5d15e3f39d
On Webs with file uploads enabled, uploaded files were stored (in version 0.16.1 and earlier) in the public/ directory. This was a security threat. A miscreant could upload a .html file. When a user clicked on the link to the file, it was opened (unsanitized) in the browser. As of version 0.16.2, uploaded files are stored in the webs/ directory. Now, when the user clicks on the link, the file is sent with the Content-Disposition: attachment header set, which causes the file to be downloaded, rather than opened in the browser. As always, files downloaded from the internets should be treated with caution. At least, this way, they are not aoutomatically opened in the browser. To move your existing uploaded files to the new location, do a rake upgrade_instiki
253 lines
7.3 KiB
Ruby
253 lines
7.3 KiB
Ruby
# The filters added to this controller will be run for all controllers in the application.
|
|
# Likewise will all the methods added be available for all controllers.
|
|
class ApplicationController < ActionController::Base
|
|
# require 'dnsbl_check'
|
|
protect_forms_from_spam
|
|
before_filter :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag
|
|
after_filter :remember_location, :teardown_url_generator
|
|
|
|
# For injecting a different wiki model implementation. Intended for use in tests
|
|
def self.wiki=(the_wiki)
|
|
# a global variable is used here because Rails reloads controller and model classes in the
|
|
# development environment; therefore, storing it as a class variable does not work
|
|
# class variable is, anyway, not much different from a global variable
|
|
#$instiki_wiki_service = the_wiki
|
|
logger.debug("Wiki service: #{the_wiki.to_s}")
|
|
end
|
|
|
|
def self.wiki
|
|
Wiki.new
|
|
end
|
|
|
|
protected
|
|
|
|
def check_authorization
|
|
if in_a_web? and authorization_needed? and not authorized?
|
|
redirect_to :controller => 'wiki', :action => 'login', :web => @web_name
|
|
return false
|
|
end
|
|
end
|
|
|
|
def connect_to_model
|
|
@action_name = params['action'] || 'index'
|
|
@web_name = params['web']
|
|
@wiki = wiki
|
|
@author = cookies['author'] || 'AnonymousCoward'
|
|
if @web_name
|
|
@web = @wiki.webs[@web_name]
|
|
if @web.nil?
|
|
render(:status => 404, :text => "Unknown web '#{@web_name}'", :layout => 'error')
|
|
return false
|
|
end
|
|
end
|
|
end
|
|
|
|
FILE_TYPES = {
|
|
'.exe' => 'application/octet-stream',
|
|
'.gif' => 'image/gif',
|
|
'.jpg' => 'image/jpeg',
|
|
'.pdf' => 'application/pdf',
|
|
'.png' => 'image/png',
|
|
'.txt' => 'text/plain',
|
|
'.tex' => 'text/plain',
|
|
'.zip' => 'application/zip'
|
|
} unless defined? FILE_TYPES
|
|
|
|
DISPOSITION = {
|
|
'application/octet-stream' => 'attachment',
|
|
'image/gif' => 'inline',
|
|
'image/jpeg' => 'inline',
|
|
'application/pdf' => 'inline',
|
|
'image/png' => 'inline',
|
|
'text/plain' => 'inline',
|
|
'application/zip' => 'attachment'
|
|
} unless defined? DISPOSITION
|
|
|
|
def determine_file_options_for(file_name, original_options = {})
|
|
original_options[:type] ||= (FILE_TYPES[File.extname(file_name)] or 'application/octet-stream')
|
|
original_options[:disposition] ||= (DISPOSITION[original_options[:type]] or 'attachment')
|
|
original_options[:stream] ||= false
|
|
original_options
|
|
end
|
|
|
|
def send_file(file, options = {})
|
|
determine_file_options_for(file, options)
|
|
super(file, options)
|
|
end
|
|
|
|
def password_check(password)
|
|
if password == @web.password
|
|
cookies[CGI.escape(@web_name)] = password
|
|
true
|
|
else
|
|
false
|
|
end
|
|
end
|
|
|
|
def password_error(password)
|
|
if password.nil? or password.empty?
|
|
'Please enter the password.'
|
|
else
|
|
'You entered a wrong password. Please enter the right one.'
