgi/DocDBGlobals.pm b/DocDB/cgi/DocDBGlobals.pm index db83aab6..98821844 100644 --- a/DocDB/cgi/DocDBGlobals.pm +++ b/DocDB/cgi/DocDBGlobals.pm @@ -26,6 +26,8 @@ # Constants +use DateTime; +$LocalTimezone = DateTime::TimeZone->new(name => 'local'); $TRUE = 1; $FALSE = 0; diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index fb14b645..f49a10a2 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm @@ -3,7 +3,7 @@ # Revision: $Revision$ # Modified: $Author$ on $Date$ # -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.14"; +$DocDBVersion = "8.7.15"; 1; diff --git a/DocDB/cgi/FileUtilities.pm b/DocDB/cgi/FileUtilities.pm index edc9278c..df1c1ec1 100644 
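Review bot: The new `$LocalTimezone` global lacks a comment saying why the zone object is built once here instead of passing `'local'` at each call site (CalendarHTML, SQLUtilities and ShowCalendar are switched to it in this commit); something like `# Resolve the local zone once per process; presumably 'local' re-runs zone detection on every DateTime call` would keep the reason next to the definition. `DateTime::TimeZone` is only reached through `use DateTime;`, so a `use DateTime::TimeZone;` beside it would make the dependency explicit.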
--- a/DocDB/cgi/FileUtilities.pm +++ b/DocDB/cgi/FileUtilities.pm @@ -1,5 +1,5 @@ -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -196,12 +196,13 @@ sub StreamFile (%) { my @Parts = split /\//,$File; my $ShortFile = pop @Parts; - select STDOUT; - $| = 1; print "Content-Type: $MimeType\n", # Print header "Content-Disposition: filename=\"$ShortFile\"\n", "Content-Length: $Size\n\n"; + select STDOUT; + $| = 1; + open OUT, "<$File" or die "Cannot open File\n"; binmode OUT if -B $File; my $BlockSize = (stat OUT)[11] || 16384; @@ -210,11 +211,15 @@ sub StreamFile (%) { next unless defined $Length; my $Offset = 0; - while ($Length) { - my $Written = syswrite STDOUT, $Buffer, $Length, $Offset; + my $Written= 1; + while ($Length && $Written > 0) { + print STDOUT $Buffer; + $Written = $Length; + last unless defined($Written); $Length -= $Written; $Offset += $Written; } + last unless defined($Written); } close OUT; } else { diff --git a/DocDB/cgi/GeneralInstructions.pm b/DocDB/cgi/GeneralInstructions.pm index 11a53f10..837a3344 100644 --- a/DocDB/cgi/GeneralInstructions.pm +++ b/DocDB/cgi/GeneralInstructions.pm @@ -6,7 +6,7 @@ # Author: Eric Vaandering (ewv@fnal.gov) # Modified: -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # Additional Text: Marcia Teckenbrock # This file is part of DocDB. @@ -335,7 +335,7 @@ HTML When reserving a document, you must supply:
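Review bot: Moving `select STDOUT; $| = 1;` to after the header `print` means the Content-Type/Content-Length header now goes through the still-buffered handle and is flushed by the first body write; that may be intended, but the reorder is unexplained and a one-line comment on the new `select STDOUT;` line stating why autoflush is enabled only for the body would stop the next reader from moving it back. The adjacent `open OUT, "<$File" or die "Cannot open File\n";` is a two-argument bareword open left unchanged by this commit; the lexical three-argument form `open my $out, '<', $File or die "Cannot open $File: $!\n";` is the conventional form and makes the mode independent of the file name. StreamFile starts before the hunk.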
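Review bot: In the rewritten write loop of `StreamFile` the result of `print STDOUT $Buffer` is discarded and `$Written` is set to `$Length`, so `last unless defined($Written)` (both inside and after the `while`) can never fire and a failed write — a client that disconnected mid-download — is not detected; `$Offset` is now incremented but never read. Assuming `$Buffer` holds exactly the `$Length` bytes just read, `print` either writes all of it or fails, so the whole `while` block collapses to `print STDOUT $Buffer or last;` with the `$Written`/`$Offset`/`$Length` bookkeeping and the trailing `last unless defined($Written);` removed. The enclosing read loop continues outside the hunk, so check there that nothing else reads `$Offset` or `$Written`.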

    • A title
    • -
    • A requester (who is requesting the document?)
    • +
    • A submitter (who is requesting or uoloading the document?)
    • A document type (talk, note, etc.)
    @@ -475,7 +475,7 @@ HTML forms to your liking and to save some typing by telling the database who you are.

    -

    Once the database knows who you are, your name will be pre-selected as the requester and +

    Once the database knows who you are, your name will be pre-selected as the submitter and author of new documents. You can, of course, change this setting to enter documents by people other than (or in addition to) yourself.

    @@ -504,7 +504,7 @@ HTML if ($UseSignoffs) { print "

    Document Signoffs

    \n"; - print "

    An optional component of DocDB is to allow some documents to be signed + print "

    An optional component of DocDB is to allow some documents to be signed or approved by a group of people before becoming approved. People with Personal Accounts can sign documents. The list of people needing to approve a document is editable by the same groups that can edit the document itself.

    @@ -512,21 +512,13 @@ HTML To freeze a document and its meta-information such that only managers can modify it or unfreeze it, ask the
    DocDB - administrators for the procedure.

    \n"; + administrators for the procedure. The administrators can also add or subtract from the list of possible approvers.

    \n"; print "

    When displaying document version(s) in a list, there are obvious indications of which documents are approved, which are unapproved, and which are obsolete - (even if they were approved at some time). All information about who signed' + (even if they were approved at some time). All information about who signed each version of each document is kept.

    \n"; - print "

    DocDB contains the ability to allow any number of approval topologies. - For instance, person A or person B might be allowed to sign at the first step, - followed by person C at the second step. Or, person A and person B may both have to - sign (but in parallel) before person C can sign. However, the current DocDB code only - allows one topology (an ordered list). When a document under control is - updated, the signoff list structure is preserved, but the approvals themselves - are cleared.

    \n"; - print "

    The signoff system provides a number of additional convieniences:

    • Email notifications to signatories when a document is ready for their @@ -535,16 +527,61 @@ HTML
    • List of all documents a person is a signatory (actual or requested) on
    \n"; - print "

    A number of other features are planned and will be added as needed:

    -
      -
    • Email reports of outstanding signatures needed (to desired signatory and - other signatories of documents)
    • -
    • More complicated approval topolgies (OR's, parallel paths, etc.)
    • -
    • Reminders if a document goes unsigned for a while
    • -
    • Restricting the list of people who may sign documents to a sub-set of those with - personal accounts
    • -
    \n"; - } + print <How signature lists work varies a bit based on the action you are taking with a document.

    +

    New Documents

    + +

    On the new document page is a box labeled Signoffs. + There is also a link (Signoff Chooser) to the list of all people that have + been enabled to be approvers for DocDB.

    + +

    If the submitter chooses to enable signoffs for a document, click the + Signoff Chooser + link and pick one or more individuals to approve the document. You can + do this by selecting the names on the pop-up window in the order in which + the approvals should occur. Approvers will be sent e-mail in that order.

    + +

    The status of the document will be Unapproved until signoffs are + completed. The list of selected approvers is at the bottom of the DocDB + page for the document, and includes the status of the signoff process.

    + + +

    Updating Documents

    + +

    When updating a document, you are allowed to change the approvers required, + including + removing all approvers. Then update the document as needed and any signoffs + will be + handled as for new documents. All necessary approvals are set to unapproved + for the new version of the document.

    + + +

    Updating Metadata

    +

    When updating metadata, you are allowed to change the approvers required, + including + removing all approvers. Then update the metadata as needed. All necessary approvals are set to unapproved + for the document.

    + + + +

    Adding Files to a Document

    +

    Adding a file does not allow any changes to the list of approvers. + All necessary approvals are set to unapproved + for the document.

    + + +

    Approvers

    +

    Approvers will receive an e-mail requesting they sign the document. A URL + of the document page + is included in the e-mail. This document page contains a button to press + (and possibly a password to enter) next + to the name of the approver. Once all approvers have signed the document, the status + will change to Approved.

    + +HTML + +} print < Vars; +foreach my $Keyword (keys %params) { + $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); +} $query -> delete_all(); # Stop program from caching variable from script to script my $Mode = $params{mode}; diff --git a/DocDB/cgi/ProcessDocumentAdd b/DocDB/cgi/ProcessDocumentAdd index 07230025..19a61702 100755 --- a/DocDB/cgi/ProcessDocumentAdd +++ b/DocDB/cgi/ProcessDocumentAdd @@ -71,6 +71,9 @@ GetSecurityGroups(); ### Set up, give user initial information %params = $query -> Vars; +foreach my $Keyword (keys %params) { + $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); +} $mode = $params{mode}; #FIXME: Remove $Mode = $params{mode}; @@ -218,7 +221,7 @@ if ($PreserveSigs && $mode ne "updatedb") { push @ErrorStack,'Signatures may only be preserved when modifying document meta-data.'; } unless ($params{requester}) { - push @ErrorStack,"You must supply a requester for this document."; + push @ErrorStack,"You must supply a submitter for this document."; } unless ($params{title}) { push @ErrorStack,"You must supply a title for this document."; @@ -341,6 +344,10 @@ if ($#securities > 0) { } } +if ($#securities < 0) { + @securities = FindUsersGroups(); +} + my $ViewCheck = "create"; # Create/view are the same, check for more restrictive if ($EnhancedSecurity) { $ViewCheck = "view"; diff --git a/DocDB/cgi/RetrieveArchive b/DocDB/cgi/RetrieveArchive index 482bb784..af4b9e40 100755 --- a/DocDB/cgi/RetrieveArchive +++ b/DocDB/cgi/RetrieveArchive @@ -7,7 +7,7 @@ # Modified: # -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. 
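Review bot: The new default `@securities = FindUsersGroups()` when no group was selected is the right direction (an empty selection no longer silently means public), but if `FindUsersGroups()` returns an empty list — e.g. a submitter with no group membership — `@securities` stays empty and the document is presumably still stored as world-readable without any message. Guarding the fallback, e.g. `push @ErrorStack,"No security groups could be determined for this document." unless @securities;`, would keep the degradation visible; whether an empty list is possible depends on `FindUsersGroups`, which is outside the hunk. A comment above the block such as `# No group chosen: default to the submitter's own groups rather than public` would also help, since the earlier `$#securities > 0` block reads differently.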
@@ -103,14 +103,14 @@ unless (@ErrorStack) {
 if ($Type eq "tar.gz") {
 if ($GTar) {
- $Status = system("$GTar czf $TmpFile -C $Directory .");
+ $Status = system("$GTar czf $TmpFile --exclude='.htaccess' -C $Directory .");
 } elsif ($Tar && $GZip) {
- $Status = system("$Tar cf - $Directory | $GZip > $TmpFile");
+ $Status = system("$Tar cf - --exclude='.htaccess' $Directory | $GZip > $TmpFile");
 }
 } elsif ($Type eq "tar") {
- $Status = system("$Tar cf $TmpFile $Directory");
+ $Status = system("$Tar cf --exclude='.htaccess' $TmpFile $Directory");
 } elsif ($Type eq "zip") {
- $Status = system("$Zip $TmpFile $Directory/*");
+ $Status = system("$Zip $TmpFile --exclude .htaccess $Directory/*");
 }
 if ($Status) {
 push @ErrorStack,"There was a problem creating the archive. Please contact an administrator.";
@@ -126,5 +126,6 @@ if (@ErrorStack || @WarnStack) { # There was a problem. Warn the user.
 DocDBFooter($DBWebMasterEmail,$DBWebMasterName);
 } else {
 StreamFile(-file => $TmpFile);
+ unlink($TmpFile);
 }
diff --git a/DocDB/cgi/SQLUtilities.pm b/DocDB/cgi/SQLUtilities.pm
index 63968bbe..987ae8dd 100644
--- a/DocDB/cgi/SQLUtilities.pm
+++ b/DocDB/cgi/SQLUtilities.pm
@@ -96,7 +96,7 @@ sub ConvertToDateTime {
 }
 $DateTime = DateTime -> new(year => $Year, month => $Month, day => $Day,
 hour => $Hour, minute => $Min, second => $Sec,
- time_zone => 'local');
+ time_zone => $LocalTimezone);
 } elsif ($OldTimeStamp) {
 my $Year = substr $OldTimeStamp,0,4;
 my $Month = substr $OldTimeStamp,4,2;
@@ -106,7 +106,7 @@ sub ConvertToDateTime {
 my $Sec = substr $OldTimeStamp,12,2;
 $DateTime = DateTime -> new(year => $Year, month => $Month, day => $Day,
 hour => $Hour, minute => $Min, second => $Sec,
- time_zone => 'local');
+ time_zone => $LocalTimezone);
 }
 return $DateTime;
diff --git a/DocDB/cgi/Search b/DocDB/cgi/Search
index 1ad17129..4778ba0a 100755
--- a/DocDB/cgi/Search
+++ b/DocDB/cgi/Search
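Review bot: In the plain `tar` branch the option is placed between `cf` and the archive name, `$Tar cf --exclude='.htaccess' $TmpFile $Directory`; with old-style option parsing the `f` letter is likely to take the next argument as the archive, making `--exclude=.htaccess` the archive name and `$TmpFile` a member, whereas both `tar.gz` branches put the option after the archive argument — this branch should match: `$Status = system("$Tar cf $TmpFile --exclude='.htaccess' $Directory");`, and whether the non-GNU `$Tar` (kept separate from `$GTar`) understands `--exclude` at all is worth confirming. If `$Zip` is Info-ZIP, its exclude patterns match the whole path, so `--exclude .htaccess` probably leaves `.htaccess` files in subdirectories of `$Directory` inside the archive. Keeping the per-directory access-control files out of downloadable archives is the point of the change and deserves a comment on the first changed line. All four commands remain shell strings with `$TmpFile` and `$Directory` interpolated; the list form `system($GTar, 'czf', $TmpFile, '--exclude=.htaccess', '-C', $Directory, '.')` avoids the shell and the quoting question, at the cost of restructuring the `|` pipeline in the `$Tar`/`$GZip` branch.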
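Review bot: `unlink($TmpFile)` runs only on the success path; when archive creation fails (`$Status` set and the error pushed) the partially written `$TmpFile` is left behind in the temp area, and StreamFile's own `die` path also skips it. Moving the `unlink` after the `if`/`else`, guarded by `-e $TmpFile`, would clean up in every case, and checking the result keeps failures visible: `unlink($TmpFile) or push @DebugStack,"Cannot remove $TmpFile: $!";`.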
@@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -40,6 +40,9 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); ### Set up, give user initial information my %CGIParams = $query -> Vars; +foreach my $Keyword (keys %CGIParams) { + $CGIParams{$Keyword} = CGI::escapeHTML($CGIParams{$Keyword}); +} ### Pull info out of params into local variables diff --git a/DocDB/cgi/SelectPrefs b/DocDB/cgi/SelectPrefs index 6b58fd06..979b0293 100755 --- a/DocDB/cgi/SelectPrefs +++ b/DocDB/cgi/SelectPrefs @@ -3,12 +3,12 @@ # Author: Adam Bryant # -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, diff --git a/DocDB/cgi/SessionModify b/DocDB/cgi/SessionModify index c3daad42..1f0ecb47 100755 --- a/DocDB/cgi/SessionModify +++ b/DocDB/cgi/SessionModify @@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -62,6 +62,9 @@ $query = new CGI; # Global for subroutines ### Gather parameters %params = $query -> Vars; +foreach my $Keyword (keys %params) { + $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); +} $query -> delete_all(); # Stop program from caching variable from script to script my $SessionID = $params{sessionid}; diff --git a/DocDB/cgi/ShowCalendar b/DocDB/cgi/ShowCalendar index dd0b6acf..cddaa748 100755 
--- a/DocDB/cgi/ShowCalendar +++ b/DocDB/cgi/ShowCalendar @@ -69,7 +69,7 @@ my $WindowStart; my $WindowEnd; my $WindowDays; my $EventTableStart; -my $Today = DateTime -> now(time_zone => 'local'); +my $Today = DateTime -> now(time_zone => $LocalTimezone); push @DebugStack, "Today is ".$Today -> iso8601; diff --git a/DocDB/cgi/UserAccessApply b/DocDB/cgi/UserAccessApply index 845af869..a8a9eb9b 100755 --- a/DocDB/cgi/UserAccessApply +++ b/DocDB/cgi/UserAccessApply @@ -2,12 +2,12 @@ # # Author Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -51,12 +51,12 @@ EndPage(); my $CertificateStatus = &CertificateStatus(); my $CertEmail = $params{email}; -unless ($CertEmail) { +unless ($CertEmail) { push @ErrorStack,"You must supply an e-mail address."; } EndPage(); - + my $CertCN = $ENV{SSL_CLIENT_S_DN_CN}; if ($CertificateStatus eq "verified") { @@ -71,15 +71,15 @@ if ($CertificateStatus eq "verified") { } } else { print "
  • None: Contact an adminstrator if this is incorrect
  • \n"; - } + } print "\n"; -} elsif ($CertificateStatus eq "unverified") { +} elsif ($CertificateStatus eq "unverified") { print "You have already applied for access to documents. A new request has not been generated. If you believe your request has been misplaced or neglected, contact an administator."; print "The following information may be helpful:
    \n"; print "Certificate Common Name (CN): $CertCN
    \n"; print "Certificate E-mail Address: $CertEmail
    \n"; -} elsif ($CertificateStatus eq "mismatch") { +} elsif ($CertificateStatus eq "mismatch") { print "Your certificate is valid but a similar certificate already exists for either your e-mail address or your name (CN). Only one certificate is allowed per person. Contact an administrator if you @@ -87,8 +87,8 @@ if ($CertificateStatus eq "verified") { print "The following information may be helpful:
    \n"; print "Certificate Common Name (CN): $CertCN
    \n"; print "Certificate E-mail Address: $CertEmail
    \n"; -} elsif ($CertificateStatus eq "nocert") { - print "You didn't present a certificate. Make sure your browser is supplying one and contact an administrator if are supplying one."; +} elsif ($CertificateStatus eq "nocert") { + print "You didn't present a certificate. Make sure your browser is supplying one and contact an administrator if you are supplying one."; } elsif ($CertificateStatus eq "noapp") { ### Get additional parameters @@ -97,7 +97,7 @@ if ($CertificateStatus eq "verified") { my @RequestedGroupIDs = split /\0/,$params{reqgroups}; my $UserName = $CertCN; $UserName =~ s/\W//g; - + ### Fill in DB tables my $UserInsert = $dbh -> prepare( @@ -105,17 +105,17 @@ if ($CertificateStatus eq "verified") { " values (0,?,?,?,0,'x')"); $UserInsert -> execute($UserName,$CertCN,$CertEmail); my $EmailUserID = $UserInsert -> {mysql_insertid}; # Works with MySQL only - + my $UsersGroupInsert = $dbh -> prepare( "insert into UsersGroup (UsersGroupID,EmailUserID,GroupID) ". " values (0,?,?)"); foreach my $GroupID (@RequestedGroupIDs) { $UsersGroupInsert -> execute($EmailUserID,$GroupID); - } + } ### Notify applicant and administrator - + print "You ($CertCN with e-mail address $CertEmail) have requested "; print "access to $Project DocDB. "; print "You have requested membership in the following groups:\n"; @@ -123,14 +123,14 @@ if ($CertificateStatus eq "verified") { foreach my $GroupID (@RequestedGroupIDs) { &FetchSecurityGroup($GroupID); print "
  • ",$SecurityGroups{$GroupID}{NAME},"
  • \n"; - } + } print "\n"; if ($MailInstalled) { require "EmailUtilities.pm"; - + print "An e-mail has been sent to the administrators and a confirmation e-mail has been sent to you.

    \n"; - + my @To = ($DBWebMasterEmail); my $Subject = "$CertCN requests access to $Project DocDB"; my $Body = "$CertCN with e-mail address $CertEmail has requested "; @@ -139,7 +139,7 @@ if ($CertificateStatus eq "verified") { foreach my $GroupID (@RequestedGroupIDs) { &FetchSecurityGroup($GroupID); $Body .= " ".$SecurityGroups{$GroupID}{NAME}."\n"; - } + } $Body .= "\n"; $Body .= "If this is correct, please visit $EmailAdministerForm, "; $Body .= "select \"Modify\", select the user, check \"Verify\", and click to Submit.\n\n"; @@ -147,7 +147,7 @@ if ($CertificateStatus eq "verified") { if ($CertNote) { $Body .= "The user attached this note to their application:\n"; $Body .= $CertNote; - } + } &SendEmail(-body => $Body, -to => \@To, -subject => $Subject); my @To = ($CertEmail); @@ -161,7 +161,7 @@ if ($CertificateStatus eq "verified") { $Body .= "Thank you."; &SendEmail(-body => $Body, -to => \@To, -subject => $Subject); - } + } } diff --git a/DocDB/cgi/XMLUpload b/DocDB/cgi/XMLUpload index 5a3875bb..2ff86155 100755 --- a/DocDB/cgi/XMLUpload +++ b/DocDB/cgi/XMLUpload @@ -11,7 +11,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -44,6 +44,9 @@ require "Security.pm"; my $Twig = XML::Twig -> new(); $query = new CGI; # Global for subroutines my %CGIParams = $query -> Vars; +foreach my $Keyword (keys %CGIParams) { + $CGIParams{$Keyword} = CGI::escapeHTML($CGIParams{$Keyword}); +} CreateConnection(-type => "rw"); my $XMLText = $query -> param("XMLFile");; diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES index 83f7ec48..35315af1 100644 --- a/DocDB/doc/CHANGES +++ b/DocDB/doc/CHANGES 
@@ -1,3 +1,11 @@ +8.7.15 + Cache timezone name, fix apparent issues with DateTime constructor + Fix consistentcy issues between submitter and requester + No security by default should default to user's security, not public + StreamFile: change to using 'print' instead of 'sysprint' in the StreamFile routine + Fix several possible instances of XSS + Improved signoff instructions from Eileen Berman + 8.7.14 Don't put versions on files in meeting display mode Fix issue where "Schedule Similar" mixed data between sessions From 705c93107fe7278873f3a225ca497db435476e47 Mon Sep 17 00:00:00 2001 From: vondo <> Date: Tue, 20 Mar 2012 20:22:31 +0000 Subject: [PATCH 017/163] Fold in cd_1203c --- DocDB/cgi/AddFiles | 5 +---- DocDB/cgi/DocDBVersion.pm | 4 ++-- DocDB/cgi/DocumentAddForm | 4 ++-- DocDB/cgi/MeetingModify | 5 +---- DocDB/cgi/ProcessDocumentAdd | 5 +---- DocDB/cgi/RetrieveArchive | 4 ++-- DocDB/cgi/Search | 5 +---- DocDB/cgi/SessionModify | 5 +---- DocDB/cgi/XMLUpload | 5 +---- DocDB/doc/CHANGES | 5 +++++ 10 files changed, 17 insertions(+), 30 deletions(-) diff --git a/DocDB/cgi/AddFiles b/DocDB/cgi/AddFiles index 3715971a..1550ff1f 100755 --- a/DocDB/cgi/AddFiles +++ b/DocDB/cgi/AddFiles @@ -8,7 +8,7 @@ # Author: Eric Vaandering (ewv@fnal.gov) # Modified: -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -62,9 +62,6 @@ $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass ### Set up, give user initial information %params = $query -> Vars; -foreach my $Keyword (keys %params) { - $params{$Keyword} = CGI::escapeHTML($params{$Keyword}); -} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("$Project File Addition Results","File Addition Results"); diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index f49a10a2..e0eeb61f 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm 
@@ -3,7 +3,7 @@ # Revision: $Revision$ # Modified: $Author$ on $Date$ # -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.15"; +$DocDBVersion = "8.7.16"; 1; diff --git a/DocDB/cgi/DocumentAddForm b/DocDB/cgi/DocumentAddForm index b095334e..61c442cf 100755 --- a/DocDB/cgi/DocumentAddForm +++ b/DocDB/cgi/DocumentAddForm @@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2012 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -520,7 +520,7 @@ print "

    \n"; TextField(-name => 'xrefs', -size => 40, - -default => $XRefDefault, + -default => $XRefDefault, -maxlength => 2048, -helplink => 'xrefentry', -helptext => 'Related Documents'); print "
    \n"; diff --git a/DocDB/cgi/CertificateApplyForm b/DocDB/cgi/CertificateApplyForm index 7d8179de..1425a439 100755 --- a/DocDB/cgi/CertificateApplyForm +++ b/DocDB/cgi/CertificateApplyForm @@ -2,12 +2,12 @@ # # Author Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -63,16 +63,16 @@ if ($CertificateStatus eq "verified") { print "
  • ",$SecurityGroups{$GroupID}{NAME},"
  • \n"; } } else { - print "
  • None. Contact an adminstrator if this is incorrect
  • \n"; - } + print "
  • None. Contact an administrator if this is incorrect
  • \n"; + } print "\n"; -} elsif ($CertificateStatus eq "unverified") { - print "Your certificate is valid and you have applied for access to documents. +} elsif ($CertificateStatus eq "unverified") { + print "Your certificate is valid and you have applied for access to documents. If you believe your request has been misplaced or neglected, contact an administator.

    "; print "The following information may be helpful:
    \n"; print "Certificate Common Name (CN): $CertCN
    \n"; print "Certificate E-mail Address: $CertEmail
    \n"; -} elsif ($CertificateStatus eq "mismatch") { +} elsif ($CertificateStatus eq "mismatch") { print "Your certificate is valid but a similar certificate already exists for either your e-mail address or your name (CN). Only one certificate is allowed per person. Contact an administrator if you @@ -80,14 +80,14 @@ if ($CertificateStatus eq "verified") { print "The following information may be helpful:
    \n"; print "Certificate Common Name (CN): $CertCN
    \n"; print "Certificate E-mail Address: $CertEmail
    \n"; -} elsif ($CertificateStatus eq "nocert") { +} elsif ($CertificateStatus eq "nocert") { print "You didn't present a certificate. Make sure your browser is supplying one and contact an administrator if are supplying one.

    "; } elsif ($CertificateStatus eq "noapp") { require "SecurityHTML.pm"; require "FormElements.pm"; print "

    Your certificate is valid but you have never applied for access to - documents.
    Fill out the form below to apply for access. - Select the groups which you think you belong to from the list. + documents.
    Fill out the form below to apply for access. + Select the groups which you think you belong to from the list. Your selection(s) will be verified by an administrator.

    "; print "
    \n"; print $query -> start_multipart_form('POST',$UserAccessApply); @@ -104,14 +104,14 @@ if ($CertificateStatus eq "verified") { print "
    \n"; print "\n"; print ""; print ""; - print "
    \n"; - TextArea(-helplink => "certnote", -helptext => "Notes", + TextArea(-helplink => "certnote", -helptext => "Notes", -extratext => "(Identify yourself or other notes if needed.)", - -name => "certnote"); + -name => "certnote"); print "
    \n"; print $query -> submit (-value => "Apply for access"); print "
    \n"; + print "\n"; print "\n"; } diff --git a/DocDB/cgi/DeleteConfirm b/DocDB/cgi/DeleteConfirm index 6b7c9c8e..b460031a 100755 --- a/DocDB/cgi/DeleteConfirm +++ b/DocDB/cgi/DeleteConfirm @@ -8,7 +8,7 @@ # # Author: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -58,7 +58,7 @@ unless ($DocumentID) { push @ErrorStack,"You are must supply a document number to delete."; } unless (&CanAdminister) { - push @ErrorStack,"You must be logged in as the adminstrator to delete + push @ErrorStack,"You must be logged in as the administrator to delete documents"; } @@ -80,7 +80,7 @@ unless ($DocRevID) { EndPage(@ErrorStack); -print "

    To delete this document, you must supply the adminstrator +print "

    To delete this document, you must supply the administrator username and password:"; print $query -> startform('POST',$DeleteDocument); diff --git a/DocDB/cgi/DeleteDocument b/DocDB/cgi/DeleteDocument index 86218712..3dfef2c4 100755 --- a/DocDB/cgi/DeleteDocument +++ b/DocDB/cgi/DeleteDocument @@ -1,18 +1,18 @@ #! /usr/bin/env perl # # Description: This script is called by DeleteConfirm to actually delete -# the requested document, all associated entries in the DB, -# and the actual files as well. +# the requested document, all associated entries in the DB, +# and the actual files as well. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -50,7 +50,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,"Unable to connect to the database. Check the password."; -} +} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("Deleting Document $DocumentID"); @@ -59,11 +59,11 @@ EndPage(@ErrorStack); unless ($DocumentID) { push @ErrorStack,"You are must supply a document number to delete."; -} +} unless (&CanAdminister) { - push @ErrorStack,"You must be logged in as the adminstrator to delete + push @ErrorStack,"You must be logged in as the administrator to delete documents"; -} +} EndPage(@ErrorStack); 
@@ -92,10 +92,10 @@ my @Revisions = keys %Revision; unless (@Revisions) { print "Document $DocumentID does not exist.\n"; exit; -} - -# Delete stuff from files and linking tables - +} + +# Delete stuff from files and linking tables + foreach $RevisionID (@Revisions) { $author_delete -> execute($RevisionID); $topic_delete -> execute($RevisionID); @@ -107,16 +107,16 @@ foreach $RevisionID (@Revisions) { $document_delete -> execute($DocumentID); $revision_delete -> execute($DocumentID); - + # Delete stuff from file system $command = "rm -rf $Directory/*"; system ($command); - + print "Document $DocumentID has been deleted.

    "; &DocDBNavBar; &DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; diff --git a/DocDB/cgi/DocDBInstructions b/DocDB/cgi/DocDBInstructions index 45c4cdfe..2bcd8b58 100755 --- a/DocDB/cgi/DocDBInstructions +++ b/DocDB/cgi/DocDBInstructions @@ -1,19 +1,19 @@ #! /usr/bin/env perl # -# Description: The instructions for DocDB. This is mostly HTML, but making +# Description: The instructions for DocDB. This is mostly HTML, but making # it a script allows us to eliminate parts of it that we don't want # and get it following everyone's style, and allows groups to add # to it with ProjectMessages. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -25,8 +25,8 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; -use DBI; +use CGI; +use DBI; require "DocDBGlobals.pm"; require "HTMLUtilities.pm"; @@ -39,7 +39,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); &GetSecurityGroups; -%params = $query -> Vars; +%params = $query -> Vars; $InstructionSet = $params{set} || "general"; # Title @@ -77,7 +77,7 @@ if ($InstructionSet eq "general") { $PageTitle = "Advanced Users & XML Interface"; $HTMLTitle = $PageTitle; } elsif ($InstructionSet eq "admin") { - $PageTitle = "Adminstration Instructions"; + $PageTitle = "Administration Instructions"; $HTMLTitle = $PageTitle; } print $query->header( -charset => $HTTP_ENCODING ); 
diff --git a/DocDB/cgi/EmailAdminister b/DocDB/cgi/EmailAdminister index 99dcccdb..1a406ab4 100755 --- a/DocDB/cgi/EmailAdminister +++ b/DocDB/cgi/EmailAdminister @@ -1,23 +1,23 @@ #! /usr/bin/env perl # -# Name: EmailAdminister -# Description: This script is called by EmailAdministerForm and does +# Name: EmailAdminister +# Description: This script is called by EmailAdministerForm and does # administration on users who have signed up for email from the # DB. Since users can change almost everything, it really just # deletes users and changes their passwords in case they forget. -# It also displays all the users and their notification +# It also displays all the users and their notification # preferences. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -43,7 +43,7 @@ require "EmailUserHTML.pm"; $query = new CGI; # Global for subroutines -# Parameters to script +# Parameters to script %params = $query -> Vars; my $Password = $params{password}; @@ -63,7 +63,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,$Msg_AdminNoConnect; -} +} print $query -> header( -charset => $HTTP_ENCODING ); DocDBHeader("Modified E-mail Users"); @@ -73,7 +73,7 @@ GetSecurityGroups(); unless (CanAdminister()) { push @ErrorStack,$Msg_AdminNoLogin; -} +} EndPage(); if ($Action eq "Delete") { # Delete user 
@@ -94,20 +94,20 @@ if ($Action eq "Delete") { # Delete user my $Table = "Email$NotifyType$NotifyTime"; my $NotifyDelete = $dbh -> prepare("delete from $Table where EmailUserID=?"); $NotifyDelete -> execute($EmailUserID); - } + } } push @ActionStack,"The user was deleted."; } ActionReport(); -} elsif ($Action eq "Modify") { - unless ($EmailUserID) { # Deal with password changes +} elsif ($Action eq "Modify") { + unless ($EmailUserID) { # Deal with password changes push @ErrorStack,$Msg_ModEUserEmpty; } EndPage(); FetchEmailUser($EmailUserID); - if ($NewPassword) { + if ($NewPassword) { srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`); my $Salt = ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]). @@ -126,9 +126,9 @@ if ($Action eq "Delete") { # Delete user if ($ClearUser || $SingleUser) { my $UserUpdate = $dbh -> prepare("update EmailUser set CanSign=0,Verified=0 where EmailUserID=?"); $UserUpdate -> execute($EmailUserID); - unless ($SingleUser) { + unless ($SingleUser) { push @ActionStack,"The user is no longer verified and cannot sign documents."; - } + } } if ($UserSign) { my $UserUpdate = $dbh -> prepare("update EmailUser set CanSign=1 where EmailUserID=?"); @@ -139,13 +139,13 @@ if ($Action eq "Delete") { # Delete user my $UserUpdate = $dbh -> prepare("update EmailUser set Verified=1 where EmailUserID=?"); $UserUpdate -> execute($EmailUserID); push @ActionStack,"The user is verified."; - + if ($MailInstalled && $UserValidation eq "certificate") { require "EmailUtilities.pm"; my @To = ($EmailUser{$EmailUserID}{EmailAddress},$DBWebMasterEmail); my $Subject = "DocDB account for $EmailUser{$EmailUserID}{Name} activated"; - my $Body = "An adminstrator has approved the request for "; + my $Body = "An administrator has approved the request for "; $Body .= "$EmailUser{$EmailUserID}{Name} for access to $Project DocDB. "; $Body .= "If you did not request access to $Project DocDB, "; $Body .= "please contact $DBWebMasterEmail immediately."; 
@@ -154,35 +154,35 @@ if ($Action eq "Delete") { # Delete user } foreach my $UsersGroupID (@UsersGroupIDs) { my $UsersGroupSelect = $dbh -> prepare("select UsersGroupID from UsersGroup where EmailUserID=? and GroupID=?"); - $UsersGroupSelect -> execute($EmailUserID,$UsersGroupID); + $UsersGroupSelect -> execute($EmailUserID,$UsersGroupID); my ($ComboExists) = $UsersGroupSelect -> fetchrow_array; - unless ($ComboExists) { + unless ($ComboExists) { my $UsersGroupUpdate = $dbh -> prepare("insert into UsersGroup (UsersGroupID,EmailUserID,GroupID) ". " values (0,?,?)"); - $UsersGroupUpdate -> execute($EmailUserID,$UsersGroupID); + $UsersGroupUpdate -> execute($EmailUserID,$UsersGroupID); FetchSecurityGroup($UsersGroupID); push @ActionStack,"Added user to $SecurityGroups{$UsersGroupID}{NAME}"; - } - } - + } + } + ClearEmailUsers(); FetchEmailUser($EmailUserID); ActionReport(); - + print "

    The user now has the following information:

    "; print "\n"; PrintEmailUserInfo($EmailUserID); print "
    \n"; -} elsif ($Action eq "New") { +} elsif ($Action eq "New") { push @ErrorStack,"You can't create new users here. Do it the normal way."; } else { push @ErrorStack,"No valid action was specified."; -} +} EndPage(); WarnPage(); DocDBNavBar(); DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; diff --git a/DocDB/cgi/FSUtilities.pm b/DocDB/cgi/FSUtilities.pm index 86b25a9d..f59226a4 100644 --- a/DocDB/cgi/FSUtilities.pm +++ b/DocDB/cgi/FSUtilities.pm @@ -5,7 +5,7 @@ # Author: Eric Vaandering (ewv@fnal.gov) # Modified: -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -260,7 +260,7 @@ sub ExtractArchive { system ($Command); } else { print "Could not unpack the archive; contact an - adminstrator.
    \n"; + administrator.
    \n"; } chdir $current_dir; } diff --git a/DocDB/cgi/ListKeywords b/DocDB/cgi/ListKeywords index 9aaf669c..6137acbf 100755 --- a/DocDB/cgi/ListKeywords +++ b/DocDB/cgi/ListKeywords @@ -1,20 +1,20 @@ #! /usr/bin/env perl # # Name: ListKeywords -# Description: Lists the managed keywords. +# Description: Lists the managed keywords. # In the first mode, links perform a search -# In chooser mode, links insert the keyword into the +# In chooser mode, links insert the keyword into the # form on the calling page # # Author: Lynn Garren (garren@fnal.gov) # Modified: Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -26,7 +26,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI; use DBI; require "DocDBGlobals.pm"; @@ -57,7 +57,7 @@ if ($Mode eq "chooser") { print "

    \n"; print "Please use the following keywords to facilitate searches. Note that spaces are NOT allowed in keywords. To suggest additional keywords, send mail - to an adminstrator. The links below + to an administrator. The links below will search the database for all instances of a single keyword. Use the search form to do a more complicated search.

    \n"; @@ -67,7 +67,7 @@ if ($Mode eq "chooser") { } elsif ($Format eq "long") { print "

    The abbreviated listing lists all the keywords compactly.\n

    "; - } + } if ($KeywordAddendumText) { print "

    $KeywordAddendumText

    \n"; } diff --git a/DocDB/cgi/Messages.pm b/DocDB/cgi/Messages.pm index 6484633d..7c820237 100644 --- a/DocDB/cgi/Messages.pm +++ b/DocDB/cgi/Messages.pm @@ -1,17 +1,17 @@ # -# Description: Central location for many of the error messages for the DocDB -# since many programs return the same errors. +# Description: Central location for many of the error messages for the DocDB +# since many programs return the same errors. # # Author: Eric Vaandering (ewv@fnal.gov) # Modified: Lynn Garren (garren@fnal.gov) # -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -26,7 +26,7 @@ $Msg_NoConnect = "Unable to connect to the database. Please alert an administrator."; $Msg_AdminNoConnect = "Unable to connect to the database. Make sure you use the correct password."; -$Msg_AdminNoLogin = "You must be logged in as the adminstrator to perform this action."; +$Msg_AdminNoLogin = "You must be logged in as the administrator to perform this action."; $Msg_AdminNoPass = "You must supply a username and password to perform administration actions."; $Msg_ModInstEmpty = "You must select an institution to modify or delete."; @@ -48,8 +48,8 @@ $Msg_DelFullEvent = "This event has associated documents. Not deleted."; # Messages for document creation, modification, display -$Msg_DocNoAccess = "Either you are not authorized to view this document - (with the username and password you supplied) +$Msg_DocNoAccess = "Either you are not authorized to view this document + (with the username and password you supplied) or the document does not exist."; 
@@ -91,6 +91,6 @@ $Msg_WarnModManaged = "Warning: You are about to modify a managed document. This if (-e "ProjectMessages.pm") { require "ProjectMessages.pm"; push @DebugStack,"Included Project Messages"; -} +} 1; diff --git a/DocDB/cgi/UserAccessApply b/DocDB/cgi/UserAccessApply index a8a9eb9b..ca2b2ced 100755 --- a/DocDB/cgi/UserAccessApply +++ b/DocDB/cgi/UserAccessApply @@ -2,7 +2,7 @@ # # Author Eric Vaandering (ewv@fnal.gov) -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -70,12 +70,12 @@ if ($CertificateStatus eq "verified") { print "
  • ",$SecurityGroups{$GroupID}{NAME},"
  • \n"; } } else { - print "
  • None: Contact an adminstrator if this is incorrect
  • \n"; + print "
  • None: Contact an administrator if this is incorrect
  • \n"; } print "\n"; } elsif ($CertificateStatus eq "unverified") { print "You have already applied for access to documents. A new request has not been generated. - If you believe your request has been misplaced or neglected, contact an administator."; + If you believe your request has been misplaced or neglected, contact an administrator.
    "; print "The following information may be helpful:
    \n"; print "Certificate Common Name (CN): $CertCN
    \n"; print "Certificate E-mail Address: $CertEmail
    \n"; @@ -157,7 +157,7 @@ if ($CertificateStatus eq "verified") { $Body .= "access to $Project DocDB. If you did not initiate this request, "; $Body .= "please contact the DocDB administrators at $DBWebMasterEmail immediately.\n\n"; $Body .= "If you did request this access, please give the "; - $Body .= "adminstrators a few business days to respond to your request.\n"; + $Body .= "administrators a few business days to respond to your request.\n"; $Body .= "Thank you."; &SendEmail(-body => $Body, -to => \@To, -subject => $Subject); From d2f99194c219e7fe2474cdaada8362512b216b6f Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Fri, 3 May 2013 16:29:53 -0500 Subject: [PATCH 020/163] Non-FNAL specific change to certificate authorization Switch from using the first CN of a cert for authorization to using the full DN. We assume the DN is stored in the Username field of the database. You must couple this with an increase in the size of the field: alter table EmailUser modify Username text; --- DocDB/cgi/BulkCertificateInsert | 19 +++++++++++-------- DocDB/cgi/CertificateApplyForm | 16 +++++++--------- DocDB/cgi/CertificateUtilities.pm | 28 +++++++++++++--------------- DocDB/cgi/DocDBHelp.xml | 15 ++++++++++++--- DocDB/cgi/DocDBVersion.pm | 2 +- DocDB/cgi/EmailAdministerForm | 13 +++++++++---- DocDB/cgi/GroupAdminister | 4 ++-- DocDB/cgi/MailNotification.pm | 10 ++++++---- DocDB/cgi/TopicAdminister | 6 +++--- DocDB/cgi/UserAccessApply | 17 +++++------------ 10 files changed, 69 insertions(+), 61 deletions(-) diff --git a/DocDB/cgi/BulkCertificateInsert b/DocDB/cgi/BulkCertificateInsert index 16ad462a..271acc8f 100755 --- a/DocDB/cgi/BulkCertificateInsert +++ b/DocDB/cgi/BulkCertificateInsert @@ -5,7 +5,7 @@ # Author: Eric Vaandering (ewv@fnal.gov) # Modified: -# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. 
@@ -95,17 +95,16 @@ if ($Action eq "Insert") { my $UsersGroupInsert = $dbh -> prepare("insert into UsersGroup (UsersGroupID,EmailUserID,GroupID) values (0,?,?)"); foreach my $Row (1..$MaxUsers) { - my $Name = $Untaint -> extract (-as_printable => "name$Row") || ""; + my $Username = $Untaint -> extract (-as_printable => "name$Row") || ""; + my $Name = $Untaint -> extract (-as_printable => "commonname$Row") || ""; my $Email = $Untaint -> extract (-as_printable => "email$Row") || ""; - my $Username = $Name; - $Username =~ s/\W//g; if ($Username) { if ($Usernames{$Username}) { push @WarnStack,"The user $Name already exists. Not inserted."; next; } - unless ($Email) { + unless ($Email && $Name) { push @WarnStack,"You must supply a name and e-mail address for the user $Name. Not inserted."; next; } @@ -157,20 +156,24 @@ if ($UseSignoffs) { print "\n"; print ""; -print FormElementTitle(-helplink => 'certname', -helptext => 'Certificate CN'); +print FormElementTitle(-helplink => 'usersname', -helptext => "User's Name"); +print ""; +print FormElementTitle(-helplink => 'certname', -helptext => 'Certificate DN'); print ""; print FormElementTitle(-helplink => 'certemail', -helptext => 'E-mail Address'); print "\n"; foreach my $Row (1..$MaxUsers) { print "\n"; - TextField(-name => "name$Row", -size => 40, -maxlength => $DBColumnSize{EmailUser}{Name} ); + TextField(-name => "commonname$Row", -size => 40, -maxlength => $DBColumnSize{EmailUser}{Name} ); + print "\n"; + TextField(-name => "name$Row", -size => 40, -maxlength => 2048); print "\n"; TextField(-name => "email$Row", -size => 30, -maxlength => $DBColumnSize{EmailUser}{EmailAddress}); print "\n"; } -print ''; +print ''; print $query -> submit (-value => "Insert Users"); print "\n"; diff --git a/DocDB/cgi/CertificateApplyForm b/DocDB/cgi/CertificateApplyForm index 1425a439..a2819099 100755 --- a/DocDB/cgi/CertificateApplyForm +++ b/DocDB/cgi/CertificateApplyForm 
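Review bot: In `@@ -95,17 +95,16 @@` the DN typed into the form is stored verbatim and later matched with an exact `Username=?` lookup against `$ENV{SSL_CLIENT_S_DN}`, so stray whitespace or a different DN string format than the server exports (OpenSSL `/C=..` vs RFC 2253 `CN=..,O=..`, selected in mod_ssl by `LegacyDNStringFormat`) silently produces a user who can never authenticate; trimming before the duplicate check, `$Username =~ s/^\s+|\s+$//g;`, and stating the expected format in the help text would limit that. The duplicate check `if ($Usernames{$Username})` now keys on the DN while its warning names `$Name`, so a DN collision with a different common name reports the wrong value; include the DN in the message. The loop body continues past the first hunk.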
@@ -52,6 +52,9 @@ print $query -> header( -charset => $HTTP_ENCODING ); my $CertificateStatus = &CertificateStatus(); my $CertEmail = $ENV{SSL_CLIENT_S_DN_Email}; my $CertCN = $ENV{SSL_CLIENT_S_DN_CN}; +my $CertDN = $ENV{SSL_CLIENT_S_DN}; + +push @DebugStack, "DN is $CertDN, CN is $CertCN"; if ($CertificateStatus eq "verified") { print "Your certificate has been verified and you have access to documents from these groups:"; @@ -70,14 +73,7 @@ if ($CertificateStatus eq "verified") { print "Your certificate is valid and you have applied for access to documents. If you believe your request has been misplaced or neglected, contact an administator.

    "; print "The following information may be helpful:
    \n"; - print "Certificate Common Name (CN): $CertCN
    \n"; - print "Certificate E-mail Address: $CertEmail
    \n"; -} elsif ($CertificateStatus eq "mismatch") { - print "Your certificate is valid but a similar certificate already exists - for either your e-mail address or your name (CN). Only one - certificate is allowed per person. Contact an administrator if you - don't know what to do.

    "; - print "The following information may be helpful:
    \n"; + print "Certificate Distinguished Name (DN): $CertDN
    \n"; print "Certificate Common Name (CN): $CertCN
    \n"; print "Certificate E-mail Address: $CertEmail
    \n"; } elsif ($CertificateStatus eq "nocert") { @@ -93,7 +89,9 @@ if ($CertificateStatus eq "verified") { print $query -> start_multipart_form('POST',$UserAccessApply); print "\n"; print "\n"; - print "\n"; + print "\n"; diff --git a/DocDB/cgi/CertificateUtilities.pm b/DocDB/cgi/CertificateUtilities.pm index f68e8843..ba52c9e3 100644 --- a/DocDB/cgi/CertificateUtilities.pm +++ b/DocDB/cgi/CertificateUtilities.pm @@ -3,7 +3,7 @@ # Author: Eric Vaandering (ewv@fnal.gov) # Modified: -# Copyright 2001-2011 Eric Vaandering, Lynn Garren, Adam Bryant +# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. @@ -44,23 +44,21 @@ sub FetchEmailUserIDByCert (%) { my $CertEmail = $ENV{SSL_CLIENT_S_DN_Email}; my $CertCN = $ENV{SSL_CLIENT_S_DN_CN}; - - $CertificateCN = $CertCN; - $CertificateEmail = $CertEmail; - - push @DebugStack,"Finding EmailUserID by certificate $CertCN"; + my $CertDN = $ENV{SSL_CLIENT_S_DN}; # If we do http basic with users, this routine will function with minor modifications my $EmailUserSelect; + + push @DebugStack, "Finding EmailUserID and groups by DN $CertDN"; if ($IgnoreVerification) { $EmailUserSelect = $dbh->prepare("select EmailUserID from EmailUser ". - "where Name=?"); + "where Username=?"); } else { $EmailUserSelect = $dbh->prepare("select EmailUserID from EmailUser ". - "where Verified=1 and Name=?"); + "where Verified=1 and Username=?"); } - $EmailUserSelect -> execute($CertCN); + $EmailUserSelect -> execute($CertDN); my ($EmailUserID) = $EmailUserSelect -> fetchrow_array; push @DebugStack,"Found e-mail user: $EmailUserID"; @@ -86,9 +84,8 @@ sub CertificateStatus () { my $CertEmail = $ENV{SSL_CLIENT_S_DN_Email}; my $CertCN = $ENV{SSL_CLIENT_S_DN_CN}; - - push @DebugStack,"Finding Status by certificate"; - + my $CertDN = $ENV{SSL_CLIENT_S_DN}; + unless ($CertCN) { $CertificateStatus = "nocert"; push @DebugStack,"Certificate Status: $CertificateStatus"; 
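Review bot: `print "Certificate Distinguished Name (DN): $CertDN` in `@@ -70,14 +73,7 @@` interpolates the certificate subject straight into the page; subject attributes are chosen by whoever requested the certificate and may legally contain `<`, `"` and `&`, so this should be `CGI::escapeHTML($CertDN)`, and the neighbouring CN and e-mail lines deserve the same treatment. The hunk also deletes the whole `elsif ($CertificateStatus eq "mismatch")` branch; unless CertificateStatus() no longer returns that value (not visible in this diff), a mismatched certificate now falls through the chain with no message at all. The enclosing if/elsif chain begins before the hunk.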
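Review bot: FetchEmailUserIDByCert in `@@ -44,23 +44,21 @@` now runs `select EmailUserID from EmailUser where Username=?` with `$CertDN` unconditionally; when `SSL_CLIENT_S_DN` is not exported (no client certificate, or `SSLOptions +StdEnvVars` missing for the location) the bind value is undef, and if it is exported but blank the lookup compares against the empty string and would match any row with an empty Username. This is the authentication decision for the request, so return before the prepare: `return unless $CertDN;`. The hunk also removes the assignments to the package globals `$CertificateCN` and `$CertificateEmail`; if any other module still reads them they are now never set (their readers are not in this diff). The rest of the subroutine continues below the hunk.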
@@ -96,11 +93,12 @@ sub CertificateStatus () { } my $EmailUserSelect; + push @DebugStack, "Finding status by DN $CertDN"; $EmailUserSelect = $dbh->prepare("select EmailUserID,Verified from EmailUser ". - "where Name=?"); - $EmailUserSelect -> execute($CertCN); + "where Username=?"); + $EmailUserSelect -> execute($CertDN); + my ($EmailUserID,$Verified) = $EmailUserSelect -> fetchrow_array; - push @DebugStack,"Checking user $CertCN by CN"; if ($Verified) { $CertificateStatus = "verified"; diff --git a/DocDB/cgi/DocDBHelp.xml b/DocDB/cgi/DocDBHelp.xml index 45fa90ba..db11f729 100644 --- a/DocDB/cgi/DocDBHelp.xml +++ b/DocDB/cgi/DocDBHelp.xml @@ -1248,14 +1248,23 @@ or may not be the same as the web username and password. certname - Certificate Common Name (CN) + Certificate Distinguished Name (DN) - This is a unique identifier in the user's client certificate. It is usually - the user's name or login. It must be entered exactly or the user will not be + This is the unique identifier (subject or DN) in the user's client certificate. + It must be entered exactly or the user will not be authenticated when they present their client certificate to DocDB. + + usersname + User's Name (CN) + + Enter the user's common name. Often this is present in a CN section of the certificate DN, but it need + not be entered exactly; it is not used for authentication. + + + certemail E-Mail Address for Certificate User diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm index f820c80c..31b0cb14 100644 --- a/DocDB/cgi/DocDBVersion.pm +++ b/DocDB/cgi/DocDBVersion.pm @@ -20,6 +20,6 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -$DocDBVersion = "8.7.17"; +$DocDBVersion = "8.7.18"; 1; diff --git a/DocDB/cgi/EmailAdministerForm b/DocDB/cgi/EmailAdministerForm index e5469ae5..fe36d4af 100755 --- a/DocDB/cgi/EmailAdministerForm +++ b/DocDB/cgi/EmailAdministerForm 
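Review bot: In `@@ -96,11 +93,12 @@` CertificateStatus() binds `$CertDN` for the lookup, but the guard in the preceding hunk (`@@ -86,9 +84,8 @@`) still tests `unless ($CertCN)`: a subject without a CN attribute is reported as `nocert` although a DN was presented, and if the server exports the CN but not `SSL_CLIENT_S_DN` the query runs with an undefined bind value. Since the DN is now the identity, the guard should read `unless ($CertDN) {`. The subroutine continues past the hunk.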
@@ -65,6 +65,11 @@ unless (CanAdminister()) { EndPage(); +my $UsernameHeader = "Username"; +if ($UserValidation eq "certificate") { + $UsernameHeader = "Certificate DN" +} + if ($EmailUserID) { print "

    This form allows you to delete the user, change which groups the user belongs to, "; @@ -121,7 +126,7 @@ print "
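Review bot: `$UsernameHeader = "Certificate DN"` in `@@ -65,6 +65,11 @@` has no terminating semicolon; Perl accepts it as the last statement of the block, but it reads as an omission and any statement later appended to the block would fail to compile. Write `$UsernameHeader = "Certificate DN";`.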

    \n"; print "\n"; print "\n"; print "\n"; @@ -135,15 +137,15 @@ sub KeywordDetailedList { print " \n"; print " \n"; print "\n"; - } + } - } + } print "
    Your name (Certificate CN):
      $CertCN

    \n"; + print "

    Your certificate DN:
      $CertDN

    \n"; + print "

    Your name (certificate CN):
      $CertCN

    \n"; TextField(-name => "email", -helplink => "email", -helptext => "Your E-mail", -size => 20, -maxlength => 64, -default => $CertEmail); print "

    \n"; - EmailUserSelect(-disabled => $TRUE, -default => [$EmailUserID]); + EmailUserSelect(-disabled => $TRUE, -default => [$EmailUserID], -helptext => $UsernameHeader); print "\n"; @@ -192,10 +197,10 @@ if ($EmailUserID) { ### Display of existing groups - my @EmailUserIDs = sort EmailUserIDsByUsername GetEmailUserIDs(); + my @EmailUserIDs = sort EmailUserIDsByName GetEmailUserIDs(); print "\n"; - print "\n"; + print "\n"; #print "\n"; my $Row = 0; @@ -246,7 +251,7 @@ if ($EmailUserID) { my @SecurityGroups = sort keys %SecurityIDs; foreach my $SecurityGroup (@SecurityGroups) { - my @EmailUserIDs = sort EmailUserIDsByUsername FetchEmailUserIDsBySecurityGroup($SecurityIDs{$SecurityGroup}); + my @EmailUserIDs = sort EmailUserIDsByName FetchEmailUserIDsBySecurityGroup($SecurityIDs{$SecurityGroup}); if (@EmailUserIDs) { print "

    $SecurityGroup has these members:

    \n\n"; - } + } print "\n"; ++$Row; } @@ -88,7 +90,7 @@ sub KeywordTable { &KeywordsbyKeywordGroup($KeywordGroupID,$Mode); print "\n"; ++$Col; - } + } print "\n"; print "
    NameUsernameVerified?Can Sign?Groups
    Name$UsernameHeaderVerified?Can Sign?Groups
    Notifications
    \n"; } @@ -104,7 +106,7 @@ sub KeywordDetailedList { my $KeywordGroup = &KeywordGroupInfo($KeywordGroupID,"short"); my $Label = $KeywordGroup; $Label =~ s/\s+//; - + print "
    \n"; print " $KeywordGroup\n"; print " $Link$Text
    \n"; } sub KeywordSelect (%) { # Scrolling selectable list for keyword groups - my (%Params) = @_; - + my (%Params) = @_; + my $Format = $Params{-format} || "short"; # short, long, full my $Multiple = $Params{-multiple} || ""; # Any non-null text is "true" my $Name = $Params{-name} || "keywordlist"; @@ -151,19 +153,19 @@ sub KeywordSelect (%) { # Scrolling selectable list for keyword groups my $Disabled = $Params{-disabled} || "0"; my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } - + } + # Scrolling selectable list for keywords my @KeywordIDs = sort byKeyword keys %Keywords; my %KeywordLabels = (); foreach my $ID (@KeywordIDs) { if ($Format eq "short") { - $KeywordLabels{$ID} = $Keywords{$ID}{Short}; + $KeywordLabels{$ID} = $Keywords{$ID}{Short}; } elsif ($Format eq "long") { - $KeywordLabels{$ID} = $Keywords{$ID}{Long}; + $KeywordLabels{$ID} = $Keywords{$ID}{Long}; } elsif ($Format eq "full") { $KeywordLabels{$ID} = $Keywords{$ID}{Short}." ["; if ($MaxLabel) { 
@@ -172,78 +174,78 @@ sub KeywordSelect (%) { # Scrolling selectable list for keyword groups } else { $KeywordLabels{$ID} .= $Keywords{$ID}{Long}; } - $KeywordLabels{$ID} .= "]"; - } + $KeywordLabels{$ID} .= "]"; + } } - } + } print FormElementTitle(-helplink => "keywords", -helptext => "Keywords"); - print $query -> scrolling_list(-name => "keywordlist", -values => \@KeywordIDs, + print $query -> scrolling_list(-name => "keywordlist", -values => \@KeywordIDs, -labels => \%KeywordLabels, -size => 10, -multiple => $Multiple, $Booleans ); }; sub KeywordGroupSelect (%) { # Scrolling selectable list for keyword groups - my (%Params) = @_; - + my (%Params) = @_; + my $Format = $Params{-format} || "short"; # short, full my $Multiple = $Params{-multiple} || ""; # Any non-null text is "true" my $Name = $Params{-name} || "keywordgroup"; my $Remove = $Params{-remove} || ""; my $Disabled = $Params{-disabled} || "0"; - + my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } - + } + print FormElementTitle(-helplink => "keywordgroups", -helptext => "Keyword Groups"); my @KeyGroupIDs = keys %KeywordGroups; my %GroupLabels = (); - + foreach my $ID (@KeyGroupIDs) { if ($Format eq "full") { $GroupLabels{$ID} = "$KeywordGroups{$ID}{Short} [$KeywordGroups{$ID}{Long}]"; - } else { + } else { $GroupLabels{$ID} = $KeywordGroups{$ID}{Short}; - } - } + } + } if ($Remove) { unshift @KeyGroupIDs,"-1"; $GroupLabels{"-1"} = "Remove existing groups"; } - - print $query -> scrolling_list(-name => $Name, - -values => \@KeyGroupIDs, - -labels => \%GroupLabels, -size => 10, + + print $query -> scrolling_list(-name => $Name, + -values => \@KeyGroupIDs, + -labels => \%GroupLabels, -size => 10, -multiple => $Multiple, $Booleans); }; sub KeywordLinkByID ($;%) { my ($KeywordID,%Params) = @_; - + my $Format = $Params{-format} || "short"; # short, long my $NoLink = $Params{-nolink} || ""; # will just return information &FetchKeyword($KeywordID); my $Keyword = $Keywords{$KeywordID}{Short}; 
my $Link; - - unless ($NoLink) { + + unless ($NoLink) { $Link .= ""; } - - if ($Format eq "short") { + + if ($Format eq "short") { $Link .= $Keywords{$KeywordID}{Short}; } elsif ($Format eq "long") { $Link .= $Keywords{$KeywordID}{Long}; - } + } - unless ($NoLink) { + unless ($NoLink) { $Link .= ""; } - + return $Link; } @@ -251,26 +253,26 @@ sub KeywordLink ($;%) { # FIXME: Allow parameters of short, long, full a la Lynn my ($Keyword,%Params) = @_; my $Format = $Params{-format} || "short"; # short, full - - my $ret = ""; - $ret .= "$Keyword"; + my $SafeKeyword = SafeHTML( {-text => $Keyword} ); + my $ret = ""; + $ret .= "$SafeKeyword"; $ret .= ""; return $ret; -} +} sub KeywordsBox (%) { - my (%Params) = @_; + my (%Params) = @_; #FIXME: Get rid of global default - + my $Required = $Params{-required} || 0; - my $ElementTitle = &FormElementTitle(-helplink => "keywords" , + my $ElementTitle = &FormElementTitle(-helplink => "keywords" , -helptext => "Keywords" , -extratext => "(space separated) - Keyword Chooser", -required => $Required ); - print $ElementTitle,"\n"; - print $query -> textfield (-name => 'keywords', -default => $KeywordsDefault, + print $ElementTitle,"\n"; + print $query -> textfield (-name => 'keywords', -default => $KeywordsDefault, -size => 70, -maxlength => 240); }; From 93f069f097873f76093be0b2f53c91372c0d355d Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 10 Jul 2013 14:13:54 +0200 Subject: [PATCH 049/163] Make keyword printing safe --- DocDB/cgi/KeywordHTML.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DocDB/cgi/KeywordHTML.pm b/DocDB/cgi/KeywordHTML.pm index 6f0a0367..411cbd78 100644 --- a/DocDB/cgi/KeywordHTML.pm +++ b/DocDB/cgi/KeywordHTML.pm @@ -24,6 +24,8 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +require "HTMLUtilities.pm"; + sub KeywordGroupInfo ($;$) { my ($KeyID,$mode) = @_; 
From c7b62cc5f7970438a1cdc0cc03a08e3a06396488 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 10 Jul 2013 14:15:39 +0200 Subject: [PATCH 050/163] Make keyword printing safe --- DocDB/cgi/KeywordHTML.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DocDB/cgi/KeywordHTML.pm b/DocDB/cgi/KeywordHTML.pm index 411cbd78..5dffcf5a 100644 --- a/DocDB/cgi/KeywordHTML.pm +++ b/DocDB/cgi/KeywordHTML.pm @@ -46,7 +46,7 @@ sub KeywordGroupInfo ($;$) { sub KeywordsbyKeywordGroup ($;$) { - # FIXME: Make KeyLink SafeHTML + # FIXME: Make KeyLink SmartHTML my ($KeywordGroupID,$Mode) = @_; require "Sorts.pm"; @@ -255,7 +255,7 @@ sub KeywordLink ($;%) { # FIXME: Allow parameters of short, long, full a la Lynn my ($Keyword,%Params) = @_; my $Format = $Params{-format} || "short"; # short, full - my $SafeKeyword = SafeHTML( {-text => $Keyword} ); + my $SafeKeyword = SmartHTML( {-text => $Keyword} ); my $ret = ""; $ret .= "$SafeKeyword"; $ret .= ""; From bb706509c2ac1742bfc24933f328091b2f2dc825 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 10 Jul 2013 14:33:04 +0200 Subject: [PATCH 051/163] Update Title, abstract, notes, pubinfo entry boxes to use SmartHTML --- DocDB/cgi/FormElements.pm | 188 +++++++++++++++++++------------------- DocDB/cgi/RevisionHTML.pm | 10 +- 2 files changed, 101 insertions(+), 97 deletions(-) diff --git a/DocDB/cgi/FormElements.pm b/DocDB/cgi/FormElements.pm index 0d84357e..ee4e959f 100644 --- a/DocDB/cgi/FormElements.pm +++ b/DocDB/cgi/FormElements.pm 
@@ -1,11 +1,11 @@ # # Name: FormElements.pm -# Description: Various routines which supply input forms for document -# addition, etc. This file is deprecated. Routines are +# Description: Various routines which supply input forms for document +# addition, etc. This file is deprecated. Routines are # being moved out into the various *HTML.pm files. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant @@ -13,7 +13,7 @@ # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -29,9 +29,9 @@ require "TopicHTML.pm"; sub DaysPulldown (;$) { my ($DefaultDays) = @_; - unless ($DefaultDays) { + unless ($DefaultDays) { $DefaultDays = $LastDays; - } + } my @Days = (1,2,3,5,7,10,14,20,30,45,60,90,120,180 ); print $query -> popup_menu (-name => 'days', -values => \@Days, -default => $DefaultDays, -onChange => "submit()"); @@ -39,7 +39,7 @@ sub DaysPulldown (;$) { sub DateTimePulldown (%) { # Note capitalization my (%Params) = @_; - + my $Name = $Params{-name} || "date"; my $Disabled = $Params{-disabled} || 0; my $DateOnly = $Params{-dateonly} || 0; @@ -47,7 +47,7 @@ sub DateTimePulldown (%) { # Note capitalization my $OneTime = $Params{-onetime} || 0; my $OneLine = $Params{-oneline} || 0; my $Granularity = $Params{-granularity} || 5; - + my $Default = $Params{-default}; my $HelpLink = $Params{-helplink} || ""; 
@@ -55,13 +55,13 @@ sub DateTimePulldown (%) { # Note capitalization my $Required = $Params{-required} || 0; my $NoBreak = $Params{-nobreak} ; my $ExtraText = $Params{-extratext}; - + my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } - + } + my ($Sec,$Min,$Hour,$Day,$Mon,$Year) = localtime(time); $Year += 1900; $Min = (int (($Min+($Granularity/2))/$Granularity))*$Granularity; # Nearest $Granularity minutes @@ -69,13 +69,13 @@ sub DateTimePulldown (%) { # Note capitalization my $DefaultHHMM; if ($Default) { my ($DefaultDate,$DefaultTime); - if ($DateOnly) { + if ($DateOnly) { $DefaultDate = $Default; } elsif ($TimeOnly) { $DefaultTime = $Default; } else { ($DefaultDate,$DefaultTime) = split /\s+/,$Default; - } + } ($Year,$Mon,$Day) = split /-/,$DefaultDate; $Day = int($Day); @@ -88,41 +88,41 @@ sub DateTimePulldown (%) { # Note capitalization $Sec = int($Sec); $DefaultHHMM = sprintf "%2.2d:%2.2d",$Hour,$Min; } - + my @Years = (); for (my $i = $FirstYear; $i<=$Year+1; ++$i) { # $FirstYear - current year + 1 push @Years,$i; - } + } my @Days = (); for (my $i = 1; $i<=31; ++$i) { # $FirstYear - current year push @Days,$i; - } + } my @Hours = (); for (my $i = 0; $i<24; ++$i) { push @Hours,$i; - } + } my @Minutes = (); for (my $i = 0; $i<=55; $i=$i+5) { push @Minutes,(sprintf "%2.2d",$i); - } - + } + my @Times = (); for (my $Hour = 0; $Hour<=23; ++$Hour) { for (my $Min = 0; $Min<=59; $Min=$Min+$Granularity) { push @Times,sprintf "%2.2d:%2.2d",$Hour,$Min; - } - } - - my $ElementTitle = &FormElementTitle(-helplink => $HelpLink , + } + } + + my $ElementTitle = &FormElementTitle(-helplink => $HelpLink , -helptext => $HelpText , -extratext => $ExtraText, -text => $Text , -nobreak => $NoBreak , -required => $Required ); - print $ElementTitle,"\n"; + print $ElementTitle,"\n"; unless ($DateOnly) { if ($OneTime) { 
@@ -135,10 +135,10 @@ sub DateTimePulldown (%) { # Note capitalization } unless ($OneLine || $DateOnly || $TimeOnly) { print "\n"; - } + } if ($OneLine) { print " \n"; - } + } unless ($TimeOnly) { print $query -> popup_menu (-name => $Name."day",-values => \@Days, -default => $Day, $Booleans); print $query -> popup_menu (-name => $Name."month",-values => \@AbrvMonths, -default => $AbrvMonths[$Mon], $Booleans); @@ -150,11 +150,11 @@ sub DateTimePullDown { #FIXME: Replace with DateTimePulldown my ($sec,$min,$hour,$day,$mon,$year) = localtime(time); $year += 1900; $min = (int (($min+3)/5))*5; # Nearest five minutes - + my @days = (); for ($i = 1; $i<=31; ++$i) { push @days,$i; - } + } my @months = ("Jan","Feb","Mar","Apr","May","Jun", "Jul","Aug","Sep","Oct","Nov","Dec"); @@ -162,18 +162,18 @@ sub DateTimePullDown { #FIXME: Replace with DateTimePulldown my @years = (); for ($i = $FirstYear; $i<=$year; ++$i) { # $FirstYear - current year push @years,$i; - } + } my @hours = (); for ($i = 0; $i<24; ++$i) { push @hours,$i; - } + } my @minutes = (); for ($i = 0; $i<=55; $i=$i+5) { push @minutes,(sprintf "%2.2d",$i); - } - + } + print FormElementTitle(-helplink => "overdate", -helptext => "Date & Time"); print $query -> popup_menu (-name => 'overday',-values => \@days, -default => $day); print $query -> popup_menu (-name => 'overmonth',-values => \@months, -default => $months[$mon]); @@ -185,11 +185,11 @@ sub DateTimePullDown { #FIXME: Replace with DateTimePulldown } sub PubInfoBox { - my $ElementTitle = &FormElementTitle(-helplink => "pubinfo", + my $ElementTitle = &FormElementTitle(-helplink => "pubinfo", -helptext => "Other publication information"); - print $ElementTitle,"\n"; - - print $query -> textarea (-name => 'pubinfo', -default => $PubInfoDefault, + print $ElementTitle,"\n"; + my $SafeDefault = SmartHTML({-text => $PubInfoDefault},); + print $query -> textarea (-name => 'pubinfo', -default => $SafeDefault, -columns => 60, -rows => 3); }; 
@@ -197,20 +197,20 @@ sub InstitutionSelect (;%) { # Scrolling selectable list for institutions require "Sorts.pm"; my (%Params) = @_; - + my $Mode = $Params{-format} || "short"; my $Disabled = $Params{-disabled} || "0"; my $Required = $Params{-required} || $FALSE; - + my $ExtraText; if ($Mode eq "full") {$ExtraText = "(Long descriptions in brackets)";} - - - my $ElementTitle = &FormElementTitle(-helplink => "institution", + + + my $ElementTitle = &FormElementTitle(-helplink => "institution", -helptext => "Institution", -extratext => $ExtraText, -required => $Required); - print $ElementTitle,"\n"; + print $ElementTitle,"\n"; my @InstIDs = sort byInstitution keys %Institutions; my %InstLabels = (); @@ -220,8 +220,8 @@ sub InstitutionSelect (;%) { # Scrolling selectable list for institutions } else { $InstLabels{$ID} = $Institutions{$ID}{SHORT}; } - } - if ($Disabled) { + } + if ($Disabled) { print $query -> scrolling_list(-name => "inst", -values => \@InstIDs, -labels => \%InstLabels, -size => 10, -disabled); @@ -233,37 +233,37 @@ sub InstitutionSelect (;%) { # Scrolling selectable list for institutions sub NameEntryBox (;%) { my (%Params) = @_; - + my $Disabled = $Params{-disabled} || "0"; - + my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } - + } + print "\n"; print "\n"; print "\n"; print "\n"; print "
    \n"; - my $ElementTitle = FormElementTitle(-helplink => "authorentry", + my $ElementTitle = FormElementTitle(-helplink => "authorentry", -helptext => "First Name", -required => $TRUE); - print $ElementTitle,"\n"; - print $query -> textfield (-name => 'first', + print $ElementTitle,"\n"; + print $query -> textfield (-name => 'first', -size => 20, -maxlength => 32,$Booleans); print "
    \n"; - $ElementTitle = FormElementTitle(-helplink => "authorentry", + $ElementTitle = FormElementTitle(-helplink => "authorentry", -helptext => "Middle Initial(s)"); - print $ElementTitle,"\n"; - print $query -> textfield (-name => 'middle', + print $ElementTitle,"\n"; + print $query -> textfield (-name => 'middle', -size => 10, -maxlength => 16,$Booleans); print "
    \n"; - $ElementTitle = FormElementTitle(-helplink => "authorentry", + $ElementTitle = FormElementTitle(-helplink => "authorentry", -helptext => "Last Name", -required => $TRUE); - print $ElementTitle,"\n"; - print $query -> textfield (-name => 'lastname', + print $ElementTitle,"\n"; + print $query -> textfield (-name => 'lastname', -size => 20, -maxlength => 32,$Booleans); print "
    \n"; @@ -274,7 +274,7 @@ sub UpdateButton { # unless (&CanModify) {return;} - $query -> param('mode','update'); + $query -> param('mode','update'); $query -> param('docid',$DocumentID); print $query -> startform('POST',$DocumentAddForm); @@ -289,13 +289,13 @@ sub UpdateButton { sub UpdateDBButton { my ($DocumentID,$Version) = @_; - + # unless (&CanModify) {return;} $query -> param('mode', 'updatedb'); $query -> param('docid', $DocumentID); $query -> param('version',$Version); - + print $query -> startform('POST',$DocumentAddForm); print "

    \n"; print $query -> hidden(-name => 'mode', -default => 'updatedb'); @@ -314,7 +314,7 @@ sub AddFilesButton { $query -> param('docid',$DocumentID); $query -> param('version',$Version); - + print $query -> startform('POST',$AddFilesForm); print "
    \n"; print $query -> hidden(-name => 'docid', -default => $DocumentID); @@ -325,9 +325,9 @@ sub AddFilesButton { print "\n"; } -sub TextField (%) { +sub TextField (%) { my (%Params) = @_; - + my $HelpLink = $Params{-helplink} ; my $HelpText = $Params{-helptext} ; my $ExtraText = $Params{-extratext}; @@ -339,28 +339,28 @@ sub TextField (%) { my $Size = $Params{-size} || 40; my $MaxLength = $Params{-maxlength} || 240; my $Disabled = $Params{-disabled} || $FALSE; - - my %Options = (); + + my %Options = (); if ($Disabled) { $Options{-disabled} = "disabled"; - } + } - my $ElementTitle = &FormElementTitle(-helplink => $HelpLink , + my $ElementTitle = &FormElementTitle(-helplink => $HelpLink , -helptext => $HelpText , -extratext => $ExtraText, -text => $Text , -nobreak => $NoBreak , -required => $Required , ); - print $ElementTitle,"\n"; - print $query -> textfield (-name => $Name, -default => $Default, + print $ElementTitle,"\n"; + print $query -> textfield (-name => $Name, -default => $Default, -size => $Size, -maxlength => $MaxLength, %Options,); -} +} -sub TextArea (%) { +sub TextArea (%) { require "Utilities.pm"; my (%Params) = @_; - + my $HelpLink = $Params{-helplink} ; my $HelpText = $Params{-helptext} ; my $ExtraText = $Params{-extratext}; 
@@ -371,21 +371,21 @@ sub TextArea (%) { my $Default = $Params{-default} || ""; my $Columns = $Params{-columns} || 40; my $Rows = $Params{-rows} || 6; - - my $ElementTitle = &FormElementTitle(-helplink => $HelpLink , + + my $ElementTitle = &FormElementTitle(-helplink => $HelpLink , -helptext => $HelpText , -extratext => $ExtraText, -text => $Text , -nobreak => $NoBreak , -required => $Required ); - print $ElementTitle,"\n"; - print $query -> textarea (-name => $Name, -default => &SafeHTML($Default), + print $ElementTitle,"\n"; + print $query -> textarea (-name => $Name, -default => &SafeHTML($Default), -columns => $Columns, -rows => $Rows); -} +} -sub FormElementTitle (%) { +sub FormElementTitle (%) { my (%Params) = @_; - + my $HelpLink = $Params{-helplink} || ""; my $HelpText = $Params{-helptext} || ""; my $ExtraText = $Params{-extratext} || ""; @@ -397,14 +397,14 @@ sub FormElementTitle (%) { my $TitleText = ""; my $Colon = ""; - + unless ($HelpLink || $Text) { return $TitleText; - } - + } + unless ($NoColon) { $Colon = ":"; - } + } unless ($NoBold) { $TitleText .= ""; } @@ -412,26 +412,26 @@ sub FormElementTitle (%) { $TitleText .= ""; $TitleText .= "$HelpText$Colon"; } elsif ($Text) { - $TitleText .= "$Text$Colon"; + $TitleText .= "$Text$Colon"; } unless ($NoBold) { $TitleText .= ""; } - + if ($Required) { $TitleText .= $RequiredMark; - } - + } + if ($ExtraText) { $TitleText .= " $ExtraText"; - } - - if ($NoBreak) { + } + + if ($NoBreak) { # $TitleText .= "\n"; } else { $TitleText .= "
    \n"; - } - + } + return $TitleText; } diff --git a/DocDB/cgi/RevisionHTML.pm b/DocDB/cgi/RevisionHTML.pm index 7618664f..0d448e04 100644 --- a/DocDB/cgi/RevisionHTML.pm +++ b/DocDB/cgi/RevisionHTML.pm @@ -35,7 +35,8 @@ sub TitleBox (%) { -helptext => "Title" , -required => $Required ); print $ElementTitle,"\n"; - print $query -> textfield (-name => 'title', -default => $TitleDefault, + my $SafeDefault = SmartHTML({-text => $TitleDefault},); + print $query -> textfield (-name => 'title', -default => $SafeDefault, -size => 70, -maxlength => 240); }; @@ -54,11 +55,13 @@ sub AbstractBox (%) { -helptext => $HelpText , -required => $Required ); print $ElementTitle,"\n"; - print $query -> textarea (-name => $Name, -default => $AbstractDefault, + my $SafeDefault = SmartHTML({-text => $AbstractDefault},); + print $query -> textarea (-name => $Name, -default => $SafeDefault, -rows => $Rows, -columns => $Columns); }; sub RevisionNoteBox { + # FIXME: Make Javascript OK with SmartHTML my (%Params) = @_; my $Default = $Params{-default} || ""; my $JSInsert = $Params{-jsinsert} || ""; @@ -83,7 +86,8 @@ sub RevisionNoteBox { -extratext => $ExtraText, -required => $Required ); print $ElementTitle,"\n"; - print $query -> textarea (-name => 'revisionnote', -default => $Default, + my $SafeDefault = SmartHTML({-text => $Default},); + print $query -> textarea (-name => 'revisionnote', -default => $SafeDefault, -columns => 60, -rows => 6); }; From 42c6c700be324b3b94063d838df57784ecd32f57 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 10 Jul 2013 16:03:09 +0200 Subject: [PATCH 052/163] SmartHTML for Author Entry --- DocDB/cgi/AuthorHTML.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DocDB/cgi/AuthorHTML.pm b/DocDB/cgi/AuthorHTML.pm index 76671910..26e463fc 100644 --- a/DocDB/cgi/AuthorHTML.pm +++ b/DocDB/cgi/AuthorHTML.pm 
@@ -310,7 +310,7 @@ sub AuthorScroll (%) { my @ActiveIDs = (); foreach my $ID (@AuthorIDs) { if ($Authors{$ID}{ACTIVE} || $All) { - $AuthorLabels{$ID} = $Authors{$ID}{Formal}; + $AuthorLabels{$ID} = SmartHTML({-text=>$Authors{$ID}{Formal}}); push @ActiveIDs,$ID; } } @@ -347,7 +347,7 @@ sub AuthorTextEntry ($;@) { foreach $AuthorID (@Defaults) { FetchAuthor($AuthorID); - $AuthorManDefault .= "$Authors{$AuthorID}{FULLNAME}\n" ; + $AuthorManDefault .= SmartHTML({-text=>$Authors{$AuthorID}{FULLNAME}})."\n" ; } print FormElementTitle(-helplink => $HelpLink, -helptext => $HelpText, From ed4fba5247806ee4e692ed0ca7c8cfc692969444 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 10 Jul 2013 16:14:00 +0200 Subject: [PATCH 053/163] SmartHTML for KeywordsBox --- DocDB/cgi/KeywordHTML.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/DocDB/cgi/KeywordHTML.pm b/DocDB/cgi/KeywordHTML.pm index 5dffcf5a..197db2b0 100644 --- a/DocDB/cgi/KeywordHTML.pm +++ b/DocDB/cgi/KeywordHTML.pm @@ -274,6 +274,7 @@ sub KeywordsBox (%) { Chooser
    ", -required => $Required ); print $ElementTitle,"\n"; + my $SafeDefault = SmartHTML({-text => $KeywordsDefault},); print $query -> textfield (-name => 'keywords', -default => $KeywordsDefault, -size => 70, -maxlength => 240); }; From 0a890ef6a9acc7edb1b32fda1914600388de1058 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 10 Jul 2013 16:20:14 +0200 Subject: [PATCH 054/163] Do topics with SmartHTML --- DocDB/cgi/TopicHTML.pm | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/DocDB/cgi/TopicHTML.pm b/DocDB/cgi/TopicHTML.pm index 43f2d8c6..a9e8edf3 100644 --- a/DocDB/cgi/TopicHTML.pm +++ b/DocDB/cgi/TopicHTML.pm @@ -378,15 +378,17 @@ sub TopicScroll ($) { my %TopicLabels = (); # my @ActiveIDs = @TopicIDs; # Later can select single root topics, etc. + my $SafeShort = SmartHTML({-text=>$Topics{$ID}{Short}}); + my $SafeLong = SmartHTML({-text=>$Topics{$ID}{Long}}); + foreach my $ID (@TopicIDs) { my $Spaces = '-'x(1*(scalar(@{$TopicProvenance{$ID}})-1)); if ($ItemFormat eq "short") { - $TopicLabels{$ID} = $Spaces.CGI::escapeHTML($Topics{$ID}{Short}); + $TopicLabels{$ID} = $Spaces.$SafeShort; } elsif ($ItemFormat eq "long") { - $TopicLabels{$ID} = $Spaces.CGI::escapeHTML($Topics{$ID}{Long}); + $TopicLabels{$ID} = $Spaces.$SafeLong; } elsif ($ItemFormat eq "full") { - $TopicLabels{$ID} = $Spaces.CGI::escapeHTML($Topics{$ID}{Short}. - " [".$Topics{$ID}{Long}."]"); + $TopicLabels{$ID} = $Spaces.$SafeShort." [".$SafeLong."]"); } if (($ItemFormat eq "short" or $ItemFormat eq "long") && @@ -399,13 +401,10 @@ sub TopicScroll ($) { -text => $Text , -extratext => $ExtraText, -required => $Required); - $query -> autoEscape(0); # Turn off and on since sometimes scrolling_list double escape this. - print $query -> scrolling_list(-name => $Name, -values => \@TopicIDs, -size => $Size, -labels => \%TopicLabels, -multiple => $Multiple, -default => \@Defaults, %Options); - $query -> autoEscape(1); } 1; 
From 54f3ed81c675715ac21b1c5142a3805cfbcab25b Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 10 Jul 2013 09:27:01 -0500 Subject: [PATCH 055/163] Fix mistakes in TopicHTML --- DocDB/cgi/DocDBGlobals.pm | 2 +- DocDB/cgi/TopicHTML.pm | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/DocDB/cgi/DocDBGlobals.pm b/DocDB/cgi/DocDBGlobals.pm index 12ab8805..6cfc53dd 100644 --- a/DocDB/cgi/DocDBGlobals.pm +++ b/DocDB/cgi/DocDBGlobals.pm @@ -30,7 +30,7 @@ use DateTime; $LocalTimezone = DateTime::TimeZone->new(name => 'local'); $TRUE = 1; $FALSE = 0; - +$DebugOutput=1; # Advertising link for DocDB $DocDBHome = "http://docdb-v.sourceforge.net/"; diff --git a/DocDB/cgi/TopicHTML.pm b/DocDB/cgi/TopicHTML.pm index a9e8edf3..bdd2e481 100644 --- a/DocDB/cgi/TopicHTML.pm +++ b/DocDB/cgi/TopicHTML.pm @@ -378,17 +378,16 @@ sub TopicScroll ($) { my %TopicLabels = (); # my @ActiveIDs = @TopicIDs; # Later can select single root topics, etc. - my $SafeShort = SmartHTML({-text=>$Topics{$ID}{Short}}); - my $SafeLong = SmartHTML({-text=>$Topics{$ID}{Long}}); - foreach my $ID (@TopicIDs) { + my $SafeShort = SmartHTML({-text=>$Topics{$ID}{Short}}); + my $SafeLong = SmartHTML({-text=>$Topics{$ID}{Long}}); my $Spaces = '-'x(1*(scalar(@{$TopicProvenance{$ID}})-1)); if ($ItemFormat eq "short") { $TopicLabels{$ID} = $Spaces.$SafeShort; } elsif ($ItemFormat eq "long") { $TopicLabels{$ID} = $Spaces.$SafeLong; } elsif ($ItemFormat eq "full") { - $TopicLabels{$ID} = $Spaces.$SafeShort." [".$SafeLong."]"); + $TopicLabels{$ID} = $Spaces.$SafeShort." [".$SafeLong."]"; } if (($ItemFormat eq "short" or $ItemFormat eq "long") && From b4cdf1c6914ae9d6cd951610eed2f16f5658998d Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Thu, 11 Jul 2013 16:33:06 +0200 Subject: [PATCH 056/163] Fix up keyword chooser --- DocDB/cgi/DocDBGlobals.pm | 2 +- DocDB/cgi/KeywordHTML.pm | 11 +++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) 
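Review bot: `$DebugOutput=1;` is added to the shared DocDBGlobals.pm in a commit described as a TopicHTML fix; a global debug switch committed on by default affects every script that requires this file and, depending on what honours it (not visible here), can put diagnostic detail on user-facing pages. It looks like a leftover from local testing and should be dropped, or left to a local configuration override, rather than merged with the TopicHTML change.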
diff --git a/DocDB/cgi/DocDBGlobals.pm b/DocDB/cgi/DocDBGlobals.pm index 6cfc53dd..12ab8805 100644 --- a/DocDB/cgi/DocDBGlobals.pm +++ b/DocDB/cgi/DocDBGlobals.pm @@ -30,7 +30,7 @@ use DateTime; $LocalTimezone = DateTime::TimeZone->new(name => 'local'); $TRUE = 1; $FALSE = 0; -$DebugOutput=1; + # Advertising link for DocDB $DocDBHome = "http://docdb-v.sourceforge.net/"; diff --git a/DocDB/cgi/KeywordHTML.pm b/DocDB/cgi/KeywordHTML.pm index 197db2b0..506506ea 100644 --- a/DocDB/cgi/KeywordHTML.pm +++ b/DocDB/cgi/KeywordHTML.pm @@ -231,17 +231,20 @@ sub KeywordLinkByID ($;%) { my $NoLink = $Params{-nolink} || ""; # will just return information &FetchKeyword($KeywordID); - my $Keyword = $Keywords{$KeywordID}{Short}; + my $SafeShortKeyword = SmartHTML( {-text => $Keywords{$KeywordID}{Short}} ); + my $SafeLongKeyword = SmartHTML( {-text => $Keywords{$KeywordID}{long}} ); my $Link; + # FIXME_XSS: Check to make sure this kind of search still works. + # May need to remove special characters or adapt search atoms unless ($NoLink) { - $Link .= ""; + $Link .= ""; } if ($Format eq "short") { - $Link .= $Keywords{$KeywordID}{Short}; + $Link .= $SafeShortKeyword; } elsif ($Format eq "long") { - $Link .= $Keywords{$KeywordID}{Long}; + $Link .= $SafeLongKeyword; } unless ($NoLink) { From 8dd2727802b5fca11cbcc2e52deda160f0188575 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Thu, 11 Jul 2013 16:42:47 +0200 Subject: [PATCH 057/163] Fix Keyword Chooser --- DocDB/cgi/KeywordHTML.pm | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/DocDB/cgi/KeywordHTML.pm b/DocDB/cgi/KeywordHTML.pm index 506506ea..8c73d0e8 100644 --- a/DocDB/cgi/KeywordHTML.pm +++ b/DocDB/cgi/KeywordHTML.pm 
@@ -34,11 +34,11 @@ sub KeywordGroupInfo ($;$) { &FetchKeywordGroup($KeyID); my $info; if ($mode eq "short") { - $info = $KeywordGroups{$KeyID}{Short}; + $info = SmartHTML({-text=>$KeywordGroups{$KeyID}{Short}}); } elsif ($mode eq "long") { - $info = $KeywordGroups{$KeyID}{Long}; + $info = SmartHTML({-text=>$KeywordGroups{$KeyID}{Long}}); } else { - $info = $KeywordGroups{$KeyID}{Short}; + $info = SmartHTML({-text=>$KeywordGroups{$KeyID}{Short}}); } return $info; @@ -46,7 +46,8 @@ sub KeywordGroupInfo ($;$) { sub KeywordsbyKeywordGroup ($;$) { - # FIXME: Make KeyLink SmartHTML + # FIXME_XSS: Check to make sure this kind of search still works. + # May need to remove special characters or adapt search atoms my ($KeywordGroupID,$Mode) = @_; require "Sorts.pm"; @@ -59,8 +60,9 @@ sub KeywordsbyKeywordGroup ($;$) { foreach my $KeywordID (@KeywordIDs) { my $KeyLink; if ($Mode eq "chooser") { + my $SafeKeyword = SmartHTML({-text=>$KeywordGroups{$KeyID}{Short}}); $KeyLink = "$Keywords{$KeywordID}{Short}"; + "onclick=\"InsertKeyword('$SafeKeyword');\">$SafeKeyword"; } else { $KeyLink = &KeywordLinkByID($KeywordID,-format => "short"); } From bf42e07c39f601402899ef15a10e6d0f7f6d9a69 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Thu, 11 Jul 2013 17:12:54 +0200 Subject: [PATCH 058/163] Can't untaint single_upload either --- DocDB/cgi/ProcessDocumentAdd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DocDB/cgi/ProcessDocumentAdd b/DocDB/cgi/ProcessDocumentAdd index 4e5f0099..ea502a39 100755 --- a/DocDB/cgi/ProcessDocumentAdd +++ b/DocDB/cgi/ProcessDocumentAdd 
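Review bot: In the chooser branch of KeywordsbyKeywordGroup `$SafeKeyword` is interpolated into a JavaScript string literal inside the onclick attribute (`InsertKeyword('$SafeKeyword')`), and HTML entity escaping is not the escaping that context needs: a keyword containing `'` or `\` still ends or alters the JS literal unless SmartHTML also rewrites those characters, which I cannot see from here. The value should be escaped for a JS string (backslash, both quote characters, line breaks) and then for the attribute, or better, carried in the element text or a data attribute and read by the handler instead of being embedded in inline script. The new `$KeywordGroups{$KeyID}` lookup also uses a variable this sub does not declare; a later commit in this series replaces it with `$Keywords{$KeywordID}{Short}`.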
@@ -144,7 +144,7 @@ my @RequestedTopicIDs = @{ $Untaint -> extract(-as_listofint => "topics") || und # Zip/tarfile params -my $SingleUpload = $Untaint -> extract(-as_printable => "single_upload") || ""; +my $SingleUpload = $query -> param("single_upload"); # Filehandle my $SingleHTTP = $Untaint -> extract(-as_printable => "single_http") || ""; my $MainFile = $Untaint -> extract(-as_printable => "mainfile") || ""; my $Description = $Untaint -> extract(-as_safehtml => "filedesc") || ""; From 01c97b3e0db4f8c004e3bf5b10826421bad1b3be Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Thu, 11 Jul 2013 17:18:07 +0200 Subject: [PATCH 059/163] Use correct types for override variables --- DocDB/cgi/ProcessDocumentAdd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DocDB/cgi/ProcessDocumentAdd b/DocDB/cgi/ProcessDocumentAdd index ea502a39..551b4a8e 100755 --- a/DocDB/cgi/ProcessDocumentAdd +++ b/DocDB/cgi/ProcessDocumentAdd @@ -119,9 +119,9 @@ my $DocTypeID = $Untaint -> extract(-as_integer => "doctype") || 0; my $RequesterID = $Untaint -> extract(-as_integer => "requester") || 0; my $SessionTalkID = $Untaint -> extract(-as_integer => "sessiontalkid") || 0; -my $Overdate = $Untaint -> extract(-as_integer => "overdate") || 0; +my $Overdate = $Untaint -> extract(-as_safehtml => "overdate") || 0; my $Overday = $Untaint -> extract(-as_integer => "overday") || 0; -my $Overmonth = $Untaint -> extract(-as_integer => "overmonth") || 0; +my $Overmonth = $Untaint -> extract(-as_safehtml => "overmonth") || 0; my $Overyear = $Untaint -> extract(-as_integer => "overyear") || 0; my $Overmin = $Untaint -> extract(-as_integer => "overmin") || 0; my $Overhour = $Untaint -> extract(-as_integer => "overhour") || 0; From 24c3f23df41d626c51839db9e601f189d343b1cc Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Thu, 11 Jul 2013 10:22:06 -0500 Subject: [PATCH 060/163] Fix keyword hash --- DocDB/cgi/KeywordHTML.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
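Review bot: `overdate` and `overmonth` are switched to `-as_safehtml`, which only guarantees the value is safe to print as HTML, not that it is a date or a month name; the neighbouring `overday`/`overyear`/`overmin`/`overhour` keep `-as_integer`, so these two are now the loosest-checked of the set. Since the values are presumably split and looked up in a month table further down (not visible in this hunk), check their shape before use — an anchored match against whatever format the form emits for `$Overdate`, and membership of `$Overmonth` in the month list — and treat anything else as an error. A short comment saying why `-as_safehtml` was chosen over a stricter extractor, e.g. `# free-form strings; validated against the month table / date pattern below`, would keep the next reader from "fixing" it back to `-as_integer`.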
diff --git a/DocDB/cgi/KeywordHTML.pm b/DocDB/cgi/KeywordHTML.pm index 8c73d0e8..47cd8085 100644 --- a/DocDB/cgi/KeywordHTML.pm +++ b/DocDB/cgi/KeywordHTML.pm @@ -60,7 +60,7 @@ sub KeywordsbyKeywordGroup ($;$) { foreach my $KeywordID (@KeywordIDs) { my $KeyLink; if ($Mode eq "chooser") { - my $SafeKeyword = SmartHTML({-text=>$KeywordGroups{$KeyID}{Short}}); + my $SafeKeyword = SmartHTML({-text=>$Keywords{$KeywordID}{Short}}); $KeyLink = "$SafeKeyword"; } else { From 4649945f8ec82598f4e9ed180e93c28af4b7912f Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Mon, 22 Jul 2013 15:33:36 -0500 Subject: [PATCH 061/163] Clean up params a bit --- DocDB/cgi/ProcessDocumentAdd | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/DocDB/cgi/ProcessDocumentAdd b/DocDB/cgi/ProcessDocumentAdd index 551b4a8e..a3295735 100755 --- a/DocDB/cgi/ProcessDocumentAdd +++ b/DocDB/cgi/ProcessDocumentAdd @@ -71,8 +71,7 @@ GetSecurityGroups(); ### Set up, give user initial information -#%params = $query -> Vars; # TODO remove -my $Untaint = CGI::Untaint -> new($query -> Vars); +my $Untaint = CGI::Untaint -> new($query -> Vars); my $Mode = $Untaint -> extract(-as_printable => "mode") || ""; $mode = $Mode; #FIXME: Remove when not needed @@ -86,7 +85,7 @@ if ($Mode eq "reserve") { &DocDBHeader("$Project Document Modification Results","Document Modification Results",-scripts => ["PopUps"]); } -### Pull info out of params into local variables +### Pull info out of parameters into local variables # "Hidden" things From 8e589679d1cac4317cb445aa370415545e19bd6c Mon Sep 17 00:00:00 2001 
From: Eric Vaandering Date: Mon, 22 Jul 2013 16:47:55 -0500 Subject: [PATCH 062/163] Fix author add script, administer forms, and file addition --- DocDB/cgi/AddFiles | 43 +++++++++++++++++++++------------------- DocDB/cgi/AddFilesForm | 1 + DocDB/cgi/AdministerForm | 1 + DocDB/cgi/AdministerHome | 1 + DocDB/cgi/AuthorAdd | 13 ++++++------ DocDB/cgi/AuthorAddForm | 6 ++++-- 6 files changed, 37 insertions(+), 28 deletions(-) diff --git a/DocDB/cgi/AddFiles b/DocDB/cgi/AddFiles index aaa9dbb8..259451f6 100755 --- a/DocDB/cgi/AddFiles +++ b/DocDB/cgi/AddFiles @@ -61,7 +61,7 @@ $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass ### Set up, give user initial information -%params = $query -> Vars; +my $Untaint = CGI::Untaint -> new($query -> Vars); print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("$Project File Addition Results","File Addition Results"); @@ -73,12 +73,12 @@ print $query -> header( -charset => $HTTP_ENCODING ); ### Get document and revision ID -my $DocumentID = $params{docid}; -my $Version = $params{version}; -my $Replace = $params{replace}; -my $MaxFiles = $params{maxfiles}; -my $SubmitAgree = $params{submitagree}; -my $PreserveSigs = $params{preservesigs}; +my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0; +my $Version = $Untaint -> extract(-as_integer => "version") || 0; +my $Replace = $Untaint -> extract(-as_printable => "replace") || ""; +my $MaxFiles = $Untaint -> extract(-as_integer => "maxfiles") || 0; +my $Replace = $Untaint -> extract(-as_printable => "submitagree") || ""; +my $Replace = $Untaint -> extract(-as_printable => "preservesigs") || ""; my $DocRevID; 
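Review bot: The last two new extractions in the AddFiles parameter hunk both assign to `my $Replace` instead of `$SubmitAgree` and `$PreserveSigs`, so `$Replace` ends up holding the preservesigs value, the replace flag read on the previous line is lost, and `$SubmitAgree`/`$PreserveSigs` are never set — the `if ($PreserveSigs && !CanPreserveSigs())` context in the next hunk now tests an unset variable (under `use strict` the redeclaration would be a compile error). The lines should read `my $SubmitAgree = $Untaint -> extract(-as_printable => "submitagree") || "";` and `my $PreserveSigs = $Untaint -> extract(-as_printable => "preservesigs") || "";`.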
@@ -86,11 +86,8 @@ my $DocRevID; if ($DocumentID && $Version) { $DocRevID = &FetchRevisionByDocumentAndVersion($DocumentID,$Version); - unless ($DocRevID) { - push @ErrorStack,"No such document exists."; - } - unless (&CanModify($DocumentID,$Version)) { - push @ErrorStack,"You are not authorized to modify this document."; + unless ($DocRevID && CanModify($DocumentID,$Version)) { + push @ErrorStack,"You are not authorized to modify this document or it does not exist."; } } else { push @ErrorStack,"You must supply document and version numbers to add files."; @@ -110,6 +107,8 @@ if ($PreserveSigs && !CanPreserveSigs()) { my $UpdateLink = $DocumentAddForm."?mode=update&docid=$DocumentID"; # Fill in file hash +my $HttpUser = $Untaint -> extract(-as_printable => "http_user") || ""; +my $HttpPass = $Untaint -> extract(-as_printable => "http_pass") || ""; my %Files = (); my $NeedURLs = 0; @@ -117,9 +116,13 @@ my $AddNewFile = 0; for (my $i = 1; $i<= $MaxFiles; ++$i) { my $Key = $i; # Probably something better later - if ($params{"upload$i"}) { + my $UploadI = $query -> param("upload$i"); + my $UrlI = $Untaint -> extract(-as_printable => "url$i") || ""; + my $MainI = $Untaint -> extract(-as_printable => "main$i") || ""; + my $DescriptionI = $Untaint -> extract(-as_safehtml => "filedesc$i") || ""; + if ($UploadI) { $AddNewFile = 1; - $Files{$Key}{File} = $query -> param("upload$i"); + $Files{$Key}{File} = $UploadI; if (&ExistsUpload($DocRevID,$Files{$Key}{File})) { if ($Replace) { push @WarnStack,"The file $short_file already existed and has been 
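Review bot: `my $UploadI = $query -> param("upload$i");` in the `@@ -117` hunk is the one request value that bypasses `$Untaint`, presumably because an upload field yields a filehandle rather than a string, and that reason deserves a comment so the next reader does not route it through `extract` or assume the file name was validated, e.g. `# Upload fields are filehandles, not strings; they cannot go through CGI::Untaint`. `$Files{$Key}{File}` is then handed to `ExistsUpload` and presumably stored, so any sanitising of the client-supplied file name has to happen downstream, which I cannot see from here. The `for` loop body continues past the end of this hunk.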
@@ -131,12 +134,12 @@ for (my $i = 1; $i<= $MaxFiles; ++$i) { document, not add files."; } } - } elsif ($params{"url$i"}) { + } elsif ($UrlI) { $NeedURLs = 1; $AddNewFile = 1; - $Files{$Key}{URL} = $params{"url$i"}; - $Files{$Key}{User} = $params{http_user}; - $Files{$Key}{Pass} = $params{http_pass}; + $Files{$Key}{URL} = $UrlI; + $Files{$Key}{User} = $HttpUser; + $Files{$Key}{Pass} = $HttpPass; if (&ExistsURL($DocRevID,$Files{$Key}{URL})) { if ($Replace) { push @WarnStack,"The file $short_file already existed and has been @@ -150,13 +153,13 @@ for (my $i = 1; $i<= $MaxFiles; ++$i) { } } - if ($params{"main$i"}) { + if ($MainI) { $Files{$Key}{Main} = 1; } else { $Files{$Key}{Main} = 0; } - $Files{$Key}{Description} = $params{"filedesc$i"}; + $Files{$Key}{Description} = $DescriptionI; } unless ($AddNewFile) { diff --git a/DocDB/cgi/AddFilesForm b/DocDB/cgi/AddFilesForm index 8af0c11d..e92be391 100755 --- a/DocDB/cgi/AddFilesForm +++ b/DocDB/cgi/AddFilesForm @@ -48,6 +48,7 @@ require "HTMLUtilities.pm"; require "Scripts.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); &GetSecurityGroups; diff --git a/DocDB/cgi/AdministerForm b/DocDB/cgi/AdministerForm index 1e98992e..b0efae94 100755 --- a/DocDB/cgi/AdministerForm +++ b/DocDB/cgi/AdministerForm @@ -52,6 +52,7 @@ require "HTMLUtilities.pm"; require "Sorts.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); &GetSecurityGroups; diff --git a/DocDB/cgi/AdministerHome b/DocDB/cgi/AdministerHome index 9f8fb540..fabaab58 100755 --- a/DocDB/cgi/AdministerHome +++ b/DocDB/cgi/AdministerHome 
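Review bot: `$query -> autoEscape(0);` in the AddFilesForm hunk switches off CGI.pm's HTML-escaping of the values it places into generated form elements, so from now on every `-default`/`-value`/`-labels` argument built from database or request data has to be escaped by the caller; the same line is added to AdministerForm and AdministerHome in this commit and to nearly every script in the following commits (AuthorAddForm, AuthorAdminister, BulkCertificateInsert and so on). The intent is presumably that values are already untainted with `-as_safehtml` or passed through SmartHTML, but the code that renders stored database values into these forms is not in this diff. A one-line comment stating the new contract at the first occurrence would make the assumption visible: `$query -> autoEscape(0); # CGI.pm no longer escapes; values given to form elements must already be HTML-safe`.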
@@ -37,6 +37,7 @@ require "SecurityHTML.pm"; #require "MeetingSecurityUtilities.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); GetSecurityGroups(); diff --git a/DocDB/cgi/AuthorAdd b/DocDB/cgi/AuthorAdd index 7d1d74a1..24faf37f 100755 --- a/DocDB/cgi/AuthorAdd +++ b/DocDB/cgi/AuthorAdd @@ -1,10 +1,11 @@ #! /usr/bin/env perl # +# Name: AuthorAdd # Description: Adds an author into the DB list of authors. # Called by submission from AddAuthorForm # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: Eric Vaandering (ewv@fnal.gov) # # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant @@ -38,12 +39,12 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass); GetSecurityGroups(); -%params = $query -> Vars; +my $Untaint = CGI::Untaint -> new($query -> Vars); -$InstitutionID = $params{inst}; -$FirstName = $params{first}; -$MiddleInitials = $params{middle}; -$LastName = $params{lastname}; +my $InstitutionID = $Untaint -> extract(-as_integer => "inst") || 0; +my $FirstName = $Untaint -> extract(-as_safehtml => "first") || 0; +my $MiddleInitials = $Untaint -> extract(-as_safehtml => "middle") || 0; +my $LastName = $Untaint -> extract(-as_safehtml => "lastname") || 0; print $query -> header( -charset => $HTTP_ENCODING ); DocDBHeader("Author Addition Results"); diff --git a/DocDB/cgi/AuthorAddForm b/DocDB/cgi/AuthorAddForm index 39eafe51..0eca817d 100755 --- a/DocDB/cgi/AuthorAddForm +++ b/DocDB/cgi/AuthorAddForm @@ -1,9 +1,10 @@ #! /usr/bin/env perl # -# Description: A simple for to allow new author addition (no changes possible) +# Description: A simple script to allow new author addition (no changes possible) # +# Name: AuthorAddForm # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: Eric Vaandering (ewv@fnal.gov) # # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant 
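Review bot: In the AuthorAdd `@@ -38` hunk the three name fields default to the number `0` (`my $FirstName = $Untaint -> extract(-as_safehtml => "first") || 0;` and the two lines after it), so an empty or rejected middle-initials field presumably reaches the insert as the literal string "0" rather than an empty value; the integer id correctly gets `|| 0`, the strings should get `|| ""` as AddFiles does for `replace`. The same `|| 0` on string fields is repeated for `first`, `middle` and `lastname` in AuthorAdminister in the next commit and for `name` and `longdesc` in DocTypeAdminister. Turning the former package globals into `my` lexicals is fine provided no subroutine in these scripts reads them as globals, which this diff does not show.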
@@ -36,6 +37,7 @@ require "HTMLUtilities.pm"; require "Sorts.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); GetInstitutions(); From 9a5dc7866e8476dfe6c4b22df357dc9b6237e5c8 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Mon, 29 Jul 2013 14:25:33 -0500 Subject: [PATCH 063/163] Update more scripts with untaint --- DocDB/cgi/AdministerHome | 5 +++-- DocDB/cgi/AuthorAdminister | 22 ++++++++++++---------- DocDB/cgi/BulkCertificateInsert | 8 ++++---- DocDB/cgi/ConfirmTalkHint | 14 +++++--------- DocDB/cgi/CustomListForm | 27 ++++++++++++++------------- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/DocDB/cgi/AdministerHome b/DocDB/cgi/AdministerHome index fabaab58..96400731 100755 --- a/DocDB/cgi/AdministerHome +++ b/DocDB/cgi/AdministerHome @@ -1,5 +1,8 @@ #! /usr/bin/env perl # +# Name: AdministerHome +# Description: A "home page" for the various administration pages +# # Author: Lynn Garren (garren@fnal.gov) # Modified: Eric Vaandering (ewv@fnal.gov) @@ -30,11 +33,9 @@ require "Scripts.pm"; require "ResponseElements.pm"; require "FormElements.pm"; require "Messages.pm"; -#require "Cookies.pm"; require "Security.pm"; require "SecuritySQL.pm"; require "SecurityHTML.pm"; -#require "MeetingSecurityUtilities.pm"; $query = new CGI; # Global for subroutines $query -> autoEscape(0); diff --git a/DocDB/cgi/AuthorAdminister b/DocDB/cgi/AuthorAdminister index f44acd79..f88e0192 100755 --- a/DocDB/cgi/AuthorAdminister +++ b/DocDB/cgi/AuthorAdminister 
@@ -38,24 +38,26 @@ require "AuthorSQL.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); -%params = $query -> Vars; +my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); # Parameters to script -$Password = $params{password}; -my $Username = $params{admuser}; -$Action = $params{admaction}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; -my $AuthorID = $params{authors}; -my $ConsolidateID = $params{targetauthor}; -$FirstName = $params{first}; -$Middle = $params{middle}; -$LastName = $params{lastname}; -$InstitutionID = $params{inst}; +my $AuthorID = $Untaint -> extract(-as_integer => "authors") || 0; +my $ConsolidateID = $Untaint -> extract(-as_integer => "targetauthor") || 0; +my $InstitutionID = $Untaint -> extract(-as_integer => "inst") || 0; + +my $FirstName = $Untaint -> extract(-as_safehtml => "first") || 0; +my $Middle = $Untaint -> extract(-as_safehtml => "middle") || 0; +my $LastName = $Untaint -> extract(-as_safehtml => "lastname") || 0; $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); diff --git a/DocDB/cgi/BulkCertificateInsert b/DocDB/cgi/BulkCertificateInsert index 271acc8f..85f2c8f7 100755 --- a/DocDB/cgi/BulkCertificateInsert +++ b/DocDB/cgi/BulkCertificateInsert @@ -3,7 +3,7 @@ # Description: Allows an administrator to create entries for certificate users in EmailUser # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: Eric Vaandering (ewv@fnal.gov) # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant 
@@ -41,18 +41,18 @@ require "SecuritySQL.pm"; require "SecurityHTML.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); # Parameters to script my $Untaint = CGI::Untaint -> new($query -> Vars); -my %CGIParams = $query -> Vars; my $Password = $Untaint -> extract (-as_printable => "password") || ""; my $Username = $Untaint -> extract (-as_printable => "admuser") || ""; my $Action = $Untaint -> extract (-as_printable => "admaction") || ""; my $Force = $Untaint -> extract (-as_printable => "admforce") || ""; my $CanSign = $Untaint -> extract (-as_printable => "CanSign") || ""; -my @GroupIDs = split /\0/,$CGIParams{group}; +my @GroupIDs = @{ $Untaint -> extract(-as_listofint => "group") || undef }; if ($CanSign) {$CanSign = $TRUE;} @@ -96,7 +96,7 @@ if ($Action eq "Insert") { foreach my $Row (1..$MaxUsers) { my $Username = $Untaint -> extract (-as_printable => "name$Row") || ""; - my $Name = $Untaint -> extract (-as_printable => "commonname$Row") || ""; + my $Name = $Untaint -> extract (-as_safehtml => "commonname$Row") || ""; my $Email = $Untaint -> extract (-as_printable => "email$Row") || ""; if ($Username) { diff --git a/DocDB/cgi/ConfirmTalkHint b/DocDB/cgi/ConfirmTalkHint index 0288fc32..b7ed53ce 100755 --- a/DocDB/cgi/ConfirmTalkHint +++ b/DocDB/cgi/ConfirmTalkHint @@ -4,7 +4,7 @@ # and a document # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: Eric Vaandering (ewv@fnal.gov) # # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant 
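Review bot: `my @GroupIDs = @{ $Untaint -> extract(-as_listofint => "group") || undef };` in the BulkCertificateInsert hunk dies with "Can't use an undefined value as an ARRAY reference" whenever no group is selected or the value fails validation, because `extract` returns undef in both cases and `|| undef` changes nothing; the fallback must be an empty array reference, `|| []`. The replaced `split /\0/,$CGIParams{group}` returned an empty list for a missing parameter, so an optional multi-select that used to work now aborts the script. The same construct is repeated for `eventgroups`, `events`, `defaultlists`, `topics` and `doctype` in CustomListForm, `authors` and `topics` in EditTalkInfo, `usergroups` in EmailAdminister, `child` in GroupAdminister and `keywordgroup` in KeywordListAdminister.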
@@ -45,19 +45,15 @@ require "Security.pm"; require "SQLChecks.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); -%params = $query -> Vars; +my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); -$DocumentID = $params{documentid}; -$SessionTalkID = $params{sessiontalkid}; - -$DocumentID =~ s/^\s+//; # Remove leading and trailing spaces -$DocumentID =~ s/\s+$//; -$SessionTalkID =~ s/^\s+//; -$SessionTalkID =~ s/\s+$//; +my $DocumentID = $Untaint -> extract(-as_integer => "documentid") || 0; +my $SessionTalkID = $Untaint -> extract(-as_integer => "sessiontalkid") || 0; unless ($DocumentID) { push @ErrorStack,"You are must supply a document number!"; diff --git a/DocDB/cgi/CustomListForm b/DocDB/cgi/CustomListForm index 8053ad56..5afedac6 100755 --- a/DocDB/cgi/CustomListForm +++ b/DocDB/cgi/CustomListForm @@ -55,16 +55,17 @@ require "MeetingHTML.pm"; require "TopicHTML.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); -%params = $query -> Vars; +my $Untaint = CGI::Untaint -> new($query -> Vars); -my $Scope = $params{scope}; -my @EventGroupIDs = split /\0/,$params{eventgroups}; -my @EventIDs = split /\0/,$params{events}; -my @Defaults = split /\0/,$params{defaultlists}; -my @TopicIDs = split /\0/,$params{topics}; -my @DocTypeIDs = split /\0/,$params{doctype}; -my $DefaultEventID = $params{eventid}; +my $Scope = $Untaint -> extract(-as_printable => "scope") || ""; +my @EventGroupIDs = @{ $Untaint -> extract(-as_listofint => "eventgroups") || undef }; +my @EventIDs = @{ $Untaint -> extract(-as_listofint => "events") || undef }; +my @Defaults = @{ $Untaint -> extract(-as_listofwords => "defaultlists") || undef }; +my @TopicIDs = @{ $Untaint -> extract(-as_listofint => "topics") || undef }; +my @DocTypeIDs = @{ $Untaint -> extract(-as_listofint => "doctype") || undef }; +my $DefaultEventID = $Untaint -> extract(-as_integer => "eventid") || 0; my $MaxFields = 15; my @Cookies = (); 
@@ -98,13 +99,13 @@ if (CanAdminister()) { my %FieldList = (); foreach my $FieldCount (1..$MaxFields) { - my $Field = $params{"field$FieldCount"}; + my $Field = $Untaint -> extract(-as_printable => "field$FieldCount") || ""; if ($Field && $Field ne "xxxx") { push @ActionStack,"Field \"$Field\" added to the display"; - $FieldList{$Field}{Row} = $params{"row$FieldCount"}; - $FieldList{$Field}{Column} = $params{"col$FieldCount"}; - $FieldList{$Field}{RowSpan} = $params{"rowspan$FieldCount"}; - $FieldList{$Field}{ColSpan} = $params{"colspan$FieldCount"}; + $FieldList{$Field}{Row} = $Untaint -> extract(-as_integer => "row$FieldCount") || 0; + $FieldList{$Field}{Column} = $Untaint -> extract(-as_integer => "col$FieldCount") || 0; + $FieldList{$Field}{RowSpan} = $Untaint -> extract(-as_integer => "rowspan$FieldCount") || 0; + $FieldList{$Field}{ColSpan} = $Untaint -> extract(-as_integer => "colspan$FieldCount") || 0; } } From 20fae3f86f2ea3b1617378961dffffdb9c91977b Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Mon, 29 Jul 2013 14:37:54 -0500 Subject: [PATCH 064/163] Untaint scripts starting with D --- DocDB/cgi/DeleteConfirm | 7 +++---- DocDB/cgi/DeleteDocument | 13 +++++-------- DocDB/cgi/DisplayMeeting | 10 +++++----- DocDB/cgi/DocDBInstructions | 6 ++++-- DocDB/cgi/DocTypeAdminister | 16 ++++++++-------- DocDB/cgi/DocumentDatabase | 3 +-- 6 files changed, 26 insertions(+), 29 deletions(-) diff --git a/DocDB/cgi/DeleteConfirm b/DocDB/cgi/DeleteConfirm index b460031a..2bc0577d 100755 --- a/DocDB/cgi/DeleteConfirm +++ b/DocDB/cgi/DeleteConfirm 
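Review bot: `$Field` in the CustomListForm `@@ -98` hunk is accepted as any printable string, then echoed in `push @ActionStack,"Field \"$Field\" added to the display"` and used as a `%FieldList` key; if ActionStack messages are rendered without escaping (not visible here), a request-supplied field name is reflected into the page. The display fields are a fixed set offered by the form, so checking `$Field` against a lookup hash of the known field names before using it would be tighter than `-as_printable`, and `-as_safehtml` would at least match how the other free-text fields in this series are handled. The surrounding `if (CanAdminister())` block starts before this hunk.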
@@ -42,15 +42,14 @@ require "Security.pm";
 require "RevisionHTML.pm";
 $query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
 $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
 &GetSecurityGroups;
-%params = $query -> Vars;
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-$DocumentID = $params{docid};
-$DocumentID =~ s/^\s+//; # Remove leading and trailing spaces
-$DocumentID =~ s/\s+$//;
+my $DocumentID = $Untaint -> extract(-as_integer => "documentid") || 0;
 @ErrorStack = ();
diff --git a/DocDB/cgi/DeleteDocument b/DocDB/cgi/DeleteDocument
index 3dfef2c4..12e48535 100755
--- a/DocDB/cgi/DeleteDocument
+++ b/DocDB/cgi/DeleteDocument
@@ -34,15 +34,12 @@ require "FSUtilities.pm";
 require "HTMLUtilities.pm";
 $query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
-
-$DocumentID = $params{docid};
-$DocumentID =~ s/^\s+//; # Remove leading and trailing spaces
-$DocumentID =~ s/\s+$//;
-
-my $Password = $params{password};
-my $Username = $params{admuser};
+my $DocumentID = $Untaint -> extract(-as_integer => "documentid") || 0;
+my $Password = $Untaint -> extract(-as_printable => "password") || "";
+my $Username = $Untaint -> extract(-as_printable => "admuser") || "";
 @ErrorStack = ();
diff --git a/DocDB/cgi/DisplayMeeting b/DocDB/cgi/DisplayMeeting
index 550f1782..3b3c4c25 100755
--- a/DocDB/cgi/DisplayMeeting
+++ b/DocDB/cgi/DisplayMeeting
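Review bot: Both the DeleteConfirm and the DeleteDocument hunk silently rename the request parameter: the removed lines read `$params{docid}` while the new `extract(-as_integer => "documentid")` looks for `documentid`, so unless the forms and links that call these two scripts were changed as well (nothing in this diff does), `$DocumentID` is always 0 and every deletion request fails the checks that follow. Other scripts in this series (AddFiles, EditTalkInfo) still extract `docid`, so `my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0;` is almost certainly what was meant in both places. The same kind of rename appears in GroupAdminister, where `$CGIParams{parent}` becomes `extract(-as_integer => "ParentID")`.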
@@ -53,12 +53,12 @@ require "EventUtilities.pm";
 require "Utilities.pm";
 $query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
-%params = $query -> Vars;
-
-my $SessionID = $params{sessionid};
-my $SessionSeparatorID = $params{sessionseparatorid};
-my $EventID = $params{conferenceid};
+my $SessionID = $Untaint -> extract(-as_integer => "sessionid") || 0;
+my $SessionSeparatorID = $Untaint -> extract(-as_integer => "sessionseparatorid") || 0;
+my $EventID = $Untaint -> extract(-as_integer => "conferenceid") || 0;
 @ErrorStack = ();
 @WarnStack = ();
diff --git a/DocDB/cgi/DocDBInstructions b/DocDB/cgi/DocDBInstructions
index 2bcd8b58..3dbce48f 100755
--- a/DocDB/cgi/DocDBInstructions
+++ b/DocDB/cgi/DocDBInstructions
@@ -35,12 +35,14 @@ require "SecuritySQL.pm";
 require "Security.pm";
 $query = new CGI; # Global for subroutines
+$query -> autoEscape(0);
 $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
 &GetSecurityGroups;
-%params = $query -> Vars;
-$InstructionSet = $params{set} || "general";
+my $Untaint = CGI::Untaint -> new($query -> Vars);
+
+my $InstructionSet = $Untaint -> extract(-as_printable => "general") || "";
 # Title
diff --git a/DocDB/cgi/DocTypeAdminister b/DocDB/cgi/DocTypeAdminister
index a834e61b..f325f433 100755
--- a/DocDB/cgi/DocTypeAdminister
+++ b/DocDB/cgi/DocTypeAdminister
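Review bot: `my $InstructionSet = $Untaint -> extract(-as_printable => "general") || "";` in the DocDBInstructions hunk extracts a parameter named `general` and defaults to an empty string, whereas the removed line read the `set` parameter and defaulted to `"general"`; the parameter name and the default have swapped places, so the page now never receives a requested instruction set and loses its fallback. It should read `my $InstructionSet = $Untaint -> extract(-as_printable => "set") || "general";`. If `$InstructionSet` is later used to choose a template or file (its use is outside this hunk), a lookup against the fixed list of instruction-set names would be a safer validator than `-as_printable`.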
@@ -37,18 +37,18 @@ require "DocTypeHTML.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines - -%params = $query -> Vars; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); # Parameters to script -$Password = $params{password}; -my $Username = $params{admuser}; -$Action = $params{admaction}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; -my $DocTypeID = $params{doctype}; -my $ShortName = $params{name}; -my $LongName = $params{longdesc}; +my $DocTypeID = $Untaint -> extract(-as_integer => "doctype") || 0; +my $ShortName = $Untaint -> extract(-as_safehtml => "name") || 0; +my $LongName = $Untaint -> extract(-as_safehtml => "longdesc") || 0; $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); diff --git a/DocDB/cgi/DocumentDatabase b/DocDB/cgi/DocumentDatabase index 92c54bdd..2c1439a9 100755 --- a/DocDB/cgi/DocumentDatabase +++ b/DocDB/cgi/DocumentDatabase @@ -47,6 +47,7 @@ require "XRefSQL.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); GetSecurityGroups(); @@ -56,8 +57,6 @@ if ($UserValidation eq "certificate") { $CertificateStatus = CertificateStatus(); } -# %params = $query -> Vars; # No parameters (yet?) - print $query->header( -charset => $HTTP_ENCODING ); if ($UserValidation eq "certificate" && $CertificateStatus ne "verified") { DocDBHeader("$Project Document Database","Document Database", -scripts => ["PopUps"], -refresh => "5;url=$CertificateApplyForm"); From 8c3115c9b1e3706b7b04dfd9e4c56f067bd14811 Mon Sep 17 00:00:00 2001 
From: Eric Vaandering Date: Mon, 29 Jul 2013 15:34:25 -0500 Subject: [PATCH 065/163] Untaint scripts starting with E --- DocDB/cgi/EditTalkInfo | 31 ++++++++++----------------- DocDB/cgi/EmailAdminister | 28 +++++++++++++----------- DocDB/cgi/EmailAdministerForm | 5 +++-- DocDB/cgi/EmailCreate | 9 ++++---- DocDB/cgi/EmailLogin | 1 + DocDB/cgi/EventAdministerForm | 26 +++++++++++----------- DocDB/cgi/ExternalDocDBAdministerForm | 24 ++++++++++----------- 7 files changed, 60 insertions(+), 64 deletions(-) diff --git a/DocDB/cgi/EditTalkInfo b/DocDB/cgi/EditTalkInfo index 69c193dc..ee36365d 100755 --- a/DocDB/cgi/EditTalkInfo +++ b/DocDB/cgi/EditTalkInfo 
@@ -38,31 +38,22 @@ require "MeetingSecurityUtilities.pm"; require "HTMLUtilities.pm"; require "DBUtilities.pm"; -#require "DocumentSQL.pm"; -#require "RevisionSQL.pm"; require "TalkSQL.pm"; require "MeetingSQL.pm"; require "TalkHintSQL.pm"; -#require "TalkHintUtilities.pm"; -#require "DocumentUtilities.pm"; -#require "FormElements.pm"; - -#require "DocumentHTML.pm"; -#require "TalkHTML.pm"; -#require "AuthorHTML.pm"; -#require "TopicHTML.pm"; $query = new CGI; -my %Params = $query -> Vars; - -my $SessionOrderID = $Params{sessionorderid}; -my $Title = $Params{talktitle}; -my $DocumentID = $Params{docid}; -my $Confirmed = $Params{talkconfirm}; -my $Length = $Params{talktime}; -my $Note = $Params{talknote}; -my @AuthorHints = split /\0/,$Params{authors}; -my @TopicHints = split /\0/,$Params{topics}; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); + +my $SessionOrderID = $Untaint -> extract(-as_integer => "sessionorderid") || 0; +my $Title = $Untaint -> extract(-as_safehtml => "talktitle") || ""; +my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0; +my $Confirmed = $Untaint -> extract(-as_safehtml => "talkconfirm") || ""; +my $Length = $Untaint -> extract(-as_safehtml => "talktime") || ""; +my $Note = $Untaint -> extract(-as_safehtml => "talknote") || ""; +my @AuthorHints = @{ $Untaint -> extract(-as_listofint => "authors") || undef }; +my @TopicHints = @{ $Untaint -> extract(-as_listofint => "topics") || undef }; if ($Confirmed) { $Confirmed = $TRUE; } diff --git a/DocDB/cgi/EmailAdminister b/DocDB/cgi/EmailAdminister index 1a406ab4..27d95930 100755 --- a/DocDB/cgi/EmailAdminister +++ b/DocDB/cgi/EmailAdminister 
@@ -42,22 +42,24 @@ require "Messages.pm"; require "EmailUserHTML.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); # Parameters to script -%params = $query -> Vars; -my $Password = $params{password}; -my $Username = $params{admuser}; -my $Action = $params{admaction}; - -my $EmailUserID = $params{emailuserid}; -my $SingleUser = $params{singleuser}; -my $NewPassword = $params{resetpw}; -my $ClearGroups = ($params{cleargroups} eq "on"); -my $ClearUser = ($params{clearuser} eq "on"); -my $UserSign = ($params{usersign} eq "on"); -my $VerifyUser = ($params{verifyuser} eq "on"); -my @UsersGroupIDs = split /\0/,$params{usergroups}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; + +my $EmailUserID = $Untaint -> extract(-as_integer => "emailuserid") || 0; +my $SingleUser = $Untaint -> extract(-as_safehtml => "singleuser") || ""; +my $NewPassword = $Untaint -> extract(-as_printable => "resetpw") || ""; + +my $ClearGroups = ($Untaint -> extract(-as_printable => "cleargroups") eq "on"); +my $ClearUser = ($Untaint -> extract(-as_printable => "clearuser") eq "on"); +my $UserSign = ($Untaint -> extract(-as_printable => "usersign") eq "on"); +my $VerifyUser = ($Untaint -> extract(-as_printable => "verifyuser") eq "on"); +my @UsersGroupIDs = @{ $Untaint -> extract(-as_listofint => "usergroups") || undef }; $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); diff --git a/DocDB/cgi/EmailAdministerForm b/DocDB/cgi/EmailAdministerForm index 7fce2bf0..0e49d632 100755 --- a/DocDB/cgi/EmailAdministerForm +++ b/DocDB/cgi/EmailAdministerForm 
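Review bot: The four `eq "on"` comparisons in the EmailAdminister hunk (`cleargroups`, `clearuser`, `usersign`, `verifyuser`) compare the raw `extract` result, which is undef when the checkbox is absent or the value is rejected, so every unchecked box produces an uninitialized-value warning in the server log under `use warnings`; the neighbouring lines default with `|| ""` and these should too, e.g. `my $ClearGroups = (($Untaint -> extract(-as_printable => "cleargroups") || "") eq "on");`. The removed code had the same shape, so this is a consistency point rather than a regression.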
@@ -45,11 +45,12 @@ require "SecuritySQL.pm"; require "NotificationSQL.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); -%params = $query -> Vars; +my $Untaint = CGI::Untaint -> new($query -> Vars); -my $EmailUserID = $params{emailuserid} || 0; +my $EmailUserID = $Untaint -> extract(-as_integer => "emailuserid") || 0; GetSecurityGroups(); diff --git a/DocDB/cgi/EmailCreate b/DocDB/cgi/EmailCreate index be00e04b..92c7cfed 100755 --- a/DocDB/cgi/EmailCreate +++ b/DocDB/cgi/EmailCreate @@ -31,16 +31,17 @@ require "HTMLUtilities.pm"; require "ResponseElements.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass); @ErrorStack = (); -%params = $query -> Vars; +my $Untaint = CGI::Untaint -> new($query -> Vars); # Collect parameters -my $UserName = $params{username}; -my $Password = $params{password}; -my $PassConf = $params{passconf}; +my $UserName = $Untaint -> extract(-as_safehtml => "username") || ""; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $PassConf = $Untaint -> extract(-as_printable => "passconf") || ""; $UserName =~ s/\s+//g; $Password =~ s/\s+//g; $PassConf =~ s/\s+//g; diff --git a/DocDB/cgi/EmailLogin b/DocDB/cgi/EmailLogin index 33aa12b7..49c5cd7b 100755 --- a/DocDB/cgi/EmailLogin +++ b/DocDB/cgi/EmailLogin @@ -32,6 +32,7 @@ require "ResponseElements.pm"; require "EmailSecurity.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); diff --git a/DocDB/cgi/EventAdministerForm b/DocDB/cgi/EventAdministerForm index 9e874cc6..76d02c62 100755 --- a/DocDB/cgi/EventAdministerForm +++ b/DocDB/cgi/EventAdministerForm 
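Review bot: `my $UserName = $Untaint -> extract(-as_safehtml => "username") || "";` in the EmailCreate hunk validates a login name with the HTML-oriented handler, which judging by its name admits markup that the other handlers reject, while the two passwords below it use `-as_printable`. A login name is stored and later compared and displayed, so it should get the tighter handler, `-as_printable`, or better an anchored check for the characters the site actually allows in user names; the `s/\s+//g` that follows only strips whitespace. The exact rules of the project's safehtml handler are not visible here.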
@@ -48,19 +48,19 @@ require "MeetingHTML.pm"; require "TopicHTML.pm"; # For description boxes $query = new CGI; # Global for subroutines - -%params = $query -> Vars; - -my $Password = $params{password}; -my $Username = $params{admuser}; -my $Action = $params{admaction}; -my $Force = $params{admforce}; - -my $SubForm = $params{subform}; -my $EventGroupID = int($params{eventgroups}); -my $EventID = int($params{events}); -my $ShortDescription = $params{shortdesc}; -my $LongDescription = $params{longdesc}; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); + +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; +my $Force = $Untaint -> extract(-as_printable => "admforce") || ""; + +my $SubForm = $Untaint -> extract(-as_printable => "subform") || ""; +my $EventGroupID = $Untaint -> extract(-as_integer => "eventgroups") || 0; +my $EventID = $Untaint -> extract(-as_integer => "events") || 0; +my $ShortDescription = $Untaint -> extract(-as_safehtml => "shortdesc") || ""; +my $LongDescription = $Untaint -> extract(-as_safehtml => "longdesc") || ""; $query -> delete_all(); diff --git a/DocDB/cgi/ExternalDocDBAdministerForm b/DocDB/cgi/ExternalDocDBAdministerForm index 27f79e26..9ebd525d 100755 --- a/DocDB/cgi/ExternalDocDBAdministerForm +++ b/DocDB/cgi/ExternalDocDBAdministerForm 
@@ -44,21 +44,21 @@ require "XRefHTML.pm"; require "XRefSQL.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); -%params = $query -> Vars; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; +my $Force = $Untaint -> extract(-as_printable => "admforce") || ""; -my $Password = $params{password}; -my $Username = $params{admuser}; -my $Action = $params{admaction}; -my $Force = $params{admforce}; +my $SubForm = $Untaint -> extract(-as_printable => "subform") || ""; -my $SubForm = $params{subform}; - -my $ExternalDocDBID = $params{externaldocdbs}; -my $ProjectName = $params{project}; -my $Description = $params{desc}; -my $PublicURL = $params{puburl}; -my $PrivateURL = $params{privurl}; +my $ExternalDocDBID = $Untaint -> extract(-as_integer => "externaldocdbs") || 0; +my $ProjectName = $Untaint -> extract(-as_safehtml => "project") || ""; +my $Description = $Untaint -> extract(-as_safehtml => "desc") || ""; +my $PublicURL = $Untaint -> extract(-as_safehtml => "puburl") || ""; +my $PrivateURL = $Untaint -> extract(-as_safehtml => "privurl") || ""; $query -> delete_all(); From c4e2e22d48258eeb453c7ccbd94e88511682d990 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Mon, 29 Jul 2013 16:54:40 -0500 Subject: [PATCH 066/163] Untaint more admin scripts --- DocDB/cgi/GroupAdminister | 32 ++++++++++++++++---------------- DocDB/cgi/GroupAdministerForm | 1 + DocDB/cgi/InstitutionAdminister | 16 ++++++++-------- DocDB/cgi/JournalAdminister | 22 +++++++++++----------- 4 files changed, 36 insertions(+), 35 deletions(-) diff --git a/DocDB/cgi/GroupAdminister b/DocDB/cgi/GroupAdminister index 2d4d5a15..585a16b2 100755 --- a/DocDB/cgi/GroupAdminister +++ b/DocDB/cgi/GroupAdminister 
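Review bot: `$PublicURL` and `$PrivateURL` in the ExternalDocDBAdministerForm hunk are validated with `-as_safehtml`, which constrains markup but says nothing about the URL itself; if these values are later emitted as `href` targets (which the names suggest, though the output code is not in this hunk), the scheme and characters should be checked with an anchored pattern such as `m{\A https?:// [^\s"'<>]+ \z}x` and the value reassigned from the match. The same applies to `url` in the JournalAdminister hunk of the next commit. With `$query -> autoEscape(0)` now set, a value containing a double quote would also need escaping before it is placed into a form field default.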
@@ -38,28 +38,28 @@ require "GroupHTML.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines - -%CGIParams = $query -> Vars; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); # Parameters to script -my $Password = $CGIParams{password}; -my $Username = $CGIParams{admuser}; -my $Action = $CGIParams{admaction}; - -my $Description = $CGIParams{description}; -my $Name = $CGIParams{name}; -my $ParentID = $CGIParams{parent}; -my @ChildIDs = split /\0/,$CGIParams{child}; -my $View = $CGIParams{view}; -my $Create = $CGIParams{create}; -my $Admin = $CGIParams{admin}; -my $NoPerm = $CGIParams{remove}; -my $RemoveChildren = $CGIParams{removesubs}; -my $Force = $CGIParams{admforce}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; +my $Force = $Untaint -> extract(-as_printable => "admforce") || ""; + +my $Description = $Untaint -> extract(-as_safehtml => "description") || ""; +my $Name = $Untaint -> extract(-as_safehtml => "name") || ""; +my $ParentID = $Untaint -> extract(-as_integer => "ParentID") || 0; +my @ChildIDs = @{ $Untaint -> extract(-as_listofint => "child") || undef }; +my $View = $Untaint -> extract(-as_printable => "view") || ""; +my $Create = $Untaint -> extract(-as_printable => "create") || ""; +my $Admin = $Untaint -> extract(-as_printable => "admin") || ""; +my $NoPerm = $Untaint -> extract(-as_printable => "remove") || ""; +my $RemoveChildren = $Untaint -> extract(-as_printable => "removesubs") || ""; if ($View) {$View = 1;} # Make sure they are in format MySQL is expecting if ($Create) {$Create = 1;} diff --git a/DocDB/cgi/GroupAdministerForm b/DocDB/cgi/GroupAdministerForm index e295cfca..bf216923 100755 --- a/DocDB/cgi/GroupAdministerForm +++ b/DocDB/cgi/GroupAdministerForm 
@@ -40,6 +40,7 @@ require "HTMLUtilities.pm"; require "Sorts.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); GetSecurityGroups(); diff --git a/DocDB/cgi/InstitutionAdminister b/DocDB/cgi/InstitutionAdminister index 79652e2c..d8268ea3 100755 --- a/DocDB/cgi/InstitutionAdminister +++ b/DocDB/cgi/InstitutionAdminister @@ -37,21 +37,21 @@ require "AuthorHTML.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines - -%params = $query -> Vars; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); # Parameters to script -$Password = $params{password}; -my $Username = $params{admuser}; -$Action = $params{admaction}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; -$InstitutionID = $params{inst}; -$LongName = $params{longdesc}; -$ShortName = $params{shortdesc}; +my $InstitutionID = $Untaint -> extract(-as_integer => "inst") || 0; +my $LongName = $Untaint -> extract(-as_safehtml => "longdesc") || ""; +my $ShortName = $Untaint -> extract(-as_safehtml => "shortdesc") || ""; $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); diff --git a/DocDB/cgi/JournalAdminister b/DocDB/cgi/JournalAdminister index e059b30c..13a271b1 100755 --- a/DocDB/cgi/JournalAdminister +++ b/DocDB/cgi/JournalAdminister 
@@ -36,24 +36,24 @@ require "JournalHTML.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines - -%params = $query -> Vars; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); # Parameters to script -$Password = $params{password}; -my $Username = $params{admuser}; -$Action = $params{admaction}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; -$JournalID = $params{journal}; -$FullName = $params{name}; -$Abbreviation = $params{abbr}; -$Acronym = $params{acronym}; -$Publisher = $params{pub}; -$URL = $params{url}; +my $JournalID = $Untaint -> extract(-as_integer => "journal") || 0; +my $FullName = $Untaint -> extract(-as_safehtml => "name") || ""; +my $Abbreviation = $Untaint -> extract(-as_safehtml => "abbr") || ""; +my $Acronym = $Untaint -> extract(-as_safehtml => "acronym") || ""; +my $Publisher = $Untaint -> extract(-as_safehtml => "pub") || ""; +my $URL = $Untaint -> extract(-as_safehtml => "url") || ""; $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); From f1502fc11997aded75f6bf0d8e69cb74ae01302c Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Mon, 29 Jul 2013 17:01:35 -0500 Subject: [PATCH 067/163] Untaint keyword admin scripts --- DocDB/cgi/KeywordAdministerForm | 1 + DocDB/cgi/KeywordGroupAdminister | 16 ++++++++-------- DocDB/cgi/KeywordListAdminister | 20 ++++++++++---------- 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/DocDB/cgi/KeywordAdministerForm b/DocDB/cgi/KeywordAdministerForm index 4657b629..89aeebfb 100755 --- a/DocDB/cgi/KeywordAdministerForm +++ b/DocDB/cgi/KeywordAdministerForm 
@@ -41,6 +41,7 @@ require "HTMLUtilities.pm"; require "Sorts.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); &GetKeywords; diff --git a/DocDB/cgi/KeywordGroupAdminister b/DocDB/cgi/KeywordGroupAdminister index 37fc9225..3587dddf 100755 --- a/DocDB/cgi/KeywordGroupAdminister +++ b/DocDB/cgi/KeywordGroupAdminister @@ -37,21 +37,21 @@ require "KeywordHTML.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines - -%params = $query -> Vars; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); # Parameters to script -$Password = $params{password}; -my $Username = $params{admuser}; -$Action = $params{admaction}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; -$KeywordGroupID = $params{keywordgroup}; -$LongName = $params{longdesc}; -$ShortName = $params{shortdesc}; +my $KeywordGroupID = $Untaint -> extract(-as_integer => "keywordgroup") || 0; +my $LongName = $Untaint -> extract(-as_safehtml => "longdesc") || ""; +my $ShortName = $Untaint -> extract(-as_safehtml => "shortdesc") || ""; $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); diff --git a/DocDB/cgi/KeywordListAdminister b/DocDB/cgi/KeywordListAdminister index fbf292c9..d3b7b722 100755 --- a/DocDB/cgi/KeywordListAdminister +++ b/DocDB/cgi/KeywordListAdminister 
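Review bot: `$query -> autoEscape(0)` switches off the HTML escaping CGI.pm applies to values it writes into generated form elements, and this form is built after `&GetKeywords;`, so any keyword text that reaches a CGI.pm widget (`-values`, `-labels`, `-default`) is now emitted verbatim. That is only safe if the text was made HTML-safe on its way into the database or the form escapes it itself, and neither is visible in this hunk. A comment at the call site would make the new invariant explicit: `# autoEscape off: every value/label handed to a CGI.pm form generator below must already be HTML-safe`.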
@@ -39,22 +39,22 @@ require "KeywordSQL.pm"; require "Messages.pm"; $query = new CGI; # Global for subroutines - -%params = $query -> Vars; +$query -> autoEscape(0); +my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); # Parameters to script -my $Password = $params{password}; -my $Username = $params{admuser}; -my $Action = $params{admaction}; - -my $KeywordID = $params{keywordlist}; -my @KeywordGroupIDs = split /\0/,$params{keywordgroup}; -my $LongName = $params{longdesc}; -my $ShortName = $params{shortdesc}; +my $Password = $Untaint -> extract(-as_printable => "password") || ""; +my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; +my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; + +my $KeywordID = $Untaint -> extract(-as_integer => "keywordlist") || 0; +my @KeywordGroupIDs = @{ $Untaint -> extract(-as_listofint => "keywordgroup") || undef }; +my $LongName = $Untaint -> extract(-as_safehtml => "longdesc") || ""; +my $ShortName = $Untaint -> extract(-as_safehtml => "shortdesc") || ""; $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); From 8fe717615984b9418ca801d86b66ce5628beff23 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 11:09:04 -0500 Subject: [PATCH 068/163] Start of routine to do rlike searches --- DocDB/cgi/SearchAtoms.pm | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/DocDB/cgi/SearchAtoms.pm b/DocDB/cgi/SearchAtoms.pm index 27eceaa6..3413c2f1 100644 --- a/DocDB/cgi/SearchAtoms.pm +++ b/DocDB/cgi/SearchAtoms.pm @@ -23,6 +23,8 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use HTML::Entities qw(encode_entities_numeric); + %SearchWeights = ( # These weights are used to order documents from the simple search "Author" => 4, "Topic" => 3, 
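Review bot: `@{ $Untaint -> extract(-as_listofint => "keywordgroup") || undef }` dereferences `undef` whenever no group is selected or the handler rejects the value; under `use strict 'refs'` that is a fatal "Can't use an undefined value as an ARRAY reference", and without strict it silently reads the package array named by the empty string. `|| []` gives the intended empty list in both cases: `my @KeywordGroupIDs = @{ $Untaint -> extract(-as_listofint => "keywordgroup") || [] };`. `-as_listofint` is presumably a project handler that splits the `\0`-joined value `Vars` produces for multi-select fields, replacing the old `split /\0/`; worth confirming it tolerates an absent parameter.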
@@ -52,6 +54,7 @@ sub TextSearch { my @Words = split /\s+/,$Words; foreach my $Word (@Words) { if ($Mode eq "anysub" || $Mode eq "allsub") { + my $RegExp = RegExpSearchAtom($Word); $Word =~ tr/[A-Z]/[a-z]/; push @Atoms,"LOWER($Field) like \"%$Word%\""; } elsif ($Mode eq "anyword" || $Mode eq "allword") { @@ -74,6 +77,34 @@ sub TextSearch { return $Phrase; } +sub RegExpSearchAtom { + my ($Word, $RequireWord) = @_; + + my @RegExpParts = (); + my $RegExpAtom = ''; + + my $SimpleWord = $Word; + $SimpleWord = s/^\w+//g; + if ($SimpleWord eq $Word) { # No special characters found + push @RegExpParts, $Word; + } else { + print STDERR "Special characters found, gotta figure this out\n"; + } + + if ($RequireWord) { + $RegExpAtom .= '[[:<:]]'; + } + $RegExpAtom .= '('; + $RegExpAtom .= join '|', @RegExpParts; + $RegExpAtom .= ')'; + if ($RequireWord) { + $RegExpAtom .= '[[:>:]]'; + } + my $SafeAtom = $dbh->quote($RegExpAtom); + print STDERR "Searching for $SafeAtom\n"; + return $SafeAtom; +} + sub IDSearch { my ($Table,$Field,$Mode,@IDs) = @_; From f7a314c7653f6fd8c621690293275a0596a7ec38 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 11:26:48 -0500 Subject: [PATCH 069/163] Start adding special character handling to search --- DocDB/cgi/SearchAtoms.pm | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/DocDB/cgi/SearchAtoms.pm b/DocDB/cgi/SearchAtoms.pm index 3413c2f1..7f98665e 100644 --- a/DocDB/cgi/SearchAtoms.pm +++ b/DocDB/cgi/SearchAtoms.pm @@ -58,6 +58,7 @@ sub TextSearch { $Word =~ tr/[A-Z]/[a-z]/; push @Atoms,"LOWER($Field) like \"%$Word%\""; } elsif ($Mode eq "anyword" || $Mode eq "allword") { + my $RegExp = RegExpSearchAtom($Word, $TRUE); $Word =~ tr/[A-Z]/[a-z]/; push @Atoms,"LOWER($Field) REGEXP \"\[\[:<:\]\]$Word\[\[:>:\]\]\""; } 
@@ -84,11 +85,15 @@ sub RegExpSearchAtom { my $RegExpAtom = ''; my $SimpleWord = $Word; - $SimpleWord = s/^\w+//g; + $SimpleWord =~ s/^\w+//g; if ($SimpleWord eq $Word) { # No special characters found push @RegExpParts, $Word; } else { - print STDERR "Special characters found, gotta figure this out\n"; + print STDERR "Special characters found in $Word becomes $SimpleWord, gotta figure this out\n"; + # First take care of regexp special characters + my $RESafeWord = $Word; + $RESafeWord =~ s/(\[\\\^\$\.\|\?\*\+\(\))/\\\1/; + push @RegExpParts, $RESafeWord; } if ($RequireWord) { From c81ddaae33bd92d507a9268d7249047d570a07d1 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 13:23:51 -0500 Subject: [PATCH 070/163] All five formats --- DocDB/cgi/SearchAtoms.pm | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/DocDB/cgi/SearchAtoms.pm b/DocDB/cgi/SearchAtoms.pm index 7f98665e..1bc6196c 100644 --- a/DocDB/cgi/SearchAtoms.pm +++ b/DocDB/cgi/SearchAtoms.pm 
@@ -85,15 +85,23 @@ sub RegExpSearchAtom { my $RegExpAtom = ''; my $SimpleWord = $Word; - $SimpleWord =~ s/^\w+//g; + $SimpleWord =~ s/\W//g; if ($SimpleWord eq $Word) { # No special characters found push @RegExpParts, $Word; } else { print STDERR "Special characters found in $Word becomes $SimpleWord, gotta figure this out\n"; # First take care of regexp special characters - my $RESafeWord = $Word; - $RESafeWord =~ s/(\[\\\^\$\.\|\?\*\+\(\))/\\\1/; - push @RegExpParts, $RESafeWord; + my $Escaped = $Word; + $Escaped =~ s/([\[\\\^\$\.\|\?\*\+\(\)])/\\\1/g; # Prepend \ to regexp safe characters [\^$.|?*+() + push @RegExpParts, $Escaped; + push @RegExpParts, HTML::Entities::encode($Word); # & + push @RegExpParts, HTML::Entities::encode_entities_numeric($Word); # « + $Escaped = $Word; + $Escaped =~ s{(\W)}{"%".sprintf("%x", unpack(U,$1))}ge; # %20 + push @RegExpParts, $Escaped + $Escaped = $Word; + $Escaped =~ s{(\W)}{"&#".unpack(U,$1).";"}ge; # Ӓ + push @RegExpParts, $Escaped } if ($RequireWord) { From 2e36ee8a4e9f0e753f0dd8fcb3cddd1a3f44941e Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 13:39:09 -0500 Subject: [PATCH 071/163] Filter duplicates --- DocDB/cgi/SearchAtoms.pm | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/DocDB/cgi/SearchAtoms.pm b/DocDB/cgi/SearchAtoms.pm index 1bc6196c..c15a60a8 100644 --- a/DocDB/cgi/SearchAtoms.pm +++ b/DocDB/cgi/SearchAtoms.pm 
@@ -93,15 +93,23 @@ sub RegExpSearchAtom { # First take care of regexp special characters my $Escaped = $Word; $Escaped =~ s/([\[\\\^\$\.\|\?\*\+\(\)])/\\\1/g; # Prepend \ to regexp safe characters [\^$.|?*+() + print STDERR " adding $Escaped\n"; push @RegExpParts, $Escaped; - push @RegExpParts, HTML::Entities::encode($Word); # & - push @RegExpParts, HTML::Entities::encode_entities_numeric($Word); # « + + $Escaped = HTML::Entities::encode($Word); # & + if ($Escaped ne $Word) { + push @RegExpParts, $Escaped; + } + $Escaped = HTML::Entities::encode_entities_numeric($Word); # « + if ($Escaped ne $Word) { + push @RegExpParts, $Escaped; + } $Escaped = $Word; - $Escaped =~ s{(\W)}{"%".sprintf("%x", unpack(U,$1))}ge; # %20 - push @RegExpParts, $Escaped + $Escaped =~ s{(\W)}{"%".sprintf("%x", unpack(U,$1))}ge; # %20 + push @RegExpParts, $Escaped; $Escaped = $Word; - $Escaped =~ s{(\W)}{"&#".unpack(U,$1).";"}ge; # Ӓ - push @RegExpParts, $Escaped + $Escaped =~ s{(\W)}{"&#".unpack(U,$1).";"}ge; # Ӓ + push @RegExpParts, $Escaped; } if ($RequireWord) { From dd4f47889c748d4ca8764eb4e42eca2af29e3ca4 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 13:58:59 -0500 Subject: [PATCH 072/163] Switch to regexp --- DocDB/cgi/SearchAtoms.pm | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/DocDB/cgi/SearchAtoms.pm b/DocDB/cgi/SearchAtoms.pm index c15a60a8..46d17928 100644 --- a/DocDB/cgi/SearchAtoms.pm +++ b/DocDB/cgi/SearchAtoms.pm 
@@ -55,12 +55,14 @@ sub TextSearch { foreach my $Word (@Words) { if ($Mode eq "anysub" || $Mode eq "allsub") { my $RegExp = RegExpSearchAtom($Word); - $Word =~ tr/[A-Z]/[a-z]/; - push @Atoms,"LOWER($Field) like \"%$Word%\""; +# $Word =~ tr/[A-Z]/[a-z]/; +# push @Atoms,"LOWER($Field) like \"%$Word%\""; + push @Atoms, "$Field rlike $RegExp"; } elsif ($Mode eq "anyword" || $Mode eq "allword") { my $RegExp = RegExpSearchAtom($Word, $TRUE); - $Word =~ tr/[A-Z]/[a-z]/; - push @Atoms,"LOWER($Field) REGEXP \"\[\[:<:\]\]$Word\[\[:>:\]\]\""; +# $Word =~ tr/[A-Z]/[a-z]/; +# push @Atoms,"LOWER($Field) REGEXP \"\[\[:<:\]\]$Word\[\[:>:\]\]\""; + push @Atoms, "$Field rlike $RegExp"; } } } From 1b097011526eed19b0eb5535f14bb3aae1fdbadf Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 14:41:24 -0500 Subject: [PATCH 073/163] allow special characters for text fields in search --- DocDB/cgi/Search.pm | 24 +++++++++++++----------- DocDB/cgi/SearchAtoms.pm | 16 ++++++---------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/DocDB/cgi/Search.pm b/DocDB/cgi/Search.pm index 57a2fa21..8b56b6eb 100644 --- a/DocDB/cgi/Search.pm +++ b/DocDB/cgi/Search.pm 
@@ -100,15 +100,15 @@ sub LocalSearch ($) { ### Purify input (remove punctuation) - $SimpleText =~ s/[^\s\w+-\.]//go; - $TitleSearch =~ s/[^\s\w+-\.]//go; - $AbstractSearch =~ s/[^\s\w+-\.]//go; - $KeywordSearch =~ s/[^\s\w+-\.]//go; - $RevisionNoteSearch =~ s/[^\s\w+-\.]//go; - $PubInfoSearch =~ s/[^\s\w+-\.]//go; - $FileSearch =~ s/[^\s\w+-\.]//go; - $FileDescSearch =~ s/[^\s\w+-\.]//go; - $FileContSearch =~ s/[^\s\w+-\.]//go; +# $SimpleText =~ s/[^\s\w+-\.]//go; +# $TitleSearch =~ s/[^\s\w+-\.]//go; +# $AbstractSearch =~ s/[^\s\w+-\.]//go; +# $KeywordSearch =~ s/[^\s\w+-\.]//go; +# $RevisionNoteSearch =~ s/[^\s\w+-\.]//go; +# $PubInfoSearch =~ s/[^\s\w+-\.]//go; +# $FileSearch =~ s/[^\s\w+-\.]//go; +# $FileDescSearch =~ s/[^\s\w+-\.]//go; + $FileContSearch =~ s/[^\s\w+-\.]//go; # No idea what they'd do with special characters, best to remove GetTopics(); GetSecurityGroups(); @@ -125,6 +125,8 @@ sub LocalSearch ($) { } if ($SimpleText) { # Break up words and set parameters for rest of search + my $SimpleAlphaNumeric = $SimpleText; + $SimpleAlphaNumeric =~ s/[^\s\w+-\.]//go; # FIXME: Upgrade Match* routines to handle special characters @RequesterSearchIDs = (); @AuthorSearchIDs = (); @TypeSearchIDs = (); @@ -132,7 +134,7 @@ sub LocalSearch ($) { @EventSearchIDs = (); @EventGroupSearchIDs = (); - my @Words = split /\s+/,$SimpleText; + my @Words = split /\s+/,$SimpleAlphaNumeric; foreach my $Word (@Words) { push @AuthorSearchIDs ,MatchAuthor( {-either => $Word} ); push @TypeSearchIDs ,MatchDocType( {-short => $Word} ); @@ -153,7 +155,7 @@ sub LocalSearch ($) { $PubInfoSearch = $SimpleText; $FileSearch = $SimpleText; $FileDescSearch = $SimpleText; - $FileContSearch = $SimpleText; + $FileContSearch = $SimpleAlphaNumeric # No idea what they'd do with special characters, best to remove $TitleSearchMode = "anyword"; $AbstractSearchMode = "anyword"; $KeywordSearchMode = "anyword"; 
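Review bot: Commenting out the eight `s/[^\s\w+-\.]//go` lines means `$TitleSearch`, `$AbstractSearch`, `$KeywordSearch`, `$RevisionNoteSearch`, `$PubInfoSearch`, `$FileSearch` and `$FileDescSearch` now reach SQL construction completely raw, so injection safety rests entirely on every consumer passing them through `$dbh->quote`; the rewritten `anysub`/`anyword` branches of TextSearch do, but any other search mode or caller of these variables that still interpolates them into a query becomes injectable. A one-line comment stating that contract, e.g. `# Search terms are passed raw; every SQL consumer must quote them (see RegExpSearchAtom)`, is worth more than the eight dead lines, which should be deleted rather than kept as comments. LocalSearch starts and ends outside this hunk.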
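Review bot: In the new `$SimpleAlphaNumeric =~ s/[^\s\w+-\.]//go;` the class `[^\s\w+-\.]` contains the range `+-\.`, i.e. the four characters `+ , - .`, so commas survive the strip even though the intent is to keep only `+`, `-` and `.`. Put the hyphen last so it is literal: `$SimpleAlphaNumeric =~ s/[^\s\w+.-]//g;` (the `/o` adds nothing to a pattern without variables). The same inherited range sits in the `$FileContSearch` strip that survives in the earlier hunk.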
diff --git a/DocDB/cgi/SearchAtoms.pm b/DocDB/cgi/SearchAtoms.pm index 46d17928..f968d7cb 100644 --- a/DocDB/cgi/SearchAtoms.pm +++ b/DocDB/cgi/SearchAtoms.pm @@ -55,13 +55,9 @@ sub TextSearch { foreach my $Word (@Words) { if ($Mode eq "anysub" || $Mode eq "allsub") { my $RegExp = RegExpSearchAtom($Word); -# $Word =~ tr/[A-Z]/[a-z]/; -# push @Atoms,"LOWER($Field) like \"%$Word%\""; push @Atoms, "$Field rlike $RegExp"; } elsif ($Mode eq "anyword" || $Mode eq "allword") { my $RegExp = RegExpSearchAtom($Word, $TRUE); -# $Word =~ tr/[A-Z]/[a-z]/; -# push @Atoms,"LOWER($Field) REGEXP \"\[\[:<:\]\]$Word\[\[:>:\]\]\""; push @Atoms, "$Field rlike $RegExp"; } } @@ -91,24 +87,24 @@ sub RegExpSearchAtom { if ($SimpleWord eq $Word) { # No special characters found push @RegExpParts, $Word; } else { - print STDERR "Special characters found in $Word becomes $SimpleWord, gotta figure this out\n"; - # First take care of regexp special characters - my $Escaped = $Word; - $Escaped =~ s/([\[\\\^\$\.\|\?\*\+\(\)])/\\\1/g; # Prepend \ to regexp safe characters [\^$.|?*+() - print STDERR " adding $Escaped\n"; + my $Escaped = $Word; # First take care of regexp special characters + $Escaped =~ s/([\[\\\^\$\.\|\?\*\+\(\)])/\\\1/g; # Prepend \ to regexp safe characters [\^$.|?*+() push @RegExpParts, $Escaped; $Escaped = HTML::Entities::encode($Word); # & if ($Escaped ne $Word) { push @RegExpParts, $Escaped; } + $Escaped = HTML::Entities::encode_entities_numeric($Word); # « if ($Escaped ne $Word) { push @RegExpParts, $Escaped; } + $Escaped = $Word; $Escaped =~ s{(\W)}{"%".sprintf("%x", unpack(U,$1))}ge; # %20 push @RegExpParts, $Escaped; + $Escaped = $Word; $Escaped =~ s{(\W)}{"&#".unpack(U,$1).";"}ge; # Ӓ push @RegExpParts, $Escaped; @@ -123,8 +119,8 @@ sub RegExpSearchAtom { if ($RequireWord) { $RegExpAtom .= '[[:>:]]'; } + my $SafeAtom = $dbh->quote($RegExpAtom); - print STDERR "Searching for $SafeAtom\n"; return $SafeAtom; } 
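Review bot: Replacing `LOWER($Field) like ...` with `$Field rlike $RegExp` drops the explicit case folding both sides used to get; `RLIKE` follows the column's collation, so the search stays case-insensitive only for columns with a `_ci` collation and becomes byte-exact on binary/BLOB columns (file contents, if that is how they are stored, which is not visible here). If that difference is intended, say so in a comment; otherwise lowercase `$Word` before calling RegExpSearchAtom and emit `push @Atoms, "LOWER($Field) rlike $RegExp";`. `$Field` is still interpolated unquoted, which is fine only as long as it remains a code-supplied column name and never anything derived from the request.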
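Review bot: Only the first alternative is regexp-escaped; `HTML::Entities::encode($Word)` and `encode_entities_numeric($Word)` leave every character they do not encode (`.`, `(`, `*`, `|`, ...) untouched, so a term like `a(b<c` contributes the alternative `a(b&lt;c` with an unbalanced paren inside the `(...)` group, MySQL rejects the pattern and the whole search errors out, while a stray `.` or `*` silently widens the match. The escape set also omits `{` and `}` (a `{` that does not open a valid interval is rejected or undefined in POSIX ERE), and `\\\1` in the replacement should be `\\$1`, which Perl also warns about. Build the candidate spellings first and run every one through the same escape, roughly as below; the word-boundary wrapping and `$dbh->quote` stay as they are.
```perl
sub RegExpSearchAtom {
  my ($Word, $RequireWord) = @_;
  # … unchanged: @RegExpParts/$RegExpAtom declarations and the \W test …
  } else {
    # Candidate spellings of the same term: raw, named entity, numeric entity,
    # percent-encoded and decimal entity. Every one is metachar-escaped below.
    my @Candidates = ($Word);
    my $Named = HTML::Entities::encode($Word);                                # &amp;
    push @Candidates, $Named if $Named ne $Word;
    my $Numeric = HTML::Entities::encode_entities_numeric($Word);             # &#171;
    push @Candidates, $Numeric if $Numeric ne $Word;
    (my $Percent = $Word) =~ s{(\W)}{"%".sprintf("%x", unpack("U", $1))}ge;  # %20
    push @Candidates, $Percent;
    (my $Decimal = $Word) =~ s{(\W)}{"&#".unpack("U", $1).";"}ge;            # &#1234;
    push @Candidates, $Decimal;
    foreach my $Candidate (@Candidates) {
      (my $Escaped = $Candidate) =~ s/([\[\]\\\^\$\.\|\?\*\+\(\)\{\}])/\\$1/g; # escape ERE metacharacters
      push @RegExpParts, $Escaped;
    }
  }
  # … unchanged: [[:<:]] / [[:>:]] wrapping, join and $dbh->quote …
```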
From 791c95b558ea08710a9677b03f72776a8f2c62d2 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 14:42:54 -0500 Subject: [PATCH 074/163] allow special characters for text fields in search --- DocDB/cgi/Search.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DocDB/cgi/Search.pm b/DocDB/cgi/Search.pm index 8b56b6eb..56294139 100644 --- a/DocDB/cgi/Search.pm +++ b/DocDB/cgi/Search.pm @@ -155,7 +155,7 @@ sub LocalSearch ($) { $PubInfoSearch = $SimpleText; $FileSearch = $SimpleText; $FileDescSearch = $SimpleText; - $FileContSearch = $SimpleAlphaNumeric # No idea what they'd do with special characters, best to remove + $FileContSearch = $SimpleAlphaNumeric; # No idea what they'd do with special characters, best to remove $TitleSearchMode = "anyword"; $AbstractSearchMode = "anyword"; $KeywordSearchMode = "anyword"; From 8263139acf1e2ceded76145f16303bebb9680d94 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 15:31:26 -0500 Subject: [PATCH 075/163] allow special characters for text fields in search --- DocDB/cgi/Search | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DocDB/cgi/Search b/DocDB/cgi/Search index 0a6a13ed..8ce310de 100755 --- a/DocDB/cgi/Search +++ b/DocDB/cgi/Search @@ -36,9 +36,11 @@ require "HTMLUtilities.pm"; require "Search.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); ### Set up, give user initial information +# Need these unsanitized to perform searches. Never printed anyhow. my %CGIParams = $query -> Vars; ### Pull info out of params into local variables From 2e7be2169781d4f5031ea2071875baefcf66dcc7 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Tue, 30 Jul 2013 15:33:16 -0500 Subject: [PATCH 076/163] Update SearchForm --- DocDB/cgi/SearchForm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
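Review bot: The new comment `# Need these unsanitized to perform searches. Never printed anyhow.` ties the raw values to the wrong mechanism: `autoEscape` only controls how CGI.pm escapes values it writes into generated form elements, while `$query -> Vars` has always returned parameters unescaped, with or without the added `autoEscape(0)` line. Say what actually makes raw values acceptable, e.g. `# Vars is always raw; autoEscape(0) only affects CGI.pm-generated form elements. Raw terms are OK because SearchAtoms quotes them before SQL and this script never echoes them`. The "never echoes them" half is a claim worth verifying against the rest of Search, which lies outside this hunk.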
diff --git a/DocDB/cgi/SearchForm b/DocDB/cgi/SearchForm index 5f6fc4ef..dd338580 100755 --- a/DocDB/cgi/SearchForm +++ b/DocDB/cgi/SearchForm @@ -43,6 +43,7 @@ require "HTMLUtilities.pm"; require "MeetingHTML.pm"; $query = new CGI; # Global for subroutines +$query -> autoEscape(0); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); GetAuthors(); @@ -51,7 +52,7 @@ GetSecurityGroups(); GetJournals(); GetDocTypes(); -%params = $query -> Vars; +#%params = $query -> Vars; print $query -> header( -charset => $HTTP_ENCODING ); From fc27369cadc9e4d6234be674cc60d7df1297bac1 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 31 Jul 2013 15:16:08 -0500 Subject: [PATCH 077/163] Fix document link, add CGI::Untaint to scripts modified so far --- DocDB/cgi/AddFiles | 4 +- DocDB/cgi/AuthorAdd | 22 ++++----- DocDB/cgi/AuthorAdminister | 2 +- DocDB/cgi/ConfirmTalkHint | 16 +++---- DocDB/cgi/CustomListForm | 1 + DocDB/cgi/DeleteConfirm | 2 +- DocDB/cgi/DeleteDocument | 2 +- DocDB/cgi/DisplayMeeting | 2 +- DocDB/cgi/DocDBInstructions | 2 +- DocDB/cgi/DocTypeAdminister | 24 +++++----- DocDB/cgi/DocumentHTML.pm | 4 +- DocDB/cgi/EditTalkInfo | 17 +++---- DocDB/cgi/EmailAdminister | 2 +- DocDB/cgi/EmailAdministerForm | 1 + DocDB/cgi/EmailCreate | 18 ++++---- DocDB/cgi/EventAdministerForm | 1 + DocDB/cgi/ExternalDocDBAdministerForm | 45 +++++++++--------- DocDB/cgi/GroupAdminister | 66 +++++++++++++-------------- DocDB/cgi/InstitutionAdminister | 28 ++++++------ DocDB/cgi/JournalAdminister | 32 ++++++------- DocDB/cgi/KeywordGroupAdminister | 28 ++++++------ DocDB/cgi/KeywordListAdminister | 42 ++++++++--------- 22 files changed, 184 insertions(+), 177 deletions(-) diff --git a/DocDB/cgi/AddFiles b/DocDB/cgi/AddFiles index 259451f6..ddba2bf4 100755 --- a/DocDB/cgi/AddFiles +++ b/DocDB/cgi/AddFiles 
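Review bot: With `autoEscape(0)` every author, topic, journal and document-type name this form feeds to CGI.pm list and menu generators (the `GetAuthors()` through `GetDocTypes()` calls just below) is written into the page unescaped, so a name containing `<` or `"` that was stored before the admin scripts grew `-as_safehtml` now renders raw. Either escape those labels where the widgets are built or record the dependency at the call site: `# autoEscape off: DB-sourced -values/-labels below must be escaped by the caller`. The commented-out `%params = $query -> Vars;` should simply be deleted if the form no longer reads request parameters.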
@@ -26,7 +26,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA use Benchmark; -use CGI; +use CGI::Untaint; use DBI; $StartTime = new Benchmark; @@ -74,7 +74,7 @@ print $query -> header( -charset => $HTTP_ENCODING ); ### Get document and revision ID my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0; -my $Version = $Untaint -> extract(-as_integer => "version") || 0; +my $Version = $Untaint -> extract(-as_integer => "version") || 0; my $Replace = $Untaint -> extract(-as_printable => "replace") || ""; my $MaxFiles = $Untaint -> extract(-as_integer => "maxfiles") || 0; my $Replace = $Untaint -> extract(-as_printable => "submitagree") || ""; diff --git a/DocDB/cgi/AuthorAdd b/DocDB/cgi/AuthorAdd index 24faf37f..5ea8a8d2 100755 --- a/DocDB/cgi/AuthorAdd +++ b/DocDB/cgi/AuthorAdd @@ -1,8 +1,8 @@ #! /usr/bin/env perl # # Name: AuthorAdd -# Description: Adds an author into the DB list of authors. -# Called by submission from AddAuthorForm +# Description: Adds an author into the DB list of authors. +# Called by submission from AddAuthorForm # # Author: Eric Vaandering (ewv@fnal.gov) # Modified: Eric Vaandering (ewv@fnal.gov) @@ -13,7 +13,7 @@ # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -25,7 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; 
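Review bot: `my $Replace` is declared twice in the AddFiles parameter hunk; the second, `my $Replace = $Untaint -> extract(-as_printable => "submitagree") || "";`, masks the first, so the `replace` parameter is discarded and `$Replace` actually holds `submitagree` (Perl warns `"my" variable $Replace masks earlier declaration` when warnings are on). The last line was presumably meant to be `my $SubmitAgree = $Untaint -> extract(-as_printable => "submitagree") || "";`. The hunk itself only touches whitespace on the `$Version` line, but the masking sits on its context lines and is worth fixing while here.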
@@ -58,24 +58,24 @@ unless (CanCreate()) { } unless ($InstitutionID && $FirstName && $LastName) { push @ErrorStack,"You must supply a first and last name and an institution."; -} - +} + EndPage(@ErrorStack); my $AuthorInsert = $dbh->prepare( "insert into Author ". - "(AuthorID, FirstName, MiddleInitials, LastName, InstitutionID,Active) ". + "(AuthorID, FirstName, MiddleInitials, LastName, InstitutionID,Active) ". "values (0, ?, ?, ?, ?, 1)"); - + $AuthorInsert -> execute($FirstName,$MiddleInitials,$LastName,$InstitutionID); my $AuthorID = $AuthorInsert -> {mysql_insertid}; # Works with MySQL only - + if ($AuthorID) { - push @ActionStack,"$FirstName $MiddleInitials $LastName has been added as an author. You can add another author."; + push @ActionStack,"$FirstName $MiddleInitials $LastName has been added as an author. You can add another author."; } else { unless (@ErrorStack) { push @ErrorStack,"Something unknown went wrong. Contact an administrator."; - } + } } ActionReport(); diff --git a/DocDB/cgi/AuthorAdminister b/DocDB/cgi/AuthorAdminister index f88e0192..55a04f87 100755 --- a/DocDB/cgi/AuthorAdminister +++ b/DocDB/cgi/AuthorAdminister @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/ConfirmTalkHint b/DocDB/cgi/ConfirmTalkHint index b7ed53ce..a9b1e65d 100755 --- a/DocDB/cgi/ConfirmTalkHint +++ b/DocDB/cgi/ConfirmTalkHint @@ -1,6 +1,6 @@ #! /usr/bin/env perl # -# Description: Script to confirm a match between a talk entered in the agenda +# Description: Script to confirm a match between a talk entered in the agenda # and a document # # Author: Eric Vaandering (ewv@fnal.gov) 
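Review bot: `use CGI::Untaint;` is not a replacement for `use CGI;`: as far as I can see from its interface CGI::Untaint only takes a hash of parameters and does not load CGI.pm itself, so after the swap `$query = new CGI;` further down works only because some `require`d DocDB module happens to pull CGI in, an implicit dependency that breaks the moment that module stops doing so. Keep both lines, `use CGI;` and `use CGI::Untaint;`, as the EditTalkInfo hunk in this same commit does with `use CGI qw(-nosticky); use CGI::Untaint;`. The same substitution is made in AddFiles, DeleteConfirm, DeleteDocument, DisplayMeeting, DocDBInstructions and EmailAdminister.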
@@ -12,7 +12,7 @@ # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -25,7 +25,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -57,11 +57,11 @@ my $SessionTalkID = $Untaint -> extract(-as_integer => "sessiontalkid") || 0; unless ($DocumentID) { push @ErrorStack,"You are must supply a document number!"; -} +} unless ($SessionTalkID) { push @ErrorStack,"You are must supply a Session Number!"; -} +} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("Confirming document match","",-nobody => $TRUE); @@ -69,7 +69,7 @@ print $query -> header( -charset => $HTTP_ENCODING ); $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass); unless ($dbh) { push @ErrorStack,$Msg_NoConnect; -} +} &EndPage(@ErrorStack); &FetchDocument($DocumentID); @@ -101,9 +101,9 @@ my $RevisionEventCheck = $dbh -> prepare("select RevEventID from RevisionEvent w $RevisionEventCheck -> execute($DocRevID,$ConferenceID); my ($RevisionEventID) = $RevisionEventCheck -> fetchrow_array; unless ($RevisionEventID) { - my $Insert = $dbh -> prepare("insert into RevisionEvent (RevEventID,DocRevID,ConferenceID) values (0,?,?)"); + my $Insert = $dbh -> prepare("insert into RevisionEvent (RevEventID,DocRevID,ConferenceID) values (0,?,?)"); $Insert -> execute($DocRevID,$ConferenceID); -} +} print "

    The match has been confirmed.
    Press the button below to reload the original page.

    \n"; diff --git a/DocDB/cgi/CustomListForm b/DocDB/cgi/CustomListForm index 5afedac6..349b58cd 100755 --- a/DocDB/cgi/CustomListForm +++ b/DocDB/cgi/CustomListForm @@ -28,6 +28,7 @@ use CGI qw(-nosticky); +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/DeleteConfirm b/DocDB/cgi/DeleteConfirm index 2bc0577d..82f15b44 100755 --- a/DocDB/cgi/DeleteConfirm +++ b/DocDB/cgi/DeleteConfirm @@ -25,7 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/DeleteDocument b/DocDB/cgi/DeleteDocument index 12e48535..01ea1b31 100755 --- a/DocDB/cgi/DeleteDocument +++ b/DocDB/cgi/DeleteDocument @@ -24,7 +24,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/DisplayMeeting b/DocDB/cgi/DisplayMeeting index 3b3c4c25..d239f6a4 100755 --- a/DocDB/cgi/DisplayMeeting +++ b/DocDB/cgi/DisplayMeeting @@ -26,7 +26,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA use Benchmark; -use CGI; +use CGI::Untaint; use DBI; $StartTime = new Benchmark; diff --git a/DocDB/cgi/DocDBInstructions b/DocDB/cgi/DocDBInstructions index 3dbce48f..cbc44330 100755 --- a/DocDB/cgi/DocDBInstructions +++ b/DocDB/cgi/DocDBInstructions @@ -25,7 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/DocTypeAdminister b/DocDB/cgi/DocTypeAdminister index f325f433..b1e44679 100755 --- a/DocDB/cgi/DocTypeAdminister +++ b/DocDB/cgi/DocTypeAdminister 
@@ -1,19 +1,19 @@ #! /usr/bin/env perl # # Name: DocTypeAdminister.pm -# Description: This script is called by AdministerForm and does administration +# Description: This script is called by AdministerForm and does administration # on document types in the DB. This script adds, modifies and # deletes document types. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -25,7 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -40,7 +40,7 @@ $query = new CGI; # Global for subroutines $query -> autoEscape(0); my $Untaint = CGI::Untaint -> new($query -> Vars); -# Parameters to script +# Parameters to script my $Password = $Untaint -> extract(-as_printable => "password") || ""; my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; @@ -54,7 +54,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,$Msg_AdminNoConnect; -} +} EndPage(); print $query -> header( -charset => $HTTP_ENCODING ); @@ -62,7 +62,7 @@ DocDBHeader("Modified List of Document Types"); unless (CanAdminister()) { push @ErrorStack,$Msg_AdminNoLogin; -} +} EndPage(); GetDocTypes(); 
@@ -81,14 +81,14 @@ if ($Action eq "Delete") { # Delete institutions } EndPage(); -# Deal with name changes +# Deal with name changes - if ($ShortName) { + if ($ShortName) { push @ActionStack,"Changed document type's short name to $ShortName"; my $DocTypeUpdate = $dbh->prepare("update DocumentType set ShortType=? where DocTypeID=?"); $DocTypeUpdate -> execute($ShortName,$DocTypeID); } - if ($LongName) { + if ($LongName) { push @ActionStack,"Changed document type's long name to $LongName"; my $DocTypeUpdate = $dbh -> prepare("update DocumentType set LongType=? where DocTypeID=?"); $DocTypeUpdate -> execute($LongName,$DocTypeID); @@ -100,7 +100,7 @@ if ($Action eq "Delete") { # Delete institutions $DocTypeID = $DocTypeInsert -> {mysql_insertid}; # Works with MySQL only } else { push @ErrorStack,"No valid action was specified."; -} +} # For modify or new fetch institution information and display. @@ -109,5 +109,5 @@ EndPage(); DocDBNavBar(); DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; diff --git a/DocDB/cgi/DocumentHTML.pm b/DocDB/cgi/DocumentHTML.pm index 85dcd1d1..a0505635 100644 --- a/DocDB/cgi/DocumentHTML.pm +++ b/DocDB/cgi/DocumentHTML.pm @@ -23,6 +23,8 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +require "HTMLUtilities.pm"; + sub DocumentTable (%) { require "DocumentSQL.pm"; require "RevisionSQL.pm"; @@ -383,7 +385,7 @@ sub DocumentLink (%) { $Link .= $DocumentID."-v".$Version; $Link .= $EndElement; } elsif ($TitleLink) { # Use the document Title - $Link .= $DocRevisions{$DocRevID}{Title}; + $Link .= SmartHTML({-text => $DocRevisions{$DocRevID}{Title} }); $Link .= $EndElement; if ($UseSignoffs && !$NoApprovalStatus) { # Put document status on next line require "SignoffUtilities.pm"; diff --git a/DocDB/cgi/EditTalkInfo b/DocDB/cgi/EditTalkInfo index ee36365d..a80b955e 100755 --- a/DocDB/cgi/EditTalkInfo +++ b/DocDB/cgi/EditTalkInfo 
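Review bot: Wrapping the title in `SmartHTML({-text => ...})` is the right fix, but nothing at the call site says why, and a short comment keeps the next edit from undoing it: `# Title is user-entered text: escape it before it lands inside the anchor`. DocumentLink starts and ends outside this hunk, so I cannot see whether its other text-emitting branches (anything beyond the numeric `$DocumentID."-v".$Version` shown here) received the same treatment; if any still concatenates DB text directly it needs it too. The added `require "HTMLUtilities.pm";` at the top of the module is fine, assuming that file has no side effects on load.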
@@ -5,14 +5,14 @@ # and display it since it could get crowded in the normal table. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -26,7 +26,8 @@ # FIXME: XHTML -use CGI qw(-nosticky); +use CGI qw(-nosticky); +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -42,7 +43,7 @@ require "TalkSQL.pm"; require "MeetingSQL.pm"; require "TalkHintSQL.pm"; -$query = new CGI; +$query = new CGI; $query -> autoEscape(0); my $Untaint = CGI::Untaint -> new($query -> Vars); @@ -57,7 +58,7 @@ my @TopicHints = @{ $Untaint -> extract(-as_listofint => "topics") || undef }; if ($Confirmed) { $Confirmed = $TRUE; } - + CreateConnection(-type => "rw"); EndPage(-startpage => $TRUE); @@ -90,14 +91,14 @@ EndPage(-startpage => $TRUE); if ($TalkSeparatorID) { # Modify a talk separator my $TalkSeparatorUpdate = $dbh -> prepare( "update TalkSeparator set ". - "Time=?, Title=?, Note=? ". + "Time=?, Title=?, Note=? ". "where TalkSeparatorID=?"); $TalkSeparatorUpdate -> execute($Length,$Title,$Note,$TalkSeparatorID); push @ActionStack,"Modified break: $Title"; } elsif ($SessionTalkID) { # Modify a talk my $SessionTalkUpdate = $dbh -> prepare( "update SessionTalk set ". - "DocumentID=?, Confirmed=?, Time=?, HintTitle=?, Note=? ". + "DocumentID=?, Confirmed=?, Time=?, HintTitle=?, Note=? ". "where SessionTalkID=?"); $SessionTalkUpdate -> execute($DocumentID,$Confirmed,$Length,$Title,$Note,$SessionTalkID); if ($Confirmed) { 
@@ -107,7 +108,7 @@ if ($TalkSeparatorID) { # Modify a talk separator InsertAuthorHints($SessionTalkID,@AuthorHints); push @ActionStack,"Modified talk: $Title"; } - + # Start page print $query -> header( -charset => $HTTP_ENCODING ); diff --git a/DocDB/cgi/EmailAdminister b/DocDB/cgi/EmailAdminister index 27d95930..4abad034 100755 --- a/DocDB/cgi/EmailAdminister +++ b/DocDB/cgi/EmailAdminister @@ -29,7 +29,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/EmailAdministerForm b/DocDB/cgi/EmailAdministerForm index 0e49d632..40e20641 100755 --- a/DocDB/cgi/EmailAdministerForm +++ b/DocDB/cgi/EmailAdministerForm @@ -28,6 +28,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA use CGI qw(-nosticky); +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/EmailCreate b/DocDB/cgi/EmailCreate index 92c7cfed..2afe657e 100755 --- a/DocDB/cgi/EmailCreate +++ b/DocDB/cgi/EmailCreate @@ -3,7 +3,7 @@ # Description: Creates a new e-mail notification account # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant @@ -11,7 +11,7 @@ # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -23,9 +23,9 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; - + require "DocDBGlobals.pm"; require "HTMLUtilities.pm"; require "ResponseElements.pm"; 
@@ -66,7 +66,7 @@ if ($UserExists) { } # Start the page - + print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("Notification Account Creation"); @@ -74,7 +74,7 @@ print $query -> header( -charset => $HTTP_ENCODING ); unless (@ErrorStack) { srand (time ^ $$ ^ unpack "%32L*", `ps -eaf`); - + my $Salt = ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]). ((0..9,'a'..'z','A'..'Z','.','/')[(int rand (64))]); @@ -82,10 +82,10 @@ unless (@ErrorStack) { my $UserInsert = $dbh -> prepare( "insert into EmailUser (EmailUserID,Username,Password) ". "values (0, ?, ?)"); - $UserInsert -> execute($UserName,$EncryptedPassword); - + $UserInsert -> execute($UserName,$EncryptedPassword); + print "User $UserName created. Do not forget your password, there is no way to - retrieve it.

    \n"; + retrieve it.

    \n"; } EndPage(@ErrorStack); diff --git a/DocDB/cgi/EventAdministerForm b/DocDB/cgi/EventAdministerForm index 76d02c62..4d75f404 100755 --- a/DocDB/cgi/EventAdministerForm +++ b/DocDB/cgi/EventAdministerForm @@ -28,6 +28,7 @@ use CGI qw(-nosticky); +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; diff --git a/DocDB/cgi/ExternalDocDBAdministerForm b/DocDB/cgi/ExternalDocDBAdministerForm index 9ebd525d..5921f581 100755 --- a/DocDB/cgi/ExternalDocDBAdministerForm +++ b/DocDB/cgi/ExternalDocDBAdministerForm @@ -1,10 +1,10 @@ #! /usr/bin/env perl # # Name: ExternalDocDBAdministerForm -# Description: Allows the administrator to add knowledge of other DocDBs. +# Description: Allows the administrator to add knowledge of other DocDBs. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant @@ -12,7 +12,7 @@ # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -26,6 +26,7 @@ use CGI qw(-nosticky); +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -75,7 +76,7 @@ GetSecurityGroups(); print $query -> header( -charset => $HTTP_ENCODING ); DocDBHeader("Administer External DocDBs","", - -scripts => ["PopUps","ExternalDocDBAdminDisable"]); + -scripts => ["PopUps","ExternalDocDBAdminDisable"]); unless (CanAdminister()) { push @ErrorStack,"You are not allowed to access administrative functions."; 
@@ -95,40 +96,40 @@ if ($SubForm eq "externaldocdb") { $Delete -> execute($ExternalDocDBID); push @ActionStack,"Deleted reference to external DocDB"; } elsif ($Action eq "Modify") { - if ($ProjectName) { + if ($ProjectName) { push @ActionStack,"Updated project name of $ExternalDocDBs{$ExternalDocDBID}{Project}"; my $Update = $dbh->prepare("update ExternalDocDB set Project=? where ExternalDocDBID=?"); $Update -> execute($ProjectName,$ExternalDocDBID); } - if ($Description) { + if ($Description) { push @ActionStack,"Updated description of $ExternalDocDBs{$ExternalDocDBID}{Project}"; my $Update = $dbh->prepare("update ExternalDocDB set Description=? where ExternalDocDBID=?"); $Update -> execute($Description,$ExternalDocDBID); } - if ($PrivateURL) { + if ($PrivateURL) { push @ActionStack,"Updated private URL of $ExternalDocDBs{$ExternalDocDBID}{Project}"; my $Update = $dbh->prepare("update ExternalDocDB set PrivateURL=? where ExternalDocDBID=?"); $Update -> execute($PrivateURL,$ExternalDocDBID); } - if ($PublicURL) { + if ($PublicURL) { push @ActionStack,"Updated public URL of $ExternalDocDBs{$ExternalDocDBID}{Project}"; my $Update = $dbh->prepare("update ExternalDocDB set PublicURL=? where ExternalDocDBID=?"); $Update -> execute($PublicURL,$ExternalDocDBID); } - } elsif ($Action eq "New") { + } elsif ($Action eq "New") { push @ActionStack,"New external DocDB for $ProjectName added"; - my $Insert = $dbh -> prepare("insert into ExternalDocDB (Project,Description,PrivateURL,PublicURL) values (?,?,?,?)"); + my $Insert = $dbh -> prepare("insert into ExternalDocDB (Project,Description,PrivateURL,PublicURL) values (?,?,?,?)"); $Insert -> execute($ProjectName,$Description,$PrivateURL,$PublicURL); } else { push @WarnStack,"No valid action was specified."; - } + } } - -if (@ActionStack) { + +if (@ActionStack) { ClearExternalDocDBs(); GetAllExternalDocDBs(); ActionReport(); -} +} EndPage(); 
@@ -157,7 +158,7 @@ print $query -> start_multipart_form('POST',"$ExternalDocDBAdministerForm", "name=\"externaldocdb\" id=\"externaldocdb\""); print "\n"; print "\n"; -print "\n"; @@ -165,33 +166,33 @@ print "\n"; print "\n"; print "\n"; -print "\n"; +print "\n"; print "\n"; print "\n"; -print "\n"; print "\n"; print "\n"; -print "\n"; print "\n"; print "\n"; -print "\n"; print "\n"; print "\n"; -print "\n"; print "\n"; diff --git a/DocDB/cgi/GroupAdminister b/DocDB/cgi/GroupAdminister index 585a16b2..dde15cbd 100755 --- a/DocDB/cgi/GroupAdminister +++ b/DocDB/cgi/GroupAdminister @@ -1,20 +1,20 @@ #! /usr/bin/env perl # -# Name: GroupAdminister -# Description: This script is called by GroupAdministerForm and does -# administration on Groups in the DB. This script adds, modifies +# Name: GroupAdminister +# Description: This script is called by GroupAdministerForm and does +# administration on Groups in the DB. This script adds, modifies # and deletes groups. It also displays all the groups and their -# relationships since this can be difficult to understand. +# relationships since this can be difficult to understand. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -26,7 +26,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; 
@@ -44,7 +44,7 @@ my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); -# Parameters to script +# Parameters to script my $Password = $Untaint -> extract(-as_printable => "password") || ""; my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; @@ -71,7 +71,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,$Msg_AdminNoConnect; -} +} print $query -> header( -charset => $HTTP_ENCODING ); DocDBHeader("Modified Groups"); @@ -80,7 +80,7 @@ EndPage(@ErrorStack); unless (CanAdminister()) { push @ErrorStack,$Msg_AdminNoLogin; -} +} EndPage(@ErrorStack); GetSecurityGroups(); @@ -109,29 +109,29 @@ if ($Action eq "Delete") { # Delete group ($Count) = $RSC -> fetchrow_array; if ($Count) { push @WarnStack,"Action would change view list on $Count document(s)."; - } + } $TotalCount += $Count; ($Count) = $RMC -> fetchrow_array; if ($Count) { push @WarnStack,"Action would change modify list on $Count document(s)."; - } + } $TotalCount += $Count; ($Count) = $MSC -> fetchrow_array; if ($Count) { push @WarnStack,"Action would change view list on $Count event(s)."; - } + } $TotalCount += $Count; ($Count) = $MMC -> fetchrow_array; if ($Count) { push @WarnStack,"Action would change modify list on $Count event(s)."; - } + } $TotalCount += $Count; ($Count) = $EUC -> fetchrow_array; if ($Count) { push @WarnStack,"Action would change groups for $Count user(s)."; - } + } $TotalCount += $Count; - } + } if ($Force || !$TotalCount) { my $RSD = $dbh -> prepare("delete from RevisionSecurity where GroupID=?"); @@ -144,7 +144,7 @@ if ($Action eq "Delete") { # Delete group $Count = $RSD -> execute($ParentID); if (int($Count)) { push @ActionStack,"Group removed from view list on $Count document(s)."; - } + } $Count = $RMD -> execute($ParentID); if (int($Count)) { push @ActionStack,"Group removed from modify list on $Count document(s)."; 
@@ -169,7 +169,7 @@ if ($Action eq "Delete") { # Delete group push @ActionStack,"$SecurityGroups{$ParentID}{NAME} has been deleted."; push @ActionStack,"Remove group from .htpasswd file and run scripts/Resecure if applicable."; } else { - push @ErrorStack,"Action could lead to unintended consequences. + push @ErrorStack,"Action could lead to unintended consequences. Use the force option if you want to proceed."; } } @@ -179,15 +179,15 @@ if ($Action eq "Delete") { # Delete group } EndPage(@ErrorStack); -# Deal with name changes +# Deal with name changes - if ($Name) { + if ($Name) { push @ActionStack,"Updating group name."; my $GroupUpdate = $dbh->prepare( "update SecurityGroup set Name=? where GroupID=?"); $GroupUpdate -> execute($Name,$ParentID); } - if ($Description) { + if ($Description) { push @ActionStack,"Updating group description."; my $GroupUpdate = $dbh->prepare( "update SecurityGroup set Description=? where GroupID=?"); @@ -210,32 +210,32 @@ if ($Action eq "Delete") { # Delete group push @ActionStack,"Adding subordinate."; $HierarchyInsert -> execute($ChildID,$ParentID); } - } + } } -# Update permissions - +# Update permissions + if ($NoPerm) { my $GroupUpdate = $dbh->prepare( "update SecurityGroup set CanCreate=0,CanAdminister=0,CanView=0,CanConfig=0 where GroupID=?"); $GroupUpdate -> execute($ParentID); - } + } if ($View) { my $GroupUpdate = $dbh->prepare( "update SecurityGroup set CanView=1 where GroupID=?"); $GroupUpdate -> execute($ParentID); - } + } if ($Create) { my $GroupUpdate = $dbh->prepare( "update SecurityGroup set CanCreate=1 where GroupID=?"); $GroupUpdate -> execute($ParentID); - } + } if ($Admin) { my $GroupUpdate = $dbh->prepare( "update SecurityGroup set CanAdminister=1 where GroupID=?"); $GroupUpdate -> execute($ParentID); - } - + } + } elsif ($Action eq "New") { # Create new groups push @ActionStack,"Adding a new group."; my $GroupInsert = $dbh->prepare( 
@@ -252,10 +252,10 @@ if ($Action eq "Delete") { # Delete group if ($ChildID && $ChildID != $ParentID) { $HierarchyInsert -> execute($ChildID,$ParentID); } - } + } } else { push @ErrorStack,"No valid action was specified."; -} +} # For modify or new fetch institution information and display. @@ -285,9 +285,9 @@ if ($Action eq "Modify" || $Action eq "New") { print "\n"; print "\n"; print "
    \n"; +print "\n"; AdministerActions(-form => "externaldocdb"); print $query -> hidden(-name => "subform", -default => "externaldocdb"); print "
    \n"; - ExternalDocDBSelect(-disabled => true, -format => "full"); -print "\n"; + ExternalDocDBSelect(-disabled => true, -format => "full"); +print "\n"; TextField(-name => "project", -disabled => "true", -helptext => "Project", -helplink => "extdocdb"); print "
    \n"; +print "\n"; TextField(-name => "desc", -disabled => "true", -helptext => "Description", -helplink => "extdocdb"); print "
    \n"; +print "\n"; TextField(-name => "puburl", -disabled => "true", -helptext => "Public URL", -helplink => "extdocdb"); print "
    \n"; +print "\n"; TextField(-name => "privurl", -disabled => "true", -helptext => "Private URL", -helplink => "extdocdb"); print "
    \n"; +print "\n"; AdminRegardless(); print "
    \n"; -} +} DocDBNavBar(); DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; diff --git a/DocDB/cgi/InstitutionAdminister b/DocDB/cgi/InstitutionAdminister index d8268ea3..02f05011 100755 --- a/DocDB/cgi/InstitutionAdminister +++ b/DocDB/cgi/InstitutionAdminister @@ -3,17 +3,17 @@ # Description: This script is called by AdministerForm and does administration # on Institutions in the DB. This script adds, modifies and deletes # institutions. It will not delete institutions if there are authors -# associated with that institution. +# associated with that institution. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -25,7 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -43,7 +43,7 @@ my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); -# Parameters to script +# Parameters to script my $Password = $Untaint -> extract(-as_printable => "password") || ""; my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; @@ -57,7 +57,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,$Msg_AdminNoConnect; -} +} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("Modified List of Institutions"); 
@@ -65,13 +65,13 @@ print $query -> header( -charset => $HTTP_ENCODING ); unless (&CanAdminister) { push @ErrorStack,$Msg_AdminNoLogin; -} +} &EndPage(@ErrorStack); &GetInstitutions; if ($Action eq "Delete") { # Delete institutions - @AuthorIDs = &GetInstitutionAuthors($InstitutionID); + @AuthorIDs = &GetInstitutionAuthors($InstitutionID); if (!$InstitutionID) { push @ErrorStack,$Msg_ModInstEmpty; } elsif (@AuthorIDs) { @@ -89,15 +89,15 @@ if ($Action eq "Delete") { # Delete institutions } &EndPage(@ErrorStack); -# Deal with name changes +# Deal with name changes - if ($ShortName) { + if ($ShortName) { print "Updating short institution name.
    \n"; my $InstitutionUpdate = $dbh->prepare( "update Institution set ShortName=? where InstitutionID=?"); $InstitutionUpdate -> execute($ShortName,$InstitutionID); } - if ($LongName) { + if ($LongName) { print "Updating long institution name.
    \n"; my $InstitutionUpdate = $dbh->prepare( "update Institution set LongName=? where InstitutionID=?"); @@ -113,7 +113,7 @@ if ($Action eq "Delete") { # Delete institutions $InstitutionID = $InstitutionInsert -> {mysql_insertid}; # Works with MySQL only } else { push @ErrorStack,"No valid action was specified."; -} +} # For modify or new fetch institution information and display. @@ -124,7 +124,7 @@ if ($Action eq "Modify" || $Action eq "New") { print "Short institution name: $Institutions{$InstitutionID}{SHORT}
    \n"; print "Long institution name: $Institutions{$InstitutionID}{LONG}
    \n"; print "

    \n"; -} +} print "

    \n"; @@ -133,5 +133,5 @@ print "

    \n"; &DocDBNavBar; &DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; diff --git a/DocDB/cgi/JournalAdminister b/DocDB/cgi/JournalAdminister index 13a271b1..b19936c5 100755 --- a/DocDB/cgi/JournalAdminister +++ b/DocDB/cgi/JournalAdminister @@ -2,17 +2,17 @@ # # Description: This script is called by AdministerForm and does administration # on journals in the DB. This script adds, modifies and deletes -# journals. +# journals. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -24,7 +24,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -42,7 +42,7 @@ my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); -# Parameters to script +# Parameters to script my $Password = $Untaint -> extract(-as_printable => "password") || ""; my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; @@ -59,7 +59,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,$Msg_AdminNoConnect; -} +} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("Modified List of Institutions"); @@ -67,7 +67,7 @@ print $query -> header( -charset => $HTTP_ENCODING ); unless (&CanAdminister) { push @ErrorStack,$Msg_AdminNoLogin; -} +} &EndPage(@ErrorStack); &GetJournals; 
@@ -86,33 +86,33 @@ if ($Action eq "Delete") { # Delete institutions } &EndPage(@ErrorStack); -# Deal with name changes +# Deal with name changes - if ($FullName) { + if ($FullName) { print "Updating journal name.
    \n"; my $JournalUpdate = $dbh->prepare( "update Journal set Name=? where JournalID=?"); $JournalUpdate -> execute($FullName,$JournalID); } - if ($Abbreviation) { + if ($Abbreviation) { print "Updating journal abbreviation.
    \n"; my $JournalUpdate = $dbh->prepare( "update Journal set Abbreviation=? where JournalID=?"); $JournalUpdate -> execute($Abbreviation,$JournalID); } - if ($Acronym) { + if ($Acronym) { print "Updating journal acronym.
    \n"; my $JournalUpdate = $dbh->prepare( "update Journal set Acronym=? where JournalID=?"); $JournalUpdate -> execute($Acronym,$JournalID); } - if ($Publisher) { + if ($Publisher) { print "Updating journal publisher.
    \n"; my $JournalUpdate = $dbh->prepare( "update Journal set Publisher=? where JournalID=?"); $JournalUpdate -> execute($Publisher,$JournalID); } - if ($URL) { + if ($URL) { print "Updating journal URL.
    \n"; my $JournalUpdate = $dbh->prepare( "update Journal set URL=? where JournalID=?"); @@ -129,7 +129,7 @@ if ($Action eq "Delete") { # Delete institutions $JournalID = $JournalInsert -> {mysql_insertid}; # Works with MySQL only } else { push @ErrorStack,"No valid action was specified."; -} +} # For modify or new fetch institution information and display. @@ -142,7 +142,7 @@ if ($Action eq "Modify" || $Action eq "New") { print "Publisher: $Journals{$JournalID}{Publisher}
    \n"; print "URL: $Journals{$JournalID}{URL}
    \n"; print "

    \n"; -} +} print "

    \n"; @@ -151,5 +151,5 @@ print "

    \n"; &DocDBNavBar; &DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; diff --git a/DocDB/cgi/KeywordGroupAdminister b/DocDB/cgi/KeywordGroupAdminister index 3587dddf..321f9d32 100755 --- a/DocDB/cgi/KeywordGroupAdminister +++ b/DocDB/cgi/KeywordGroupAdminister @@ -3,17 +3,17 @@ # Description: This script is called by KeywordAdministerForm and does administration # on Keyword Groups in the DB. This script adds, modifies and deletes # these groups. It will not delete groups if there are associated -# keywords. +# keywords. # # Author: Lynn Garren (garren@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -25,7 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -43,7 +43,7 @@ my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); -# Parameters to script +# Parameters to script my $Password = $Untaint -> extract(-as_printable => "password") || ""; my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; @@ -57,7 +57,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,$Msg_AdminNoConnect; -} +} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("Modified List of Keyword Groups"); 
@@ -66,13 +66,13 @@ print $query -> header( -charset => $HTTP_ENCODING ); unless (&CanAdminister) { push @ErrorStack,$Msg_AdminNoLogin; -} +} &EndPage(@ErrorStack); &GetKeywords; if ($Action eq "Delete") { # Delete keyword groups - @KeywordListIDs = &GetKeywordsByKeywordGroupID($KeywordGroupID); + @KeywordListIDs = &GetKeywordsByKeywordGroupID($KeywordGroupID); if (!$KeywordGroupID) { push @ErrorStack,$Msg_ModKeyGrEmpty; } elsif (@KeywordListIDs) { # Not sure we want this anymore @@ -90,15 +90,15 @@ if ($Action eq "Delete") { # Delete keyword groups } &EndPage(@ErrorStack); -# Deal with name changes +# Deal with name changes - if ($ShortName) { + if ($ShortName) { print "Updating short description.
    \n"; my $KeywordGroupUpdate = $dbh->prepare( "update KeywordGroup set ShortDescription=? where KeywordGroupID=?"); $KeywordGroupUpdate -> execute($ShortName,$KeywordGroupID); } - if ($LongName) { + if ($LongName) { print "Updating long description.
    \n"; my $KeywordGroupUpdate = $dbh->prepare( "update KeywordGroup set LongDescription=? where KeywordGroupID=?"); @@ -114,7 +114,7 @@ if ($Action eq "Delete") { # Delete keyword groups $KeywordGroupID = $KeywordGroupInsert -> {mysql_insertid}; # Works with MySQL only } else { push @ErrorStack,"No valid action was specified."; -} +} # For modify or new fetch information and display. @@ -124,7 +124,7 @@ if ($Action eq "Modify" || $Action eq "New") { print "Short description: $KeywordGroups{$KeywordGroupID}{Short}
    \n"; print "Long description: $KeywordGroups{$KeywordGroupID}{Long}
    \n"; print "

    \n"; -} +} print "

    \n"; $keyadminform = "Administer Keywords"; @@ -139,5 +139,5 @@ print "

    \n"; &DocDBNavBar; &DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; diff --git a/DocDB/cgi/KeywordListAdminister b/DocDB/cgi/KeywordListAdminister index d3b7b722..0ef831a5 100755 --- a/DocDB/cgi/KeywordListAdminister +++ b/DocDB/cgi/KeywordListAdminister @@ -1,7 +1,7 @@ #! /usr/bin/env perl # # Description: This script is called by KeywordAdministerForm and does administration -# on the Keyword table in the DB. +# on the Keyword table in the DB. # # Author: Lynn Garren (garren@fnal.gov) # Modified: Eric Vaandering (ewv@fnal.gov) @@ -11,7 +11,7 @@ # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -26,7 +26,7 @@ # FIXME: Check for no groups, warn # FIXME: Check for duplicate keyword, warn -use CGI; +use CGI::Untaint; use DBI; require "DocDBGlobals.pm"; @@ -45,8 +45,8 @@ my $Untaint = CGI::Untaint -> new($query -> Vars); @ErrorStack = (); @WarnStack = (); -# Parameters to script - +# Parameters to script + my $Password = $Untaint -> extract(-as_printable => "password") || ""; my $Username = $Untaint -> extract(-as_printable => "admuser") || ""; my $Action = $Untaint -> extract(-as_printable => "admaction") || ""; @@ -60,7 +60,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$Username,$Password); unless ($dbh) { push @ErrorStack,$Msg_AdminNoConnect; -} +} print $query -> header( -charset => $HTTP_ENCODING ); &DocDBHeader("Modified List of Keywords"); @@ -68,10 +68,10 @@ print $query -> header( -charset => $HTTP_ENCODING ); unless (&CanAdminister) { push @ErrorStack,$Msg_AdminNoLogin; -} +} &EndPage(@ErrorStack); -if ($Action eq "Delete") { +if ($Action eq "Delete") { unless ($KeywordID) { push @ErrorStack,$Msg_ModKeywdEmpty; 
@@ -79,9 +79,9 @@ if ($Action eq "Delete") { &EndPage(@ErrorStack); &FetchKeyword($KeywordID); my $KeywordLink = &KeywordLinkByID($KeywordID); - + &DeleteKeyword($KeywordID); # Delete KeywordID from Keyword table - + print "$KeywordLink has been removed from the database.
    \n"; } elsif ($Action eq "Modify") { unless ($KeywordID) { @@ -89,29 +89,29 @@ if ($Action eq "Delete") { } &EndPage(@ErrorStack); -# Deal with name changes +# Deal with name changes - if ($ShortName) { + if ($ShortName) { print "Updating short keyword name.
    \n"; my $KeywordUpdate = $dbh->prepare( "update Keyword set ShortDescription=? where KeywordID=?"); $KeywordUpdate -> execute($ShortName,$KeywordID); } - if ($LongName) { + if ($LongName) { print "Updating long keyword name.
    \n"; my $KeywordUpdate = $dbh->prepare( "update Keyword set LongDescription=? where KeywordID=?"); $KeywordUpdate -> execute($LongName,$KeywordID); } -# Deal with KeywordGroup changes +# Deal with KeywordGroup changes @KeywordGroupIDs = sort numerically @KeywordGroupIDs; # Want to get -1: remove first foreach my $KeywordGroupID (@KeywordGroupIDs) { if ($KeywordGroupID == -1) { # Remove existing KeywordGrouping entries my $GroupingDelete = $dbh -> prepare("delete from KeywordGrouping where KeywordID=?"); $GroupingDelete -> execute($KeywordID); - } elsif ($KeywordGroupID) { + } elsif ($KeywordGroupID) { my $GroupingSelect = $dbh -> prepare( "select KeywordGroupingID from KeywordGrouping where KeywordID=? and KeywordGroupID=?"); $GroupingSelect -> execute($KeywordID,$KeywordGroupID); @@ -130,11 +130,11 @@ if ($Action eq "Delete") { print "Adding a new keyword.
    \n"; my $KeywordInsert = $dbh->prepare( - "insert into Keyword (KeywordID, ShortDescription, LongDescription) ". + "insert into Keyword (KeywordID, ShortDescription, LongDescription) ". "values (0,?,?)"); my $KeywordGroupingInsert = $dbh->prepare( - "insert into KeywordGrouping (KeywordGroupingID, KeywordGroupID, KeywordID) ". + "insert into KeywordGrouping (KeywordGroupingID, KeywordGroupID, KeywordID) ". "values (0,?,?)"); $KeywordInsert -> execute($ShortName,$LongName); @@ -142,10 +142,10 @@ if ($Action eq "Delete") { foreach my $KeywordGroupID (@KeywordGroupIDs) { $KeywordGroupingInsert -> execute($KeywordGroupID,$KeywordID); - } + } } else { push @ErrorStack,"No valid action was specified."; -} +} # For modify or new fetch information and display. @@ -158,7 +158,7 @@ if ($Action eq "Modify" || $Action eq "New") { print "Short description: $ShortLink
    \n"; print "Long description: $LongLink
    \n"; print "

    \n"; -} +} print "

    \n"; $keyadminform = "Administer Keywords"; @@ -173,5 +173,5 @@ print "

    \n"; &DocDBNavBar; &DocDBFooter($DBWebMasterEmail,$DBWebMasterName); - + exit; From c24fdadaaaf83f164279f3ca2c6d641c8e7d16d9 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 31 Jul 2013 15:19:31 -0500 Subject: [PATCH 078/163] Need both CGI and CGI::Untaint --- DocDB/cgi/AddFiles | 1 + DocDB/cgi/AuthorAdd | 1 + DocDB/cgi/AuthorAdminister | 1 + DocDB/cgi/ConfirmTalkHint | 1 + DocDB/cgi/DeleteConfirm | 1 + DocDB/cgi/DeleteDocument | 1 + DocDB/cgi/DisplayMeeting | 1 + DocDB/cgi/DocTypeAdminister | 1 + DocDB/cgi/EmailAdminister | 1 + DocDB/cgi/EmailCreate | 1 + DocDB/cgi/GroupAdminister | 1 + DocDB/cgi/InstitutionAdminister | 1 + DocDB/cgi/JournalAdminister | 1 + DocDB/cgi/KeywordGroupAdminister | 1 + DocDB/cgi/KeywordListAdminister | 1 + 15 files changed, 15 insertions(+) diff --git a/DocDB/cgi/AddFiles b/DocDB/cgi/AddFiles index ddba2bf4..dbb84006 100755 --- a/DocDB/cgi/AddFiles +++ b/DocDB/cgi/AddFiles @@ -26,6 +26,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA use Benchmark; +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/AuthorAdd b/DocDB/cgi/AuthorAdd index 5ea8a8d2..ffc06a80 100755 --- a/DocDB/cgi/AuthorAdd +++ b/DocDB/cgi/AuthorAdd @@ -25,6 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/AuthorAdminister b/DocDB/cgi/AuthorAdminister index 55a04f87..404ef4ac 100755 --- a/DocDB/cgi/AuthorAdminister +++ b/DocDB/cgi/AuthorAdminister @@ -27,6 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/ConfirmTalkHint b/DocDB/cgi/ConfirmTalkHint index a9b1e65d..78a6174a 100755 --- a/DocDB/cgi/ConfirmTalkHint +++ b/DocDB/cgi/ConfirmTalkHint 
@@ -25,6 +25,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/DeleteConfirm b/DocDB/cgi/DeleteConfirm index 82f15b44..24cabe89 100755 --- a/DocDB/cgi/DeleteConfirm +++ b/DocDB/cgi/DeleteConfirm @@ -25,6 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/DeleteDocument b/DocDB/cgi/DeleteDocument index 01ea1b31..392adcbf 100755 --- a/DocDB/cgi/DeleteDocument +++ b/DocDB/cgi/DeleteDocument @@ -24,6 +24,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/DisplayMeeting b/DocDB/cgi/DisplayMeeting index d239f6a4..cbaafc15 100755 --- a/DocDB/cgi/DisplayMeeting +++ b/DocDB/cgi/DisplayMeeting @@ -26,6 +26,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA use Benchmark; +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/DocTypeAdminister b/DocDB/cgi/DocTypeAdminister index b1e44679..e5a0896b 100755 --- a/DocDB/cgi/DocTypeAdminister +++ b/DocDB/cgi/DocTypeAdminister @@ -25,6 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/EmailAdminister b/DocDB/cgi/EmailAdminister index 4abad034..abedec20 100755 --- a/DocDB/cgi/EmailAdminister +++ b/DocDB/cgi/EmailAdminister @@ -29,6 +29,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/EmailCreate b/DocDB/cgi/EmailCreate index 2afe657e..4b734e19 100755 --- a/DocDB/cgi/EmailCreate +++ b/DocDB/cgi/EmailCreate 
@@ -23,6 +23,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/GroupAdminister b/DocDB/cgi/GroupAdminister index dde15cbd..da3335fb 100755 --- a/DocDB/cgi/GroupAdminister +++ b/DocDB/cgi/GroupAdminister @@ -26,6 +26,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/InstitutionAdminister b/DocDB/cgi/InstitutionAdminister index 02f05011..b78d56bb 100755 --- a/DocDB/cgi/InstitutionAdminister +++ b/DocDB/cgi/InstitutionAdminister @@ -25,6 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/JournalAdminister b/DocDB/cgi/JournalAdminister index b19936c5..8fa56d59 100755 --- a/DocDB/cgi/JournalAdminister +++ b/DocDB/cgi/JournalAdminister @@ -24,6 +24,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/KeywordGroupAdminister b/DocDB/cgi/KeywordGroupAdminister index 321f9d32..38ddfecd 100755 --- a/DocDB/cgi/KeywordGroupAdminister +++ b/DocDB/cgi/KeywordGroupAdminister @@ -25,6 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; diff --git a/DocDB/cgi/KeywordListAdminister b/DocDB/cgi/KeywordListAdminister index 0ef831a5..fee0b9ac 100755 --- a/DocDB/cgi/KeywordListAdminister +++ b/DocDB/cgi/KeywordListAdminister @@ -26,6 +26,7 @@ # FIXME: Check for no groups, warn # FIXME: Check for duplicate keyword, warn +use CGI; use CGI::Untaint; use DBI; 
From 3861cde7b6e0b6a4d818a86c9a0e56900d78f055 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 31 Jul 2013 15:20:22 -0500 Subject: [PATCH 079/163] Need both CGI and CGI::Untaint --- DocDB/cgi/DocDBInstructions | 1 + 1 file changed, 1 insertion(+) diff --git a/DocDB/cgi/DocDBInstructions b/DocDB/cgi/DocDBInstructions index cbc44330..7bca007e 100755 --- a/DocDB/cgi/DocDBInstructions +++ b/DocDB/cgi/DocDBInstructions @@ -25,6 +25,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +use CGI; use CGI::Untaint; use DBI; From 5b175d00fc2655d7734e846434f1701c815d8422 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 31 Jul 2013 16:24:37 -0500 Subject: [PATCH 080/163] Fix instructions --- DocDB/cgi/DocDBInstructions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DocDB/cgi/DocDBInstructions b/DocDB/cgi/DocDBInstructions index 7bca007e..c298303c 100755 --- a/DocDB/cgi/DocDBInstructions +++ b/DocDB/cgi/DocDBInstructions @@ -43,7 +43,7 @@ $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass); my $Untaint = CGI::Untaint -> new($query -> Vars); -my $InstructionSet = $Untaint -> extract(-as_printable => "general") || ""; +my $InstructionSet = $Untaint -> extract(-as_printable => "set") || "general"; # Title From fab40b02bb07449d919be9007613fca092d175e7 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 31 Jul 2013 16:39:47 -0500 Subject: [PATCH 081/163] Fix selects for Institution and doctype, ListBy for DocType --- DocDB/cgi/DocTypeHTML.pm | 42 ++++++++++++++++++++------------------- DocDB/cgi/FormElements.pm | 6 ++++-- DocDB/cgi/ListBy | 6 ++++-- 3 files changed, 30 insertions(+), 24 deletions(-) diff --git a/DocDB/cgi/DocTypeHTML.pm b/DocDB/cgi/DocTypeHTML.pm index 312e7355..8f2c3ec3 100644 --- a/DocDB/cgi/DocTypeHTML.pm +++ b/DocDB/cgi/DocTypeHTML.pm 
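Review bot: `$InstructionSet` now comes straight from the `set` parameter and `-as_printable` only rejects non-printable characters, so any printable string reaches whatever selects the instruction set further down (outside this hunk). If that value picks a file, a hash key or is echoed into the page, it should be checked against the names the script actually knows and fall back to `"general"` otherwise, rather than relying on printability alone. The fix itself is correct: the old line extracted a parameter literally named `general`, so the real choice was never read.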
@@ -1,17 +1,17 @@ -# +# # Name: DocTypeHTML.pm -# Description: Routines with form elements and other HTML generating +# Description: Routines with form elements and other HTML generating # code pertaining to DocumentTypes. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: Eric Vaandering (ewv@fnal.gov) # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, 
@@ -30,48 +30,50 @@ sub DocTypeSelect (;%) { # Scrolling selectable list for doc type search my $Format = exists $ArgRef->{-format} ? $ArgRef->{-format} : "full"; # my $HelpLink = exists $ArgRef->{-helplink} ? $ArgRef->{-helplink} : ""; # my $HelpText = exists $ArgRef->{-helptext} ? $ArgRef->{-helptext} : " my (%Params) = @_; - + my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } - + } + my %DocTypeLabels = (); foreach my $DocTypeID (keys %DocumentTypes) { + my $LongName = SmartHTML({-text => $DocumentTypes{$DocTypeID}{LONG}},); + my $ShortName = SmartHTML({-text => $DocumentTypes{$DocTypeID}{SHORT}},); if ($Format eq "short") { - $DocTypeLabels{$DocTypeID} = "$DocumentTypes{$DocTypeID}{SHORT}"; + $DocTypeLabels{$DocTypeID} = $ShortName; } elsif ($Format eq "full") { - $DocTypeLabels{$DocTypeID} = "$DocumentTypes{$DocTypeID}{SHORT} [$DocumentTypes{$DocTypeID}{LONG}]"; + $DocTypeLabels{$DocTypeID} = "$ShortName [$LongName]"; } - } - print FormElementTitle(-helplink => "doctype", -helptext => "Document type"); - print $query -> scrolling_list(-size => 10, -name => "doctype", -multiple => $Multiple, + } + print FormElementTitle(-helplink => "doctype", -helptext => "Document type"); + print $query -> scrolling_list(-size => 10, -name => "doctype", -multiple => $Multiple, -values => \%DocTypeLabels, $Booleans); }; sub DocTypeEntryBox (;%) { my (%Params) = @_; - + my $Disabled = $Params{-disabled} || "0"; - + my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } - + } + print "\n"; print "\n"; print "\n"; print "\n"; diff --git a/DocDB/cgi/FormElements.pm b/DocDB/cgi/FormElements.pm index ee4e959f..78f13fea 100644 --- a/DocDB/cgi/FormElements.pm +++ b/DocDB/cgi/FormElements.pm 
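Review bot: The SmartHTML-escaped labels built in the new `$LongName`/`$ShortName` lines are handed to `$query -> scrolling_list`, and CGI.pm escapes option labels itself when autoEscape is on (its default), so a type name containing `&` or `<` will show the entity text literally in any caller that has not set `$query -> autoEscape(0)`; DeleteDocument in patch 083 does set it, which suggests the setting varies per script. Either let CGI.pm do the escaping for form helpers and keep SmartHTML for hand-built HTML, or escape once and state the expectation above the loop, e.g. `# labels are pre-escaped by SmartHTML; caller must run with autoEscape(0)`. The same pattern is introduced in InstitutionSelect (FormElements.pm, next hunk), JournalSelect (JournalHTML.pm, patch 084) and SecurityScroll (SecurityHTML.pm, patch 085), where the added label line is additionally preceded by a duplicate `SmartHTML(...)` call in void context that can be dropped. The start of DocTypeSelect is outside this hunk.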
@@ -215,10 +215,12 @@ sub InstitutionSelect (;%) { # Scrolling selectable list for institutions my @InstIDs = sort byInstitution keys %Institutions; my %InstLabels = (); foreach my $ID (@InstIDs) { + my $LongName = SmartHTML({-text => $Institutions{$ID}{LONG}},); + my $ShortName = SmartHTML({-text => $Institutions{$ID}{SHORT}},); if ($Mode eq "full") { - $InstLabels{$ID} = $Institutions{$ID}{SHORT}." [".$Institutions{$ID}{LONG}."]"; + $InstLabels{$ID} = $ShortName." [".$LongName."]"; } else { - $InstLabels{$ID} = $Institutions{$ID}{SHORT}; + $InstLabels{$ID} = $ShortName; } } if ($Disabled) { diff --git a/DocDB/cgi/ListBy b/DocDB/cgi/ListBy index 2a67c14d..52a68ec4 100755 --- a/DocDB/cgi/ListBy +++ b/DocDB/cgi/ListBy @@ -196,8 +196,10 @@ if ($Days) { FetchDocType ($TypeID); $FieldListOptions{-doctypeid} = $TypeID; $Title = "Document List by Type"; - $Message = "These documents of type - $DocumentTypes{$TypeID}{SHORT} are available:"; + + $Message = "These documents of type "; + $Message .= SmartHTML({-text => $DocumentTypes{$TypeID}{SHORT},}); + $Message .= " are available:"; $List = $dbh -> prepare("select DISTINCT(DocumentRevision.DocumentID) from ". "DocumentRevision where DocumentRevision.DocTypeID=?"); From 288f1a1ff076017dfe158847ffe4926ebe9cc52d Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Wed, 31 Jul 2013 16:50:18 -0500 Subject: [PATCH 082/163] Try to fix institution --- DocDB/cgi/InstitutionAdminister | 1 + 1 file changed, 1 insertion(+) diff --git a/DocDB/cgi/InstitutionAdminister b/DocDB/cgi/InstitutionAdminister index b78d56bb..d2c5ea3c 100755 --- a/DocDB/cgi/InstitutionAdminister +++ b/DocDB/cgi/InstitutionAdminister @@ -33,6 +33,7 @@ require "DocDBGlobals.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "AuthorSQL.pm"; require "AuthorHTML.pm"; require "Messages.pm"; From daa6a2e978abfa71ed5478c7603e018003662e68 Mon Sep 17 00:00:00 2001 
From: Eric Vaandering Date: Wed, 31 Jul 2013 16:56:44 -0500 Subject: [PATCH 083/163] Add UntaintInput to each script --- DocDB/cgi/AddFiles | 1 + DocDB/cgi/AdministerForm | 1 + DocDB/cgi/AuthorAdd | 1 + DocDB/cgi/AuthorAdminister | 1 + DocDB/cgi/BulkCertificateInsert | 1 + DocDB/cgi/ConfirmTalkHint | 1 + DocDB/cgi/CustomListForm | 1 + DocDB/cgi/DeleteConfirm | 1 + DocDB/cgi/DeleteDocument | 1 + DocDB/cgi/DisplayMeeting | 1 + DocDB/cgi/DocDBInstructions | 1 + DocDB/cgi/DocTypeAdminister | 1 + DocDB/cgi/EditTalkInfo | 1 + DocDB/cgi/EmailAdminister | 1 + DocDB/cgi/EmailAdministerForm | 1 + DocDB/cgi/EmailCreate | 1 + DocDB/cgi/EventAdministerForm | 1 + DocDB/cgi/ExternalDocDBAdministerForm | 1 + DocDB/cgi/GroupAdminister | 1 + DocDB/cgi/JournalAdminister | 1 + DocDB/cgi/KeywordGroupAdminister | 1 + DocDB/cgi/KeywordListAdminister | 1 + DocDB/cgi/ListBy | 1 + 23 files changed, 23 insertions(+) diff --git a/DocDB/cgi/AddFiles b/DocDB/cgi/AddFiles index dbb84006..437235f3 100755 --- a/DocDB/cgi/AddFiles +++ b/DocDB/cgi/AddFiles @@ -41,6 +41,7 @@ require "MiscSQL.pm"; require "FSUtilities.pm"; require "WebUtilities.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "FileUtilities.pm"; require "Security.pm"; diff --git a/DocDB/cgi/AdministerForm b/DocDB/cgi/AdministerForm index b0efae94..f9f53a83 100755 --- a/DocDB/cgi/AdministerForm +++ b/DocDB/cgi/AdministerForm @@ -49,6 +49,7 @@ require "MiscSQL.pm"; require "ResponseElements.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "Sorts.pm"; $query = new CGI; # Global for subroutines diff --git a/DocDB/cgi/AuthorAdd b/DocDB/cgi/AuthorAdd index ffc06a80..35888586 100755 --- a/DocDB/cgi/AuthorAdd +++ b/DocDB/cgi/AuthorAdd 
@@ -34,6 +34,7 @@ require "ResponseElements.pm"; require "SecuritySQL.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; $query = new CGI; # Global for subroutines $dbh = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass); diff --git a/DocDB/cgi/AuthorAdminister b/DocDB/cgi/AuthorAdminister index 404ef4ac..b61036a0 100755 --- a/DocDB/cgi/AuthorAdminister +++ b/DocDB/cgi/AuthorAdminister @@ -35,6 +35,7 @@ require "DocDBGlobals.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "AuthorSQL.pm"; require "Messages.pm"; diff --git a/DocDB/cgi/BulkCertificateInsert b/DocDB/cgi/BulkCertificateInsert index 85f2c8f7..69958624 100755 --- a/DocDB/cgi/BulkCertificateInsert +++ b/DocDB/cgi/BulkCertificateInsert @@ -36,6 +36,7 @@ require "Messages.pm"; require "DBUtilities.pm"; require "DBColumnSizes.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "SecuritySQL.pm"; require "SecurityHTML.pm"; diff --git a/DocDB/cgi/ConfirmTalkHint b/DocDB/cgi/ConfirmTalkHint index 78a6174a..5040d4cc 100755 --- a/DocDB/cgi/ConfirmTalkHint +++ b/DocDB/cgi/ConfirmTalkHint @@ -42,6 +42,7 @@ require "MeetingSecurityUtilities.pm"; require "FSUtilities.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "Security.pm"; require "SQLChecks.pm"; diff --git a/DocDB/cgi/CustomListForm b/DocDB/cgi/CustomListForm index 349b58cd..e37afa3f 100755 --- a/DocDB/cgi/CustomListForm +++ b/DocDB/cgi/CustomListForm @@ -43,6 +43,7 @@ require "DocDBFields.pm"; require "DBUtilities.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "MeetingSecurityUtilities.pm"; require "ConfigSQL.pm"; diff --git a/DocDB/cgi/DeleteConfirm b/DocDB/cgi/DeleteConfirm index 24cabe89..377e570c 100755 --- a/DocDB/cgi/DeleteConfirm +++ b/DocDB/cgi/DeleteConfirm 
@@ -37,6 +37,7 @@ require "DocumentSQL.pm"; require "RevisionSQL.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "AdministerElements.pm"; require "Security.pm"; diff --git a/DocDB/cgi/DeleteDocument b/DocDB/cgi/DeleteDocument index 392adcbf..ccaa6556 100755 --- a/DocDB/cgi/DeleteDocument +++ b/DocDB/cgi/DeleteDocument @@ -33,6 +33,7 @@ require "ResponseElements.pm"; require "Security.pm"; require "FSUtilities.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; $query = new CGI; # Global for subroutines $query -> autoEscape(0); diff --git a/DocDB/cgi/DisplayMeeting b/DocDB/cgi/DisplayMeeting index cbaafc15..91b75411 100755 --- a/DocDB/cgi/DisplayMeeting +++ b/DocDB/cgi/DisplayMeeting @@ -36,6 +36,7 @@ require "DocDBGlobals.pm"; require "Messages.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "ResponseElements.pm"; require "Sorts.pm"; require "Scripts.pm"; diff --git a/DocDB/cgi/DocDBInstructions b/DocDB/cgi/DocDBInstructions index c298303c..780d1667 100755 --- a/DocDB/cgi/DocDBInstructions +++ b/DocDB/cgi/DocDBInstructions @@ -31,6 +31,7 @@ use DBI; require "DocDBGlobals.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "Messages.pm"; require "SecuritySQL.pm"; require "Security.pm"; diff --git a/DocDB/cgi/DocTypeAdminister b/DocDB/cgi/DocTypeAdminister index e5a0896b..ee27234d 100755 --- a/DocDB/cgi/DocTypeAdminister +++ b/DocDB/cgi/DocTypeAdminister @@ -33,6 +33,7 @@ require "DocDBGlobals.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "MiscSQL.pm"; require "DocTypeHTML.pm"; require "Messages.pm"; diff --git a/DocDB/cgi/EditTalkInfo b/DocDB/cgi/EditTalkInfo index a80b955e..04f01b5b 100755 --- a/DocDB/cgi/EditTalkInfo +++ b/DocDB/cgi/EditTalkInfo 
@@ -37,6 +37,7 @@ require "ResponseElements.pm"; require "Security.pm"; require "MeetingSecurityUtilities.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "DBUtilities.pm"; require "TalkSQL.pm"; diff --git a/DocDB/cgi/EmailAdminister b/DocDB/cgi/EmailAdminister index abedec20..e89a3fc4 100755 --- a/DocDB/cgi/EmailAdminister +++ b/DocDB/cgi/EmailAdminister @@ -37,6 +37,7 @@ require "DocDBGlobals.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "SecuritySQL.pm"; require "NotificationSQL.pm"; require "Messages.pm"; diff --git a/DocDB/cgi/EmailAdministerForm b/DocDB/cgi/EmailAdministerForm index 40e20641..f7a250df 100755 --- a/DocDB/cgi/EmailAdministerForm +++ b/DocDB/cgi/EmailAdministerForm @@ -36,6 +36,7 @@ require "Scripts.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "AdministerElements.pm"; require "EmailUserHTML.pm"; require "SecurityHTML.pm"; diff --git a/DocDB/cgi/EmailCreate b/DocDB/cgi/EmailCreate index 4b734e19..455bf4de 100755 --- a/DocDB/cgi/EmailCreate +++ b/DocDB/cgi/EmailCreate @@ -29,6 +29,7 @@ use DBI; require "DocDBGlobals.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "ResponseElements.pm"; $query = new CGI; # Global for subroutines diff --git a/DocDB/cgi/EventAdministerForm b/DocDB/cgi/EventAdministerForm index 4d75f404..71dd3300 100755 --- a/DocDB/cgi/EventAdministerForm +++ b/DocDB/cgi/EventAdministerForm @@ -41,6 +41,7 @@ require "Sorts.pm"; require "DBUtilities.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "MeetingSQL.pm"; require "SecuritySQL.pm"; diff --git a/DocDB/cgi/ExternalDocDBAdministerForm b/DocDB/cgi/ExternalDocDBAdministerForm index 5921f581..18570955 100755 --- a/DocDB/cgi/ExternalDocDBAdministerForm +++ b/DocDB/cgi/ExternalDocDBAdministerForm 
@@ -39,6 +39,7 @@ require "Sorts.pm"; require "DBUtilities.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "SecuritySQL.pm"; require "XRefHTML.pm"; diff --git a/DocDB/cgi/GroupAdminister b/DocDB/cgi/GroupAdminister index da3335fb..11fd4e42 100755 --- a/DocDB/cgi/GroupAdminister +++ b/DocDB/cgi/GroupAdminister @@ -34,6 +34,7 @@ require "DocDBGlobals.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "SecuritySQL.pm"; require "GroupHTML.pm"; require "Messages.pm"; diff --git a/DocDB/cgi/JournalAdminister b/DocDB/cgi/JournalAdminister index 8fa56d59..937ff6b6 100755 --- a/DocDB/cgi/JournalAdminister +++ b/DocDB/cgi/JournalAdminister @@ -32,6 +32,7 @@ require "DocDBGlobals.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "MiscSQL.pm"; require "JournalHTML.pm"; require "Messages.pm"; diff --git a/DocDB/cgi/KeywordGroupAdminister b/DocDB/cgi/KeywordGroupAdminister index 38ddfecd..bfb38b2c 100755 --- a/DocDB/cgi/KeywordGroupAdminister +++ b/DocDB/cgi/KeywordGroupAdminister @@ -33,6 +33,7 @@ require "DocDBGlobals.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "KeywordSQL.pm"; require "KeywordHTML.pm"; require "Messages.pm"; diff --git a/DocDB/cgi/KeywordListAdminister b/DocDB/cgi/KeywordListAdminister index fee0b9ac..dae6381d 100755 --- a/DocDB/cgi/KeywordListAdminister +++ b/DocDB/cgi/KeywordListAdminister @@ -35,6 +35,7 @@ require "Sorts.pm"; require "ResponseElements.pm"; require "Security.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "KeywordHTML.pm"; require "KeywordSQL.pm"; require "Messages.pm"; diff --git a/DocDB/cgi/ListBy b/DocDB/cgi/ListBy index 52a68ec4..3c27e62f 100755 --- a/DocDB/cgi/ListBy +++ b/DocDB/cgi/ListBy 
@@ -35,6 +35,7 @@ require "DocDBGlobals.pm"; require "DocumentHTML.pm"; require "SecuritySQL.pm"; require "HTMLUtilities.pm"; +require "UntaintInput.pm"; require "DocumentUtilities.pm"; $query = new CGI; # Global for subroutines From 11fbf82b91fa89cb0bc73fe5d8701eb3da291440 Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Thu, 1 Aug 2013 11:35:44 -0500 Subject: [PATCH 084/163] Fix checkboxes on AddFiles, use SafeHTML in journals --- DocDB/cgi/AddFiles | 4 +-- DocDB/cgi/JournalHTML.pm | 74 +++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 38 deletions(-) diff --git a/DocDB/cgi/AddFiles b/DocDB/cgi/AddFiles index 437235f3..b2355f43 100755 --- a/DocDB/cgi/AddFiles +++ b/DocDB/cgi/AddFiles @@ -79,8 +79,8 @@ my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0; my $Version = $Untaint -> extract(-as_integer => "version") || 0; my $Replace = $Untaint -> extract(-as_printable => "replace") || ""; my $MaxFiles = $Untaint -> extract(-as_integer => "maxfiles") || 0; -my $Replace = $Untaint -> extract(-as_printable => "submitagree") || ""; -my $Replace = $Untaint -> extract(-as_printable => "preservesigs") || ""; +my $SubmitAgree = $Untaint -> extract(-as_printable => "submitagree") || ""; +my $PreserveSigs = $Untaint -> extract(-as_printable => "preservesigs") || ""; my $DocRevID; diff --git a/DocDB/cgi/JournalHTML.pm b/DocDB/cgi/JournalHTML.pm index 9f4513e6..673abf64 100644 --- a/DocDB/cgi/JournalHTML.pm +++ b/DocDB/cgi/JournalHTML.pm 
@@ -1,16 +1,16 @@ # -# Description: Routines with form elements and other HTML generating +# Description: Routines with form elements and other HTML generating # code pertaining to Journals and References. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -22,69 +22,71 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +require "HTMLUtilities.pm"; + sub JournalSelect (;%) { my (%Params) = @_; - + my $Disabled = $Params{-disabled} || "0"; my $Mode = $Params{-format} || "0"; - + my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } - + } + my @JournalIDs = keys %Journals; my %JournalLabels = (); foreach my $ID (@JournalIDs) { - $JournalLabels{$ID} = $Journals{$ID}{Abbreviation}; + $JournalLabels{$ID} = SmartHTML({-text => $Journals{$ID}{Abbreviation}},); } @JournalIDs = sort @JournalIDs; #FIXME Sort by abbreviation print FormElementTitle(-helplink => "journal", -helptext => "Journal"); - print $query -> scrolling_list(-name => "journal", -values => \@JournalIDs, - -labels => \%JournalLabels, -size => 10, + print $query -> scrolling_list(-name => "journal", -values => \@JournalIDs, + -labels => \%JournalLabels, -size => 10, -default => $JournalDefault, $Booleans); } sub JournalEntryBox (;%) { my (%Params) = @_; - + my $Disabled = $Params{-disabled} || "0"; my $Mode = $Params{-format} || "0"; - + my $Booleans = ""; - + if ($Disabled) { $Booleans .= "-disabled"; - } + } print "
    \n"; print FormElementTitle(-helplink => "doctypeentry", -helptext => "Short Description"); - print $query -> textfield (-name => 'name', + print $query -> textfield (-name => 'name', -size => 20, -maxlength => 32, $Booleans); print "
    \n"; print FormElementTitle(-helplink => "doctypeentry", -helptext => "Long Description"); - print $query -> textfield (-name => 'longdesc', + print $query -> textfield (-name => 'longdesc', -size => 40, -maxlength => 255, $Booleans); print "
    \n"; print "\n"; print "\n"; print "\n"; print "\n"; print "\n"; print "
    \n"; print FormElementTitle(-helplink => "journalentry", -helptext => "Full Name"); - print $query -> textfield (-name => 'name', + print $query -> textfield (-name => 'name', -size => 40, -maxlength => 128, $Booleans); print "\n"; print FormElementTitle(-helplink => "journalentry", -helptext => "Publisher"); - print $query -> textfield (-name => 'pub', + print $query -> textfield (-name => 'pub', -size => 40, -maxlength => 64, $Booleans); print "
    \n"; print FormElementTitle(-helplink => "journalentry", -helptext => "Abbreviation"); - print $query -> textfield (-name => 'abbr', + print $query -> textfield (-name => 'abbr', -size => 40, -maxlength => 64, $Booleans); print "\n"; print FormElementTitle(-helplink => "journalentry", -helptext => "URL"); - print $query -> textfield (-name => 'url', + print $query -> textfield (-name => 'url', -size => 40, -maxlength => 240, $Booleans); print "
    \n"; print FormElementTitle(-helplink => "journalentry", -helptext => "Acronym"); - print $query -> textfield (-name => 'acronym', + print $query -> textfield (-name => 'acronym', -size => 8, -maxlength => 8, $Booleans); print "
    \n"; @@ -107,11 +109,11 @@ sub JournalTable (;$) { my @JournalIDs = sort keys %Journals; #FIXME Sort by abbreviation foreach my $ID (@JournalIDs) { print "\n"; - print "$Journals{$ID}{Name}\n"; - print "$Journals{$ID}{Abbreviation}\n"; - print "$Journals{$ID}{Acronym}\n"; - print "$Journals{$ID}{Publisher}\n"; - print "$Journals{$ID}{URL}\n"; + print "".SmartHTML({-text => $Journals{$ID}{Name}},)."\n"; + print "".SmartHTML({-text => $Journals{$ID}{Abbreviation}},)."\n"; + print "".SmartHTML({-text => $Journals{$ID}{Acronym}},)."\n"; + print "".SmartHTML({-text => $Journals{$ID}{Publisher}},)."\n"; + print "".SmartHTML({-text => $Journals{$ID}{URL}, -makeURLs => $TRUE},)."\n"; print "\n"; } print "\n"; @@ -119,7 +121,7 @@ sub JournalTable (;$) { sub ReferenceForm { require "MiscSQL.pm"; - + GetJournals(); my @JournalIDs = keys %Journals; @@ -129,33 +131,33 @@ sub ReferenceForm { } @JournalIDs = sort @JournalIDs; #FIXME Sort by acronym unshift @JournalIDs,0; $JournalLabels{0} = "----"; # Null Journal - my $ElementTitle = FormElementTitle(-helplink => "reference", + my $ElementTitle = FormElementTitle(-helplink => "reference", -helptext => "Journal References"); - print $ElementTitle,"\n"; + print $ElementTitle,"\n"; my @ReferenceIDs = (@ReferenceDefaults,0); - + print "\n"; - foreach my $ReferenceID (@ReferenceIDs) { + foreach my $ReferenceID (@ReferenceIDs) { print "\n"; my $JournalDefault = $RevisionReferences{$ReferenceID}{JournalID}; my $VolumeDefault = $RevisionReferences{$ReferenceID}{Volume} ; my $PageDefault = $RevisionReferences{$ReferenceID}{Page} ; print ""; print ""; print "\n"; + print "\n"; } print "
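Review bot: The URL column is now rendered with `SmartHTML({-text => $Journals{$ID}{URL}, -makeURLs => $TRUE},)`, which turns the stored journal URL into a link, but nothing in this hunk shows whether SmartHTML limits linkification to http(s); the value is whatever an administrator typed into the `url` field of JournalEntryBox (any string up to 240 characters in the form). It is worth confirming in HTMLUtilities.pm that only http(s) targets become anchors and then recording that on this line, e.g. `# -makeURLs: SmartHTML anchors only http(s) URLs`. The other four columns are escaped without linkification, which is the right default for free text.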
    Journal: \n"; - print $query -> popup_menu(-name => "journal", -values => \@JournalIDs, + print $query -> popup_menu(-name => "journal", -values => \@JournalIDs, -labels => \%JournalLabels, -default => $JournalDefault); print "Volume: \n"; - print $query -> textfield (-name => 'volume', - -size => 8, -maxlength => 8, + print $query -> textfield (-name => 'volume', + -size => 8, -maxlength => 8, -default => $VolumeDefault); print "Page: \n"; - print $query -> textfield (-name => 'page', - -size => 8, -maxlength => 16, + print $query -> textfield (-name => 'page', + -size => 8, -maxlength => 16, -default => $PageDefault); - print "
    \n"; } From 956ae7d61a8c8f69901ee6b93dcc2696e4d0fceb Mon Sep 17 00:00:00 2001 From: Eric Vaandering Date: Thu, 1 Aug 2013 15:14:28 -0500 Subject: [PATCH 085/163] SmartHTML for security group table, selector, and links --- DocDB/cgi/GroupAdministerForm | 25 ++++++++----- DocDB/cgi/SecurityHTML.pm | 69 ++++++++++++++++++----------------- 2 files changed, 51 insertions(+), 43 deletions(-) diff --git a/DocDB/cgi/GroupAdministerForm b/DocDB/cgi/GroupAdministerForm index bf216923..e04983ef 100755 --- a/DocDB/cgi/GroupAdministerForm +++ b/DocDB/cgi/GroupAdministerForm @@ -1,17 +1,17 @@ #! /usr/bin/env perl # -# Description: This script provides a form to administer groups in +# Description: This script provides a form to administer groups in # the DocDB and shows the relationships between groups. # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -23,7 +23,7 @@ # along with DocDB; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -use CGI qw(-nosticky); +use CGI qw(-nosticky); use DBI; require "DocDBGlobals.pm"; @@ -46,7 +46,7 @@ $dbh = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass GetSecurityGroups(); print $query -> header( -charset => $HTTP_ENCODING ); -DocDBHeader("Group Administration","",-scripts => ["PopUps","GroupAdminDisable"]); +DocDBHeader("Group Administration","",-scripts => ["PopUps","GroupAdminDisable"]); @ErrorStack = (); @WarnStack = (); 
@@ -92,14 +92,14 @@ print "\n"; print "\n"; print ''; -SecurityScroll(-name => 'parent', -disabled => $TRUE, +SecurityScroll(-name => 'parent', -disabled => $TRUE, -helplink => 'parent', -helptext => 'Group'); -print "\n"; +print "\n"; print ''; SecurityScroll(-name => 'child', -disabled => $TRUE, -multiple => $TRUE, -helplink => 'child', -helptext => 'Subordinates'); print "
    \n"; -print $query -> checkbox(-name => "removesubs", -value => 'removesubs', +print $query -> checkbox(-name => "removesubs", -value => 'removesubs', -label => '', -disabled => 'disabled'); print "Remove all"; print "\n"; @@ -132,7 +132,12 @@ my @GroupIDs = sort numerically keys %SecurityGroups; print ''; foreach my $GroupID (@GroupIDs) { print "\n"; - print "\n"; + print "\n"; print "\n"; print "\n"; -} +} print "
    $SecurityGroups{$GroupID}{NAME}
    ($SecurityGroups{$GroupID}{Description})
    "; + print SmartHTML({-text => $SecurityGroups{$GroupID}{NAME}},); + $SecurityGroups{$GroupID}{NAME} + print "
    ("; + print SmartHTML({-text => $SecurityGroups{$GroupID}{Description}},); + print ")
    \n"; print "Dominant groups:\n"; PrintGroupParents($GroupID); @@ -146,7 +151,7 @@ foreach my $GroupID (@GroupIDs) { PrintGroupPermissions($GroupID); print "
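Review bot: The bare line `$SecurityGroups{$GroupID}{NAME}` sitting between `print SmartHTML({-text => $SecurityGroups{$GroupID}{NAME}},);` and the `print` that opens the parenthesised description is not a statement and has no terminator, so unless it is an artifact of how this patch was rendered the script will fail to compile at the `print` that follows it; it looks like a leftover from the edit and should be deleted. With that line gone, replacing the interpolated table cell with two escaped prints is the right change. The enclosing `foreach my $GroupID (@GroupIDs)` loop starts before the hunk.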
    \n"; print "


    \n"; diff --git a/DocDB/cgi/SecurityHTML.pm b/DocDB/cgi/SecurityHTML.pm index 9b540913..68843a2e 100644 --- a/DocDB/cgi/SecurityHTML.pm +++ b/DocDB/cgi/SecurityHTML.pm @@ -3,14 +3,14 @@ # Description: Routines which supply HTML and form elements related to security # # Author: Eric Vaandering (ewv@fnal.gov) -# Modified: +# Modified: # Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant # This file is part of DocDB. # DocDB is free software; you can redistribute it and/or modify -# it under the terms of version 2 of the GNU General Public License +# it under the terms of version 2 of the GNU General Public License # as published by the Free Software Foundation. # DocDB is distributed in the hope that it will be useful, @@ -27,13 +27,14 @@ sub SecurityScroll (%) { require "Sorts.pm"; require "Scripts.pm"; require "FormElements.pm"; - + require "HTMLUtilities.pm"; + my (%Params) = @_; - + my $AddPublic = $Params{-addpublic} || $FALSE; my $HelpLink = $Params{-helplink} || ""; my $HelpText = $Params{-helptext} || "Groups"; - my $Multiple = $Params{-multiple}; + my $Multiple = $Params{-multiple}; my $Name = $Params{-name} || "groups"; my $Format = $Params{-format} || "short"; my $Size = $Params{-size} || 10; 
@@ -42,55 +43,56 @@ sub SecurityScroll (%) { my @Default = @{$Params{-default}}; my %Options = (); - + if ($Disabled) { $Options{-disabled} = "disabled"; - } + } &GetSecurityGroups; - + unless (@GroupIDs) { @GroupIDs = keys %SecurityGroups; } - + my %GroupLabels = (); foreach my $GroupID (@GroupIDs) { - $GroupLabels{$GroupID} = $SecurityGroups{$GroupID}{NAME}; + SmartHTML({-text => $SecurityGroups{$GroupID}{NAME}},); + $GroupLabels{$GroupID} = SmartHTML({-text => $SecurityGroups{$GroupID}{NAME}},); if ($Format eq "full") { - $GroupLabels{$GroupID} .= " [".$SecurityGroups{$GroupID}{Description}."]"; + $GroupLabels{$GroupID} .= " [".SmartHTML({-text => $SecurityGroups{$GroupID}{Description}},)."]"; } - } - + } + if ($AddPublic) { # Add dummy security code for "Public" - my $ID = 0; - push @GroupIDs,$ID; + my $ID = 0; + push @GroupIDs,$ID; $GroupLabels{$ID} = "Public"; } - + @GroupIDs = sort numerically @GroupIDs; - if ($HelpLink) { + if ($HelpLink) { my $BoxTitle = &FormElementTitle(-helplink => $HelpLink, -helptext => $HelpText); print $BoxTitle; } - - print $query -> scrolling_list(-name => $Name, -values => \@GroupIDs, - -labels => \%GroupLabels, + + print $query -> scrolling_list(-name => $Name, -values => \@GroupIDs, + -labels => \%GroupLabels, -size => $Size, -multiple => $Multiple, -default => \@Default, %Options); }; sub SecurityListByID { my (@GroupIDs) = @_; - + print "
    \n"; if ($EnhancedSecurity) { print "Viewable by:
    \n"; - } else { + } else { print "Accessible by:
    \n"; - } - + } + print "