Fixed form parsing and template escaping

binnit.go

@@ -21,26 +21,23 @@
  *
  */
 
-
 package main
 
 import (
+	"binnit/paste"
+	"flag"
 	"fmt"
+	"html"
+	"io"
 	"log"
 	"net/http"
 	"os"
 	"path/filepath"
 	"time"
-	"io"
-	"binnit/paste"
-	"flag"
 )
 
-
 var conf_file = flag.String("c", "./binnit.cfg", "Configuration file for binnit")
 
-
-
 var p_conf = Config{
 	server_name: "localhost",
 	bind_addr:   "0.0.0.0",
@@ -51,8 +48,6 @@ var p_conf = Config{
 	log_file:    "./binnit.log",
 }
 
-
-
 func min(a, b int) int {
 
 	if a > b {
@@ -82,6 +77,10 @@ func handle_get_paste(w http.ResponseWriter, r *http.Request) {
 
 		title, date, content, err := paste.Retrieve(paste_name)
 
+		title = html.EscapeString(title)
+		date = html.EscapeString(date)
+		content = html.EscapeString(content)
+		
 		if err == nil {
 			s, err := prepare_paste_page(title, date, content, p_conf.templ_dir)
 			if err == nil {
@@ -101,8 +100,10 @@ func handle_get_paste(w http.ResponseWriter, r *http.Request) {
 
 func handle_put_paste(w http.ResponseWriter, r *http.Request) {
 
+	err1 := r.ParseForm()
+	err2 := r.ParseMultipartForm(int64(2 * p_conf.max_size))
 
-	if err := r.ParseForm(); err != nil {
+	if err1 != nil && err2 != nil {
 		// Invalid POST -- let's serve the default file
 		http.ServeFile(w, r, p_conf.templ_dir+"/index.html")
 	} else {
@@ -121,12 +122,13 @@ func handle_put_paste(w http.ResponseWriter, r *http.Request) {
 
 		ID, err := paste.Store(title, date, content, p_conf.paste_dir)
 
+		log.Printf("   title: %s\npaste: %s\n", title, content)
 		log.Printf("   ID: %s; err: %s\n", ID, err)
 
 		if err == nil {
 			hostname := p_conf.server_name
 			if show := req_body.Get("show"); show != "1" {
-				fmt.Fprintf(w, "http://%s/%s", hostname, ID)
+				fmt.Fprintf(w, "http://%s/%s\n", hostname, ID)
 				return
 			} else {
 				fmt.Fprintf(w, "<html><body>Link: <a href='http://%s/%s'>http://%s/%s</a></body></html>",
@@ -139,7 +141,6 @@ func handle_put_paste(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-
 func req_handler(w http.ResponseWriter, r *http.Request) {
 
 	switch r.Method {
@@ -152,11 +153,8 @@ func req_handler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-
-
 func main() {
 
-	
 	flag.Parse()
 
 	parse_config(*conf_file, &p_conf)
@@ -168,7 +166,6 @@ func main() {
 	}
 	defer f.Close()
 
-	
 	log.SetOutput(io.Writer(f))
 	log.SetPrefix("[binnit]: ")
 	log.SetFlags(log.Ldate | log.Ltime | log.Lmicroseconds)

templ.go

@@ -21,7 +21,6 @@
  *
  */
 
-
 /*
  *
  * minimal Templating support for binnit
@@ -35,11 +34,11 @@ import (
 	"io/ioutil"
 	"os"
 	"regexp"
-	"strings"
 	"strconv"
+	"strings"
 )
 
-func format_rows(content string) (string) {
+func format_rows(content string) string {
 
 	var ret string
 
@@ -57,7 +56,6 @@ func format_rows(content string) (string) {
 	return ret
 }
 
-
 func prepare_paste_page(title, date, content, templ_dir string) (string, error) {
 
 	s := ""
@@ -83,21 +81,19 @@ func prepare_paste_page(title, date, content, templ_dir string) (string, error)
 	f_templ, err := os.Open(templ_file)
 	defer f_templ.Close()
 
-	
 	if cont, err := ioutil.ReadFile(templ_file); err == nil {
 		tmpl := string(cont)
-		// ...and replace  {{CONTENT}} with the paste itself!
 		re, _ := regexp.Compile("{{TITLE}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(title)))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, title))
 
 		re, _ = regexp.Compile("{{DATE}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(date)))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, date))
 
 		re, _ = regexp.Compile("{{CONTENT}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(format_rows(content))))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, format_rows(content)))
 
 		re, _ = regexp.Compile("{{RAW_CONTENT}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(content)))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, content))
 
 		s += tmpl