instiki/app/controllers/application.rb
Jacques Distler 5d15e3f39d Security: Instiki 0.16.2
On Webs with file uploads enabled, uploaded files were stored
(in version 0.16.1 and earlier) in the public/ directory.

This was a security threat. A miscreant could upload a .html file.
When a user clicked on the link to the file, it was opened (unsanitized)
in the browser.

As of version 0.16.2, uploaded files are stored in the webs/
directory. Now, when the user clicks on the link, the file is sent
with the

    Content-Disposition: attachment

header set, which causes the file to be downloaded, rather than opened
in the browser. As always, files downloaded from the internets should be
treated with caution. At least, this way, they are not aoutomatically 
opened in the browser.

To move your existing uploaded files to the new location, do a

     rake upgrade_instiki
2009-01-26 00:21:30 -06:00

253 lines
7.3 KiB
Ruby

# The filters added to this controller will be run for all controllers in the application.
# Likewise will all the methods added be available for all controllers.
class ApplicationController < ActionController::Base
# require 'dnsbl_check'
protect_forms_from_spam
before_filter :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag
after_filter :remember_location, :teardown_url_generator
# For injecting a different wiki model implementation. Intended for use in tests
def self.wiki=(the_wiki)
# a global variable is used here because Rails reloads controller and model classes in the
# development environment; therefore, storing it as a class variable does not work
# class variable is, anyway, not much different from a global variable
#$instiki_wiki_service = the_wiki
logger.debug("Wiki service: #{the_wiki.to_s}")
end
def self.wiki
Wiki.new
end
protected
def check_authorization
if in_a_web? and authorization_needed? and not authorized?
redirect_to :controller => 'wiki', :action => 'login', :web => @web_name
return false
end
end
def connect_to_model
@action_name = params['action'] || 'index'
@web_name = params['web']
@wiki = wiki
@author = cookies['author'] || 'AnonymousCoward'
if @web_name
@web = @wiki.webs[@web_name]
if @web.nil?
render(:status => 404, :text => "Unknown web '#{@web_name}'", :layout => 'error')
return false
end
end
end
FILE_TYPES = {
'.exe' => 'application/octet-stream',
'.gif' => 'image/gif',
'.jpg' => 'image/jpeg',
'.pdf' => 'application/pdf',
'.png' => 'image/png',
'.txt' => 'text/plain',
'.tex' => 'text/plain',
'.zip' => 'application/zip'
} unless defined? FILE_TYPES
DISPOSITION = {
'application/octet-stream' => 'attachment',
'image/gif' => 'inline',
'image/jpeg' => 'inline',
'application/pdf' => 'inline',
'image/png' => 'inline',
'text/plain' => 'inline',
'application/zip' => 'attachment'
} unless defined? DISPOSITION
def determine_file_options_for(file_name, original_options = {})
original_options[:type] ||= (FILE_TYPES[File.extname(file_name)] or 'application/octet-stream')
original_options[:disposition] ||= (DISPOSITION[original_options[:type]] or 'attachment')
original_options[:stream] ||= false
original_options
end
def send_file(file, options = {})
determine_file_options_for(file, options)
super(file, options)
end
def password_check(password)
if password == @web.password
cookies[CGI.escape(@web_name)] = password
true
else
false
end
end
def password_error(password)
if password.nil? or password.empty?
'Please enter the password.'
else
'You entered a wrong password. Please enter the right one.'
end
end
def redirect_home(web = @web_name)
if web
redirect_to_page('HomePage', web)
else
redirect_to '/'
end
end
def redirect_to_page(page_name = @page_name, web = @web_name)
redirect_to :web => web, :controller => 'wiki', :action => 'show',
:id => (page_name or 'HomePage')
end
def remember_location
if request.method == :get and
response.headers['Status'] == '200 OK' and not \
%w(locked save back file pic import).include?(action_name)
session[:return_to] = request.request_uri
logger.debug "Session ##{session.object_id}: remembered URL '#{session[:return_to]}'"
end
end
def rescue_action_in_public(exception)
if exception.instance_of?(CGI::Session::CookieStore::TamperedWithCookie)
render :text => 'Stale session. Please reload the page.', :status =>500, :layout => 'error'
else
render :status => 500, :text => <<-EOL
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<h2>Internal Error</h2>
<p>An application error occurred while processing your request.</p>
<!-- \n#{exception.to_s.is_utf8? ? exception.to_s.gsub!(/-{2,}/, '- -') : ''}\n#{exception.backtrace.join("\n")}\n -->
</body></html>
EOL
end
end
def return_to_last_remembered
# Forget the redirect location
redirect_target, session[:return_to] = session[:return_to], nil
tried_home, session[:tried_home] = session[:tried_home], false
# then try to redirect to it
if redirect_target.nil?
if tried_home
raise 'Application could not render the index page'
else
logger.debug("Session ##{session.object_id}: no remembered redirect location, trying home")
redirect_home
end
else
logger.debug("Session ##{session.object_id}: " +
"redirect to the last remembered URL #{redirect_target}")
redirect_to(redirect_target)
end
end
public
def set_content_type_header
response.charset = 'utf-8'
if %w(atom_with_content atom_with_headlines).include?(action_name)
response.content_type = Mime::ATOM
elsif %w(tex).include?(action_name)
response.content_type = Mime::TEXT
elsif xhtml_enabled?
if request.user_agent =~ /Validator/ or request.env.include?('HTTP_ACCEPT') &&
Mime::Type.parse(request.env["HTTP_ACCEPT"]).include?(Mime::XHTML)
response.content_type = Mime::XHTML
elsif request.user_agent =~ /MathPlayer/
response.charset = nil
response.content_type = Mime::XHTML
response.extend(MathPlayerHack)
else
response.content_type = Mime::HTML
end
else
response.content_type = Mime::HTML
end
end
def xhtml_enabled?
in_a_web? and (@web.markup == :markdownMML or @web.markup == :markdownPNG or @web.markup == :markdown)
end
protected
def set_robots_metatag
if controller_name == 'wiki' and %w(show published).include? action_name
@robots_metatag_value = 'index,follow'
else
@robots_metatag_value = 'noindex,nofollow'
end
end
def setup_url_generator
PageRenderer.setup_url_generator(UrlGenerator.new(self))
end
def teardown_url_generator
PageRenderer.teardown_url_generator
end
def wiki
self.class.wiki
end
private
def in_a_web?
not @web_name.nil?
end
def authorization_needed?
not %w( login authenticate feeds published atom_with_headlines atom_with_content).include?(action_name)
end
def authorized?
@web.nil? or
@web.password.nil? or
cookies[CGI.escape(@web_name)] == @web.password or
password_check(params['password']) or
(@web.published? and action_name == 's5')
end
end
module Mime
# Fix HTML
#HTML = Type.new "text/html", :html, %w( application/xhtml+xml )
self.class.const_set("HTML", Type.new("text/html", :html) )
# Add XHTML
XHTML = Type.new "application/xhtml+xml", :xhtml
# Fix xhtml and html lookups
LOOKUP["text/html"] = HTML
LOOKUP["application/xhtml+xml"] = XHTML
end
module MathPlayerHack
def charset=(encoding)
self.headers["Content-Type"] = "#{content_type || Mime::HTML}"
end
end
module Instiki
module VERSION #:nodoc:
MAJOR = 0
MINOR = 16
TINY = 2
SUFFIX = '(MML+)'
PRERELEASE = false
if PRERELEASE
STRING = [MAJOR, MINOR].join('.') + PRERELEASE + SUFFIX
else
STRING = [MAJOR, MINOR, TINY].join('.') + SUFFIX
end
end
end