From 265c836b36d4d7b3eccee90f18ce40d773fd47ae Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay"
Date: Mon, 15 Feb 2021 02:33:30 -0700
Subject: [PATCH] various: provide protected field support bits
Enhance print_form_fields to allow passing in a list of protected fields that need to be handled differently. Enhance cgi_fill to not fill fields from a non-existent parameter value (thereby avoiding stepping on the value). Provide a new check_timed_token utility function that works like verify_timed_token except it takes a category name instead of an actual secret.
Signed-off-by: Kyle J. McKay
---
 Girocco/CGI.pm | 16 ++++++++++++++--
 Girocco/Project.pm | 3 ++-
 Girocco/Util.pm | 20 +++++++++++++++++++-
 3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/Girocco/CGI.pm b/Girocco/CGI.pm
index e576483..946fa0c 100644
--- a/Girocco/CGI.pm
+++ b/Girocco/CGI.pm
@@ -223,9 +223,17 @@ sub html_esc($;$) {
 $str;
 }
+# Option 1:
+# $instance->print_form_fields({}, {}, @)
+# Option 2:
+# $instance->print_form_fields({}, {}, {valuemap}, @)
+# If ref(3rd-arg) eq 'HASH' it's option 2 otherwise option 1
 sub print_form_fields {
 my $self = shift;
- my ($fieldmap, $valuemap, @fields) = @_;
+ my $fieldmap = shift;
+ my $protectmap = ref($_[1]) eq 'HASH' ? shift : {};
+ my ($valuemap, @fields) = @_;
+ my $protflag;
 my $print_form_field = sub {
 my $field = shift;
@@ -234,7 +242,10 @@ sub print_form_fields {
 $title=' title="'.html_esc($field->[3], 1).'"' }
 print ''.$field->[0].':';
- if ($field->[2] eq 'text') {
+ if ($protflag || $protectmap->{$field->[1]}) {
+ $protflag = 1;
+ print 'Enter Admin password and use “View All” button to view/edit.';
+ } elsif ($field->[2] eq 'text') {
 print '';
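Review bot: The header comment added above `sub print_form_fields` documents both call forms with bare `{}` placeholders, so it never says which hash is the protect map and which the value map; spell the arguments out, e.g. `# $instance->print_form_fields($fieldmap, $valuemap, @fields)` and `# $instance->print_form_fields($fieldmap, $protectmap, $valuemap, @fields)`. The discriminator `ref($_[1]) eq 'HASH'` runs after `$fieldmap` has been shifted off, so it does inspect the caller's third argument as the comment states, but that only works because `@fields` entries are keys into `$fieldmap` and never hash references — a comment on that line, `# caller's 3rd arg is a hash only when a protect map was passed`, would record the assumption. `$protflag` is declared here but only given meaning in the next hunk; a one-line comment at the declaration saying what it tracks would spare the reader the jump.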
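Review bot: `$protflag` is set on the first protected field and is only reset per fieldset (`$protflag = 0;` in the hunk at -264), so every later field of the same fieldset is replaced with the placeholder even when it is not in `$protectmap`; if that is the intent, say so, `# once a protected field is hit the rest of this fieldset is hidden too`, otherwise drop the `$protflag ||` and the assignment. The placeholder only changes what is rendered: nothing in this hunk stops a value posted for a protected field from being accepted, and the cgi_fill change in this patch merely skips parameters absent from the request, so the comment should name where submitted values for protected fields are rejected. The `$print_form_field` closure continues past the end of the hunk.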
@@ -264,6 +275,7 @@ sub print_form_fields {
 foreach my $fieldset (map { $fieldmap->{$_} } @fields) {
 ref($fieldset) eq 'ARRAY' or next;
 $fieldset = [$fieldset] unless ref($$fieldset[0]) eq 'ARRAY';
+ $protflag = 0;
 foreach (@$fieldset) {
 defined($$_[0]) && $$_[0] ne "" or next;
 defined($$_[1]) && $$_[1] ne "" or next;
diff --git a/Girocco/Project.pm b/Girocco/Project.pm
index 0059d9b..da0c523 100644
--- a/Girocco/Project.pm
+++ b/Girocco/Project.pm
@@ -682,7 +682,8 @@ sub cgi_fill {
 my $cgi = $gcgi->cgi;
 my %allowedfields = map({$_ => 1} @Girocco::Config::project_fields);
 my $field_enabled = sub {
- !exists($metadata_fields->{$_[0]}) || exists($allowedfields{$_[0]})};
+ defined($cgi->param($_[0])) &&
+ (!exists($metadata_fields->{$_[0]}) || exists($allowedfields{$_[0]}))};
 my $pwd = $cgi->param('pwd');
 my $pwd2 = $cgi->param('pwd2');
diff --git a/Girocco/Util.pm b/Girocco/Util.pm
index 0cf475a..c23f641 100644
--- a/Girocco/Util.pm
+++ b/Girocco/Util.pm
@@ -28,7 +28,7 @@ BEGIN {
 read_config_file_hash is_git_dir git_bool util_path is_shellish read_HEAD_ref git_add_config to_json json_bool from_json ref_indicator get_token_key
- get_timed_token get_token_field);
+ get_timed_token get_token_field check_timed_token);
 }
 BEGIN {require "Girocco/extra/capture_command.pl"}
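Review bot: `$field_enabled` now also answers "is this parameter present in the request", which the name no longer conveys and which the rest of cgi_fill (the sub continues outside the hunk) may rely on as a pure allow-list check; if the closure is consulted anywhere other than the fill decision, a field missing from the request now reads as disallowed, so that use is worth confirming. `defined` is true for an empty string, so a form that posts the field with no value still clears it — only an absent parameter is left untouched, which matches the commit message. A comment on the new line, `# leave fields absent from the request alone so unrendered (protected) values are not clobbered`, would make the behaviour and its purpose explicit.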
@@ -1459,4 +1459,22 @@ sub get_token_field {
 return "";
 }
+# just like verify_timed_token except that
+# the second argument is a category name instead of
+# the actual HMAC "secret"
+# $_[0] -> a create_timed_token/get_timed_token to check
+# $_[1] -> category name to pass to get_token_key
+# $_[2] -> optional instance info to include in "text"
+# $_[3] -> duration of validity in seconds (5..2147483647)
+# $_[4] -> optional time stamp (secs since unix Epoch)
+# if not provided, current time is used
+# Returns true if $_[4] falls within the token's validity range
+# Returns false for a bad or expired token
+sub check_timed_token {
+ my ($token, $catg, $extra, $duration, $start) = @_;
+ my $tk = get_token_key($catg);
+ defined($tk) && $tk ne "" or return undef;
+ return verify_timed_token($token, $tk, $extra, $duration, $start);
+}
+
 1;
-- 
2.11.4.GIT
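Review bot: The header comment lists only a bad or expired token as a false result, but the `defined($tk) && $tk ne "" or return undef;` line also fails closed when `get_token_key` has no key for `$catg`; add `# Returns false as well when no key exists for the category (fails closed)` so callers do not mistake a missing key for a token problem. Prefer a bare `return;` over `return undef;` there: in list context `return undef` yields a one-element list, which is true. The documented range for `$_[3]` (5..2147483647) is not checked in this sub; presumably verify_timed_token enforces it, which a short note next to that parameter line would confirm.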