[LON-CAPA-cvs] cvs: loncom /publisher lonpubdir.pm lonpublisher.pm

www www at source.lon-capa.org
Sat Oct 22 11:16:20 EDT 2011


www		Sat Oct 22 15:16:20 2011 EDT

  Modified files:              
    /loncom/publisher	lonpubdir.pm lonpublisher.pm 
  Log:
  Bug #1320: the passed filename should always be of the form
  /priv/domain/user/...
  rather than differing from handler to handler
  
  
Index: loncom/publisher/lonpubdir.pm
diff -u loncom/publisher/lonpubdir.pm:1.130 loncom/publisher/lonpubdir.pm:1.131
--- loncom/publisher/lonpubdir.pm:1.130	Sat Oct 22 12:34:01 2011
+++ loncom/publisher/lonpubdir.pm	Sat Oct 22 15:16:20 2011
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Construction Space Directory Lister
 #
-# $Id: lonpubdir.pm,v 1.130 2011/10/22 12:34:01 www Exp $
+# $Id: lonpubdir.pm,v 1.131 2011/10/22 15:16:20 www Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -521,7 +521,7 @@
     my $title=' ';
     my $publish_button=&mt('Publish');
     my $cstr_dir = $r->dir_config('lonDocRoot').'/priv/'.$udom.'/'.$uname.'/'.$thisdisfn.'/';
-    my $linkfilename='/priv'.$thisdisfn.'/'.$filename;
+    my $linkfilename=&HTML::Entities::encode('/priv'.$thisdisfn.'/'.$filename,'<>&"');
 
     if (-e $resdir.'/'.$filename) {
         my $same=0;
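Review bot: The new `$linkfilename` on the `+` line is built as `'/priv'.$thisdisfn.'/'.$filename`, while `$cstr_dir` two lines above places the same `$thisdisfn` under `/priv/'.$udom.'/'.$uname.'/'`; unless `$thisdisfn` already carries the `/domain/user` prefix, the link lacks exactly the domain and user components the commit message says every passed filename must have. If it does carry them, then `$cstr_dir` doubles them and one of the two expressions needs fixing for consistency. A one-line comment stating what `$thisdisfn` is relative to would settle the ambiguity for the next reader, e.g. `# $thisdisfn is docroot-relative: /domain/user/subdir`. The enclosing sub starts before this hunk.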
@@ -657,8 +657,8 @@
 '<option value="cleanup">'.&mt('Clean up').'</option>'.
 '<option value="print">'.&mt('Print').'</option>'.
 '</select>
-<input type="hidden" name="filename" value="/~'.
- &HTML::Entities::encode($uname.$thisdisfn.'/'.$filename,'<>&"').'" />
+<input type="hidden" name="filename" value="/priv'.
+ &HTML::Entities::encode($thisdisfn.'/'.$filename,'<>&"').'" />
  <input type="hidden" name="dispfilename" value="'.
  &HTML::Entities::encode($filename).'" /></form>';
     $$numres ++;
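Review bot: The hidden `filename` value built on the `+` lines is the same `/priv`.$thisdisfn.`/`.$filename string, HTML-encoded with the same charset, that the preceding hunk stores in `$linkfilename`; if both are in the same sub, reuse it, `'<input type="hidden" name="filename" value="'.$linkfilename.'" />'.`, so the two cannot drift apart the next time the path convention changes. This value is what lonpublisher.pm now passes to `constructaccess` unchanged, so whether it includes `/domain/user` decides whether publishing is authorized at all; that dependency is worth a comment at the form, e.g. `# must be of the /priv/domain/user/... form that lonpublisher expects`. The form-emitting sub starts before this hunk.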
Index: loncom/publisher/lonpublisher.pm
diff -u loncom/publisher/lonpublisher.pm:1.267 loncom/publisher/lonpublisher.pm:1.268
--- loncom/publisher/lonpublisher.pm:1.267	Wed Jun  2 19:09:42 2010
+++ loncom/publisher/lonpublisher.pm	Sat Oct 22 15:16:20 2011
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Publication Handler
 #
-# $Id: lonpublisher.pm,v 1.267 2010/06/02 19:09:42 www Exp $
+# $Id: lonpublisher.pm,v 1.268 2011/10/22 15:16:20 www Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -2087,59 +2087,34 @@
 # -------------------------------------------------------------- Check filename
 
     my $fn=&unescape($env{'form.filename'});
+    ($cuname,$cudom)=&Apache::loncacc::constructaccess($fn);
+# ----------------------------------------------------- Do we have permissions?
+     unless (($cuname) && ($cudom)) {
+       $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}.
+                      ' trying to publish file '.$env{'form.filename'}.
+                      ' - not authorized', 
+                      $r->filename); 
+       return HTTP_NOT_ACCEPTABLE;
+     }
+# ----------------------------------------------------------------- Get docroot
+    $docroot=$r->dir_config('lonDocRoot');
 
-    ($cuname,$cudom)=
-	&Apache::loncacc::constructaccess($fn,$r->dir_config('lonDefDomain'));
 
 # special publication: default.meta file
     if ($fn=~/\/default.meta$/) {
 	return &defaultmetapublish($r,$fn,$cuname,$cudom); 
     }
     $fn=~s/\.meta$//;
-  
+
+# sanity test on the filename 
+ 
     unless ($fn) { 
 	$r->log_reason($cuname.' at '.$cudom.
 		       ' trying to publish empty filename', $r->filename); 
 	return HTTP_NOT_FOUND;
     } 
 
-    unless (($cuname) && ($cudom)) {
-	$r->log_reason($cuname.' at '.$cudom.
-		       ' trying to publish file '.$env{'form.filename'}.
-		       ' ('.$fn.') - not authorized', 
-		       $r->filename); 
-	return HTTP_NOT_ACCEPTABLE;
-    }
-
-    my $home=&Apache::lonnet::homeserver($cuname,$cudom);
-    my $allowed=0;
-    my @ids=&Apache::lonnet::current_machine_ids();
-    foreach my $id (@ids) { if ($id eq $home) { $allowed = 1; }  }
-    unless ($allowed) {
-	$r->log_reason($cuname.' at '.$cudom.
-		       ' trying to publish file '.$env{'form.filename'}.
-		       ' ('.$fn.') - not homeserver ('.$home.')', 
-		       $r->filename); 
-	return HTTP_NOT_ACCEPTABLE;
-    }
-
-    $fn=~s{^http://[^/]+}{};
-    $fn=~s{^/~($match_username)}{/home/$1/public_html};
-
-    my $targetdir='';
-    $docroot=$r->dir_config('lonDocRoot'); 
-    if ($1 ne $cuname) {
-	$r->log_reason($cuname.' at '.$cudom.
-		       ' trying to publish unowned file '.
-		       $env{'form.filename'}.' ('.$fn.')', 
-		       $r->filename); 
-	return HTTP_NOT_ACCEPTABLE;
-    } else {
-	$targetdir=$docroot.'/res/'.$cudom;
-    }
-                                 
-  
-    unless (-e $fn) { 
+    unless (-e $docroot.$fn) { 
 	$r->log_reason($cuname.' at '.$cudom.
 		       ' trying to publish non-existing file '.
 		       $env{'form.filename'}.' ('.$fn.')', 
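Review bot: Apart from whatever `constructaccess` does internally, nothing in the new code confines `$fn` to the caller's construction space before it is used in `-e $docroot.$fn` and, further down, handed to `publish`: the removed lines mapped `/~user` to `/home/user/public_html` and rejected a path whose user component differed from `$cuname`, and that explicit ownership check has no replacement in this hunk. Since `$fn` is decoded straight from `form.filename`, I would fail closed on the expected shape right after the authorization block, e.g. `unless ($fn=~m{^/priv/\Q$cudom\E/\Q$cuname\E/} && $fn!~m{(^|/)\.\.(/|$)}) { return HTTP_NOT_ACCEPTABLE; }` (assuming `constructaccess` returns the owner of the space named in the path), so a later change to `constructaccess` cannot silently widen what this handler will publish. The dropped homeserver test also deserves a comment saying why it is no longer needed, presumably because `-e $docroot.$fn` only succeeds on the machine that holds the construction space. The handler sub starts before this hunk.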
@@ -2194,31 +2169,18 @@
                   &Apache::loncommon::CSTR_pageheader()) # FIXME crumbs broken?
     );
 
-
-    my $thisfn=$fn;
-
-    my $thistarget=$thisfn;
-      
-    $thistarget=~s/^\/home/$targetdir/;
-    $thistarget=~s/\/public\_html//;
-
-    my $thisdistarget=$thistarget;
-    $thisdistarget=~s/^\Q$docroot\E//;
-
-    my $thisdisfn=$thisfn;
-    $thisdisfn=~s/^\/home\/\Q$cuname\E\/public_html\///;
+    my $thisdisfn=&HTML::Entities::encode($fn,'<>&"');
+    my $thistarget=$fn;
+    $thistarget=~s/^\/priv\//\/res\//;
+    my $thisdistarget=&HTML::Entities::encode($thistarget,'<>&"');
 
     if ($fn=~/\/$/) {
 # -------------------------------------------------------- This is a directory
 	&publishdirectory($r,$fn,$thisdisfn);
-	$r->print('<hr /><a href="/priv/'
-		  .$cuname.'/'.$thisdisfn
-		  .'">'.&mt('Return to Directory').'</a>');
-
-
+	$r->print('<hr /><a href="'.$thisdisfn.'">'.&mt('Return to Directory').'</a>');
     } else {
 # ---------------------- Evaluate individual file, and then output information.
-	$thisfn=~/\.(\w+)$/;
+	$fn=~/\.(\w+)$/;
 	my $thistype=$1;
 	my $thisembstyle=&Apache::loncommon::fileembstyle($thistype);
         if ($thistype eq 'page') {  $thisembstyle = 'rat'; }
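Review bot: `$thistarget=~s/^\/priv\//\/res\//` on the `+` line only rewrites the target when `$fn` begins with `/priv/`; for any other prefix `$thistarget` stays equal to `$fn`, and the `publish($fn,$thistarget,...)` call later in this sub would write the resource over its own source or to an unintended location instead of failing. Make the rewrite mandatory so it fails closed, e.g. `$thistarget=~s{^/priv/}{/res/} or die "refusing to publish: filename not under /priv/";`, unless an explicit `^/priv/` check already precedes this point. Separately, `publishdirectory` now receives `$thisdisfn`, which is HTML-encoded, where the removed code passed the raw relative path; if it uses the value for anything but display, directory names containing `&`, `<`, `>` or `"` will no longer resolve. The sub starts before this hunk.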
@@ -2242,7 +2204,7 @@
                  .'<tt>'
                  );
 	$r->print(<<ENDCAPTION);
-<a href='javascript:void(window.open("/~$cuname/$thisdisfn","cat","height=300,width=500,scrollbars=1,resizable=1,menubar=0,location=1"))'>
+<a href='javascript:void(window.open("$thisdisfn","cat","height=300,width=500,scrollbars=1,resizable=1,menubar=0,location=1"))'>
 $thisdisfn</a>
 ENDCAPTION
         $r->print('</tt>'
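Review bot: `$thisdisfn` on the `+` line was encoded with the charset `'<>&"'`, which leaves `'` alone, yet it is interpolated inside a single-quoted `href='javascript:...'` attribute; a construction-space name containing an apostrophe terminates the attribute and whatever follows is parsed as markup. HTML encoding also does not protect the JavaScript string literal inside `window.open("...")`, because the parser decodes `&quot;` back to `"` before the script runs, so a name containing a double quote breaks out of that string as well. The simplest fix is to pass a percent-encoded path to `window.open`, e.g. `&escape($fn)` if the counterpart of the `unescape` used at the top of the handler is in scope, and keep the HTML-encoded `$thisdisfn` for the link text only; otherwise add `'` to the charset where `$thisdisfn` is built, `&HTML::Entities::encode($fn,'<>&"\'')`, and backslash-escape the JS context separately.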
@@ -2265,7 +2227,7 @@
             $r->print(&Apache::lonhtmlcommon::row_closure()
                      .&Apache::lonhtmlcommon::row_title(&mt('Diffs')));
 	    $r->print(<<ENDDIFF);
-<a href='javascript:void(window.open("/adm/diff?filename=/~$cuname/$thisdisfn&versiontwo=priv","cat","height=300,width=500,scrollbars=1,resizable=1,menubar=0,location=1"))'>
+<a href='javascript:void(window.open("/adm/diff?filename=$thisdisfn&versiontwo=priv","cat","height=300,width=500,scrollbars=1,resizable=1,menubar=0,location=1"))'>
 ENDDIFF
             $r->print(&mt('Diffs with Current Version').'</a>');
 	}
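Review bot: `filename=$thisdisfn` in the `/adm/diff` URL on the `+` line is HTML-encoded but not URL-encoded, so a name containing `&`, `?`, `#`, `%`, `+` or a space splits or corrupts the query string the diff handler receives (the old `/~$cuname/$thisdisfn` form had the same weakness, but the path now also carries domain and user). Build the query from the raw `$fn` with the URL-escaping counterpart of the `unescape` used at the top of the handler, e.g. `"/adm/diff?filename=".&escape($fn)."&versiontwo=priv"`, assuming `escape` is in scope here; percent-encoded text is also safe inside the JavaScript string literal, so no further quoting is needed. The sub continues outside the hunk.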
@@ -2274,17 +2236,17 @@
                  .&Apache::lonhtmlcommon::end_pick_box()
                  );
   
-# ------------------ Publishing from $thisfn to $thistarget with $thisembstyle.
+# ---------------------- Publishing from $fn to $thistarget with $thisembstyle.
 
 	unless ($env{'form.phase'} eq 'two') {
 # ---------------------------------------------------------- Parse for problems
 	    my ($warningcount,$errorcount);
 	    if ($thisembstyle eq 'ssi') {
-		($warningcount,$errorcount)=&checkonthis($r,$thisfn);
+		($warningcount,$errorcount)=&checkonthis($r,$fn);
 	    }
 	    unless ($errorcount) {
 		my ($outstring,$error)=
-		    &publish($thisfn,$thistarget,$thisembstyle);
+		    &publish($fn,$thistarget,$thisembstyle);
 		$r->print($outstring);
 	    } else {
 		$r->print('<h3 class="LC_error">'.
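Review bot: `checkonthis($r,$fn)` and `publish($fn,$thistarget,$thisembstyle)` on the `+` lines now receive docroot-relative paths (`/priv/...` and `/res/...`), whereas the removed `$thisfn` and `$thistarget` were absolute (`/home/<user>/public_html/...` and `$docroot/res/...`); this diff does not touch `checkonthis` or `publish`, so unless they already prepend `lonDocRoot` themselves, the `-e $docroot.$fn` check earlier in the handler will pass while the callees operate on paths that do not exist. Either prefix at the call site, `&publish($docroot.$fn,$docroot.$thistarget,$thisembstyle)`, or state the contract with a comment such as `# publish() and checkonthis() expect docroot-relative paths`. The same question applies to the `phasetwo` call in the next hunk. The sub starts before this hunk and ends after it.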
@@ -2292,7 +2254,7 @@
 			  '</h3>');
 	    }
 	} else {
-	    &phasetwo($r,$thisfn,$thistarget,$thisembstyle,$thisdistarget); 
+	    &phasetwo($r,$fn,$thistarget,$thisembstyle,$thisdistarget); 
 	}
     }
     $r->print(&Apache::loncommon::end_page());