|
|
end
|
|
end
|
|
|
|
def redirect_home(web = @web_name)
|
|
if web
|
|
redirect_to_page('HomePage', web)
|
|
else
|
|
redirect_to '/'
|
|
end
|
|
end
|
|
|
|
def redirect_to_page(page_name = @page_name, web = @web_name)
|
|
redirect_to :web => web, :controller => 'wiki', :action => 'show',
|
|
:id => (page_name or 'HomePage')
|
|
end
|
|
|
|
def remember_location
|
|
if request.method == :get and
|
|
response.headers['Status'] == '200 OK' and not \
|
|
%w(locked save back file pic import).include?(action_name)
|
|
session[:return_to] = request.request_uri
|
|
logger.debug "Session ##{session.object_id}: remembered URL '#{session[:return_to]}'"
|
|
end
|
|
end
|
|
|
|
def rescue_action_in_public(exception)
|
|
if exception.instance_of?(CGI::Session::CookieStore::TamperedWithCookie)
|
|
render :text => 'Stale session. Please reload the page.', :status =>500, :layout => 'error'
|
|
else
|
|
render :status => 500, :text => <<-EOL
|
|
<html xmlns="http://www.w3.org/1999/xhtml"><body>
|
|
<h2>Internal Error</h2>
|
|
<p>An application error occurred while processing your request.</p>
|
|
<!-- \n#{exception.to_s.is_utf8? ? exception.to_s.gsub!(/-{2,}/, '- -') : ''}\n#{exception.backtrace.join("\n")}\n -->
|
|
</body></html>
|
|
EOL
|
|
end
|
|
end
|
|
|
|
def return_to_last_remembered
|
|
# Forget the redirect location
|
|
redirect_target, session[:return_to] = session[:return_to], nil
|
|
tried_home, session[:tried_home] = session[:tried_home], false
|
|
|
|
# then try to redirect to it
|
|
if redirect_target.nil?
|
|
if tried_home
|
|
raise 'Application could not render the index page'
|
|
else
|
|
logger.debug("Session ##{session.object_id}: no remembered redirect location, trying home")
|
|
redirect_home
|
|
end
|
|
else
|
|
logger.debug("Session ##{session.object_id}: " +
|
|
"redirect to the last remembered URL #{redirect_target}")
|
|
redirect_to(redirect_target)
|
|
end
|
|
end
|
|
|
|
public
|
|
|
|
def set_content_type_header
|
|
response.charset = 'utf-8'
|
|
if %w(atom_with_content atom_with_headlines).include?(action_name)
|
|
response.content_type = Mime::ATOM
|
|
elsif %w(tex).include?(action_name)
|
|
response.content_type = Mime::TEXT
|
|
elsif xhtml_enabled?
|
|
if request.user_agent =~ /Validator/ or request.env.include?('HTTP_ACCEPT') &&
|
|
Mime::Type.parse(request.env["HTTP_ACCEPT"]).include?(Mime::XHTML)
|
|
response.content_type = Mime::XHTML
|
|
elsif request.user_agent =~ /MathPlayer/
|
|
response.charset = nil
|
|
response.content_type = Mime::XHTML
|
|
response.extend(MathPlayerHack)
|
|
else
|
|
response.content_type = Mime::HTML
|
|
end
|
|
else
|
|
response.content_type = Mime::HTML
|
|
end
|
|
end
|
|
|
|
def xhtml_enabled?
|
|
in_a_web? and (@web.markup == :markdownMML or @web.markup == :markdownPNG or @web.markup == :markdown)
|
|
end
|
|
|
|
protected
|
|
|
|
def set_robots_metatag
|
|
if controller_name == 'wiki' and %w(show published).include? action_name
|
|
@robots_metatag_value = 'index,follow'
|
|
else
|
|
@robots_metatag_value = 'noindex,nofollow'
|
|
end
|
|
end
|
|
|
|
def setup_url_generator
|
|
PageRenderer.setup_url_generator(UrlGenerator.new(self))
|
|
end
|
|
|
|
def teardown_url_generator
|
|
PageRenderer.teardown_url_generator
|
|
end
|
|
|
|
def wiki
|
|
self.class.wiki
|
|
end
|
|
|
|
private
|
|
|
|
def in_a_web?
|
|
not @web_name.nil?
|
|
end
|
|
|
|
def authorization_needed?
|
|
not %w( login authenticate feeds published atom_with_headlines atom_with_content).include?(action_name)
|
|
end
|
|
|
|
def authorized?
|
|
@web.nil? or
|
|
@web.password.nil? or
|
|
cookies[CGI.escape(@web_name)] == @web.password or
|
|
password_check(params['password']) or
|
|
(@web.published? and action_name == 's5')
|
|
end
|
|
|
|
end
|
|
|
|
module Mime
|
|
# Fix HTML
|
|
#HTML = Type.new "text/html", :html, %w( application/xhtml+xml )
|
|
self.class.const_set("HTML", Type.new("text/html", :html) )
|
|
|
|
# Add XHTML
|
|
XHTML = Type.new "application/xhtml+xml", :xhtml
|
|
|
|
# Fix xhtml and html lookups
|
|
LOOKUP["text/html"] = HTML
|
|
LOOKUP["application/xhtml+xml"] = XHTML
|
|
end
|
|
|
|
module MathPlayerHack
|
|
def charset=(encoding)
|
|
self.headers["Content-Type"] = "#{content_type || Mime::HTML}"
|
|
end
|
|
end
|
|
|
|
module Instiki
|
|
module VERSION #:nodoc:
|
|
MAJOR = 0
|
|
MINOR = 16
|
|
TINY = 2
|
|
SUFFIX = '(MML+)'
|
|
PRERELEASE = false
|
|
if PRERELEASE
|
|
STRING = [MAJOR, MINOR].join('.') + PRERELEASE + SUFFIX
|
|
else
|
|
STRING = [MAJOR, MINOR, TINY].join('.') + SUFFIX
|
|
end
|
|
end
|
|
end
|