Fixed form parsing and template escaping

8 years ago · a6a9f827de
parent 363384c445
commit a6a9f827de
2 changed files with 53 additions and 60 deletions
--- a/binnit.go
+++ b/binnit.go
@ -21,26 +21,23 @@
 *
 */

-
 package main

 import (
+	"binnit/paste"
+	"flag"
 	"fmt"
+	"html"
+	"io"
 	"log"
 	"net/http"
 	"os"
 	"path/filepath"
 	"time"
-	"io"
-	"binnit/paste"
-	"flag"
 )

-
 var conf_file = flag.String("c", "./binnit.cfg", "Configuration file for binnit")

-
-
 var p_conf = Config{
 	server_name: "localhost",
 	bind_addr:   "0.0.0.0",
@ -51,8 +48,6 @@ var p_conf = Config{
 	log_file:    "./binnit.log",
 }

-
-
 func min(a, b int) int {

 	if a > b {
@ -82,6 +77,10 @@ func handle_get_paste(w http.ResponseWriter, r *http.Request) {

 		title, date, content, err := paste.Retrieve(paste_name)

+		title = html.EscapeString(title)
+		date = html.EscapeString(date)
+		content = html.EscapeString(content)
+		
 		if err == nil {
 			s, err := prepare_paste_page(title, date, content, p_conf.templ_dir)
 			if err == nil {
@ -101,8 +100,10 @@ func handle_get_paste(w http.ResponseWriter, r *http.Request) {

 func handle_put_paste(w http.ResponseWriter, r *http.Request) {

+	err1 := r.ParseForm()
+	err2 := r.ParseMultipartForm(int64(2 * p_conf.max_size))

-	if err := r.ParseForm(); err != nil {
+	if err1 != nil && err2 != nil {
 		// Invalid POST -- let's serve the default file
 		http.ServeFile(w, r, p_conf.templ_dir+"/index.html")
 	} else {
@ -121,12 +122,13 @@ func handle_put_paste(w http.ResponseWriter, r *http.Request) {

 		ID, err := paste.Store(title, date, content, p_conf.paste_dir)

+		log.Printf("   title: %s\npaste: %s\n", title, content)
 		log.Printf("   ID: %s; err: %s\n", ID, err)

 		if err == nil {
 			hostname := p_conf.server_name
 			if show := req_body.Get("show"); show != "1" {
-				fmt.Fprintf(w, "http://%s/%s", hostname, ID)
+				fmt.Fprintf(w, "http://%s/%s\n", hostname, ID)
 				return
 			} else {
 				fmt.Fprintf(w, "<html><body>Link: <a href='http://%s/%s'>http://%s/%s</a></body></html>",
@ -139,7 +141,6 @@ func handle_put_paste(w http.ResponseWriter, r *http.Request) {
 	}
 }

-
 func req_handler(w http.ResponseWriter, r *http.Request) {

 	switch r.Method {
@ -152,11 +153,8 @@ func req_handler(w http.ResponseWriter, r *http.Request) {
 	}
 }

-
-
 func main() {

-	
 	flag.Parse()

 	parse_config(*conf_file, &p_conf)
@ -168,7 +166,6 @@ func main() {
 	}
 	defer f.Close()

-	
 	log.SetOutput(io.Writer(f))
 	log.SetPrefix("[binnit]: ")
 	log.SetFlags(log.Ldate | log.Ltime | log.Lmicroseconds)
--- a/templ.go
+++ b/templ.go
@ -21,7 +21,6 @@
 *
 */

-
 /*
 *
 * minimal Templating support for binnit
@ -35,11 +34,11 @@ import (
 	"io/ioutil"
 	"os"
 	"regexp"
-	"strings"
 	"strconv"
+	"strings"
 )

-func format_rows(content string) (string) {
+func format_rows(content string) string {

 	var ret string

@ -57,7 +56,6 @@ func format_rows(content string) (string) {
 	return ret
 }

-
 func prepare_paste_page(title, date, content, templ_dir string) (string, error) {

 	s := ""
@ -83,21 +81,19 @@ func prepare_paste_page(title, date, content, templ_dir string) (string, error)
 	f_templ, err := os.Open(templ_file)
 	defer f_templ.Close()

-	
 	if cont, err := ioutil.ReadFile(templ_file); err == nil {
 		tmpl := string(cont)
-		// ...and replace  {{CONTENT}} with the paste itself!
 		re, _ := regexp.Compile("{{TITLE}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(title)))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, title))

 		re, _ = regexp.Compile("{{DATE}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(date)))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, date))

 		re, _ = regexp.Compile("{{CONTENT}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(format_rows(content))))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, format_rows(content)))

 		re, _ = regexp.Compile("{{RAW_CONTENT}}")
-		tmpl = string(re.ReplaceAll([]byte(tmpl), []byte(content)))
+		tmpl = string(re.ReplaceAllLiteralString(tmpl, content))

 		s += tmpl