tazbug view web/bugs.cgi @ rev 35

fix security hole & bug 43
author xfred222
date Wed Dec 19 17:37:44 2012 -0500 (2012-12-19)
parents 8ec2f574923b
children e978d208e75d
1 #!/bin/sh
2 #
3 # TazBug Web interface
4 #
5 # Copyright (C) 2012 SliTaz GNU/Linux - BSD License
6 #
7 . /usr/lib/slitaz/httphelper
8 [ -f "/etc/slitaz/bugs.conf" ] && . /etc/slitaz/bugs.conf
# Internal variables: bug storage, plugin directory, session files and
# the list of available translations.
po=""
sessions="/tmp/bugs/sessions"
plugins="plugins"
bugdir="$TAZBUG/bug"
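# Content negotiation for Gettext: walk the Accept-Language header and keep
# the first language that has a translation in $po.  The header is request
# data, so it is only compared as a fixed string with a case pattern and is
# never handed to grep as a pattern (a value starting with "-" used to be
# read as an option).
IFS=","
for lang in $HTTP_ACCEPT_LANGUAGE; do
  lang=${lang%;*} lang=${lang# } lang=${lang%-*}
  case "$lang" in
    en) LANG="C" ;;
    de) LANG="de_DE" ;;
    es) LANG="es_ES" ;;
    fr) LANG="fr_FR" ;;
    it) LANG="it_IT" ;;
    pt) LANG="pt_BR" ;;
    ru) LANG="ru_RU" ;;
    zh) LANG="zh_TW" ;;
  esac
  case "$po" in
    *"$lang"*) break ;;
  esac
done
unset IFS
export LANG LC_ALL=$LANG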
# Internationalization: $(gettext "") helpers come from gettext.sh and read
# the catalog named by TEXTDOMAIN.
. /usr/bin/gettext.sh
export TEXTDOMAIN='tazbug'
48 #
49 # Functions
50 #
# HTML 5 header: the static top of every page, read from lib/header.html
# relative to the CGI working directory.
html_header() {
  cat -- lib/header.html
}
# HTML 5 footer: closes the #content div opened by user_box, prints the
# footer links and closes the document.  $WEB_URL comes from bugs.conf.
html_footer() {
  printf '%s\n' \
    '</div>' \
    '' \
    '<div id="footer">' \
    "<a href=\"$WEB_URL\">SliTaz Bugs</a> -" \
    "<a href=\"$WEB_URL?README\">README</a>" \
    '</div>' \
    '' \
    '</body>' \
    '</html>'
}
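# Emit a JavaScript redirect to the URL $1 and log it to the browser console.
# The URL is assembled from request values (bug ids), so the characters
# that could end the JS string literal or the <script> element are escaped
# before the value is embedded.
js_redirection_to() {
  local target
  target=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's#</#<\\/#g')
  js_log "Redirecting to $1"
  echo "<script type=\"text/javascript\"> document.location = \"$target\"; </script>"
}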
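# Write $1 to the browser console.  Callers pass strings built from request
# values, so the quote, backslash and "</" sequences that could break out
# of the single-quoted JS literal are escaped first.
js_log() {
  local msg
  msg=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" -e 's#</#<\\/#g')
  echo "<script type=\"text/javascript\">console.log('$msg')</script>"
}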
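# Set the browser cookie $1 to $2 from JavaScript.  The value carries the
# login and session hash, the login coming from the request, so the
# characters that could close the JS string or the <script> element are
# escaped.  Being set from JS, the cookie cannot be HttpOnly.
js_set_cookie() {
  local name value
  name=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's#</#<\\/#g')
  value=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's#</#<\\/#g')
  js_log 'Setting cookie.'
  echo "<script type=\"text/javascript\">"
  echo "document.cookie = \"$name=$value; expires=0; path=/\""
  echo "</script>"
}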
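# Remove the browser cookie $1 from JavaScript.  The previous statement
# had an unbalanced quote ("$1=""; ...) and so never ran; the cookie is
# now cleared with an empty value and an expiry date in the past.
js_unset_cookie() {
  local name
  name=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's#</#<\\/#g')
  js_log 'Unsetting cookie.'
  echo "<script type=\"text/javascript\">"
  echo "document.cookie = \"$name=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/\""
  echo "</script>"
}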
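# Check if user is auth: the "auth" cookie holds "<login>:<session md5>" and
# must match the session file written at login ($sessions/<login>).
# Sets the globals auth, user, md5cookie and md5session for the callers.
# Returns 0 when the cookie matches a live session, 1 otherwise.
check_auth() {
  auth="$(COOKIE auth)"
  user=${auth%%:*}
  md5cookie=${auth#*:}
  md5cookie=${md5cookie%%:*}
  md5session=""
  # The login is used as a path component below: refuse anything that is
  # not a plain name (empty, leading dot, slash or other odd characters).
  case "$user" in
    ""|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  # The session hash is hex; an empty cookie hash must not compare equal to
  # a missing session file (it used to, for any login without a session).
  case "$md5cookie" in
    ""|*[!0-9a-f]*) return 1 ;;
  esac
  [ -f "$sessions/$user" ] || return 1
  md5session=$(cat "$sessions/$user")
  [ -n "$md5session" ] && [ "$md5cookie" = "$md5session" ]
}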
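# Authentified or not: the user box (avatar + log in/out), the search form
# and the opening of the #content div that html_footer closes.  An "id"
# request parameter is carried over to the login link so the user comes
# back to the bug; only a numeric id is accepted, anything else is dropped
# because it is reflected unescaped into the href.
user_box() {
  local want_id
  want_id="$(GET id)"
  IDLOC=""
  case "$want_id" in
    ""|*[!0-9]*) ;;
    *) IDLOC="&id=$want_id" ;;
  esac
  if check_auth; then
    # The profile may be missing for a login that was never created with
    # signup; the box is then shown without gravatar instead of aborting.
    [ -f "$PEOPLE/$user/account.conf" ] && . "$PEOPLE/$user/account.conf"
    cat << EOT
<div id="user">
<a href="?user=$user">$(get_gravatar "$MAIL" 20)</a>
<a href="?logout">$(gettext 'Log out')</a>
</div>
EOT
  else
    cat << EOT
<div id="user">
<a href="?login$IDLOC"><img src="images/avatar.png" alt="[ User ]" /></a>
<a href="?login$IDLOC">$(gettext 'Log in')</a>
</div>
EOT
  fi
  cat << EOT

<div id="search">
<form method="get" action="$WEB_URL">
<input type="text" name="search" placeholder="$(gettext 'Search')" />
<!-- <input type="submit" value="$(gettext 'Search')" /> -->
</form>
</div>

<!-- Content -->
<div id="content">

EOT
}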
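# Login page.  $error is set by the ?login dispatcher after a failed attempt.
# A numeric "id" parameter is appended to the form action so that the bug
# id survives the POST: the auth handler reads GET id to redirect back to
# the bug, which it could never see while the action was $SCRIPT_NAME alone.
login_page() {
  local want_id
  want_id="$(GET id)"
  IDLOC=""
  case "$want_id" in
    ""|*[!0-9]*) ;;
    *) IDLOC="?id=$want_id" ;;
  esac
  cat << EOT
<h2>$(gettext 'Login')</h2>

<div id="account-info">
<p>$(gettext "No account yet? Please signup using the SliTaz Bugs reporter \
on your SliTaz system.")</p>
<p>$(gettext "Tip: to attach big files or images, you can use SliTaz Paste \
services:") <a href="http://paste.slitaz.org/">paste.slitaz.org</a></p>
</div>

<div id="login">
<form method="post" action="$SCRIPT_NAME$IDLOC">
<input type="text" name="auth" placeholder="$(gettext 'User name')" />
<input type="password" name="pass" placeholder="$(gettext 'Password')" />
<div>
<input type="submit" value="$(gettext 'Log in')" />
$error
</div>
</form>
</div>

<div style="clear: both;"></div>
EOT
}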
# Display user public profile: the real name from the sourced account.conf,
# printed as-is (the value is not HTML-escaped here).
public_people() {
  printf '<pre>\n%s\n</pre>\n' "$(eval_gettext 'Real name : $NAME')"
}
# Display authentified user profile. TODO: change password
# Shows the owner's own name, email and secure key (the credential used by
# the ?key endpoint), so this must only be reached for the logged-in user.
auth_people() {
  printf '<pre>\n%s\n%s\n%s\n</pre>\n' \
    "$(eval_gettext 'Real name : $NAME')" \
    "$(eval_gettext 'Email : $MAIL')" \
    "$(eval_gettext 'Secure key : $KEY')"
}
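# Usage: list_bugs STATUS
# List every bug whose bug.conf contains STATUS (OPEN or CLOSED), critical
# ones first.  Each bug.conf is sourced, so its values (BUG, DATE, CREATOR,
# PRIORITY) are trusted as shell code here and printed unescaped.
list_bugs() {
  local pr conf id
  bug="$1"
  echo "<h3>$(eval_gettext '$bug Bug')</h3>"
  for pr in critical standard; do
    # -l lists each matching file once (a file matching on several lines
    # used to be listed several times); the glob may match nothing.
    for conf in $(fgrep -l -- "$1" "$bugdir"/*/bug.conf 2>/dev/null); do
      . "$conf"
      id=${conf%/bug.conf}
      id=${id##*/}
      if [ "$PRIORITY" = "$pr" ]; then
        cat << EOT
<pre>
$(gettext 'Bug title :') <strong>$BUG</strong> <a href="?id=$id">$(gettext 'Show')</a>
$(gettext 'ID - Date :') $id - $DATE
$(gettext 'Creator :') <a href="?user=$CREATOR">$CREATOR</a>
</pre>
EOT
      fi
    done
  done
}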
# Stripped down Wiki parser for bug desc and messages which are simply
# displayed in <pre>: reads stdin, turns http:// links ending in .png into
# <img> tags and any other http:// link into an <a> tag.  It is not an HTML
# escaper: "<" in the input is passed through untouched.
wiki_parser() {
  local img_rule link_rule
  img_rule="s#http://\([^']*\).png#<img src='\0' alt='[ Image ]' />#g"
  link_rule="s#http://\([^']*\).*# <a href='\0'>\1</a>#g"
  sed -e "$img_rule" -e "$link_rule"
}
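# Bug page: header, description, messages and (when logged in) the actions.
# Expects the globals set by the ?id dispatcher: id, msgs, and the values
# sourced from bug.conf (BUG, STATUS, DATE, PRIORITY, CREATOR, DESC).
# Each msg.N file is sourced too, so message files are trusted shell code.
# The <form> opened at the top is only closed in the logged-in branch.
bug_page() {
  local msg msgid del
  if [ -f "$PEOPLE/$CREATOR/account.conf" ]; then
    . "$PEOPLE/$CREATOR/account.conf"
  else
    MAIL="default"
  fi
  cat << EOT
<h2>$(eval_gettext 'Bug $id')</h2>
<form method="get" action="$WEB_URL">

<p>
$(get_gravatar "$MAIL" 32)
<strong>$STATUS</strong>
$BUG - $DATE -
$(eval_gettext 'Priority $PRIORITY') -
$(eval_ngettext '$msgs message' '$msgs messages' $msgs)
</p>

<pre>
$(printf '%s\n' "$DESC" | wiki_parser)
</pre>

<div id="tools">
EOT
  if check_auth; then
    if [ "$STATUS" = "OPEN" ]; then
      cat << EOT
<a href="?id=$id&amp;close">$(gettext "Close bug")</a>
<a href="?edit=$id">$(gettext "Edit bug")</a>
EOT
    else
      cat << EOT
<a href="?id=$id&amp;open">$(gettext "Re open bug")</a>
EOT
    fi
  fi
  cat << EOT
</div>

<h3>$(gettext "Messages")</h3>
EOT
  [ "$msgs" = "0" ] && gettext "No messages"
  # Oldest first.  Deleted messages are emptied, not removed, so numbering
  # stays stable; they have no MSG and are skipped below.
  for msg in $(ls -1tr "$bugdir/$id"/msg.* 2>/dev/null); do
    . "$msg"
    if [ "$MSG" ]; then
      # The message number is the file name suffix; cutting the path on "."
      # gave the wrong field whenever $bugdir itself contained a dot.
      msgid=${msg##*.}
      del=""
      # User can delete his post (never offered to an anonymous visitor).
      [ -n "$user" ] && [ "$user" = "$USER" ] && \
        del="<a href=\"?id=$id&amp;delmsg=$msgid\">delete</a>"
      cat << EOT
<p><strong>$USER</strong> $DATE $del</p>
<pre>
$(printf '%s\n' "$MSG" | wiki_parser)
</pre>
EOT
    fi
    unset NAME DATE MSG
  done
  if check_auth; then
    cat << EOT
<div>
<h3>$(gettext "New message")</h3>

<input type="hidden" name="id" value="$id" />
<textarea name="msg" rows="8"></textarea>
<p><input type="submit" value="$(gettext 'Send message')" /></p>
</form>
</div>
EOT
  fi
}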
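# Write a new message: msg.N in the bug directory ($id must already be set
# and validated by the caller).  N is one more than the number of existing
# msg.* files, emptied ones included, so numbers are never reused.
# Values are stored single-quoted with ' replaced by &#39; because the file
# is sourced as shell code by bug_page.
new_msg() {
  local date msgs count
  date=$(date "+%Y-%m-%d %H:%M")
  msgs=$(ls -1 "$bugdir/$id"/msg.* 2>/dev/null | wc -l)
  count=$((msgs + 1))
  if check_auth; then
    USER="$user"
  fi
  js_log "Will write message in $bugdir/$id/msg.$count "
  # The unquoted $(GET msg) deliberately collapses the textarea's CR/LF
  # line breaks into "CR space", which the outer sed turns back into a
  # newline; "set -f" keeps that word splitting from also expanding globs.
  # The author is the already-authenticated $USER (it used to be looked up
  # as a request parameter named after the user, which left it empty).
  sed "s/$(printf '\r') /\n/g" > "$bugdir/$id/msg.$count" << EOT
USER='$(printf '%s' "$USER" | sed -e "s/'/\&#39;/g")'
DATE="$date"
MSG='$(set -f; echo $(GET msg) | sed -e "s/'/\&#39;/g; s/\\\n/<br\/>/g; s/\\\t/\&#09;/g; s/\%22/\"/g" )'
EOT
}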
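# Create a new Bug: $bugdir/N/bug.conf, N being the number of existing bug
# directories.  Sets the global count so the caller can redirect to the new
# bug.  bug.conf is sourced as shell code later on, so every request value
# is stored single-quoted (with ' replaced by &#39;) and PRIORITY is reduced
# to the two known values: it used to be written verbatim inside double
# quotes, which let a request carry arbitrary shell code into the file.
new_bug() {
  local date priority
  count=$(ls -1 "$bugdir" 2>/dev/null | wc -l)
  date=$(date "+%Y-%m-%d %H:%M")
  # Sanity check, JS may be disabled.
  [ ! "$(GET bug)" ] && echo "Missing bug title" && exit 1
  [ ! "$(GET desc)" ] && echo "Missing bug description" && exit 1
  if check_auth; then
    USER="$user"
  fi
  case "$(GET priority)" in
    critical) priority="critical" ;;
    *) priority="standard" ;;
  esac
  mkdir -p "$bugdir/$count"
  # The unquoted $(GET ...) collapse textarea line breaks into "CR space",
  # which the outer sed turns back into newlines; "set -f" stops that word
  # splitting from also expanding globs.  The stray trailing '' that
  # followed PKGS and DESC added nothing and is gone.
  sed "s/$(printf '\r') /\n/g" > "$bugdir/$count/bug.conf" << EOT
# SliTaz Bug configuration

BUG='$(set -f; echo $(GET bug) | sed -e "s/'/\&#39;/g; s/\\\n/<br\/>/g; s/\\\t/\&#09;/g; s/\%22/\"/g" )'
STATUS="OPEN"
PRIORITY="$priority"
CREATOR='$(printf '%s' "$USER" | sed -e "s/'/\&#39;/g")'
DATE="$date"
PKGS='$(set -f; echo $(GET pkgs) | sed -e "s/'/\&#39;/g; s/\\\n/<br\/>/g; s/\\\t/\&#09;/g; s/\%22/\"/g" )'

DESC='$(set -f; echo $(GET desc) | sed -e "s/'/\&#39;/g; s/\\\n/<br\/>/g; s/\\\t/\&#09;/g; s/\%22/\"/g" )'
EOT
}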
# New bug page for the web interface: the form posts (GET) addbug, bug,
# desc, pkgs and priority, with a client-side check in checkNewBug().
new_bug_page() {
  cat << EOT
<h2>$(gettext "New Bug")</h2>
<div id="newbug">

<form method="get" action="$WEB_URL" onsubmit="return checkNewBug();">
<input type="hidden" name="addbug" />
<table>
<tbody>
<tr>
<td>$(gettext "Bug title")*</td>
<td><input type="text" name="bug" /></td>
</tr>
<tr>
<td>$(gettext "Description")*</td>
<td><textarea name="desc"></textarea></td>
</tr>
<tr>
<td>$(gettext "Packages")</td>
<td><input type="text" name="pkgs" /></td>
</tr>
<tr>
<td>$(gettext "Priority")</td>
<td>
<select name="priority">
<option value="standard">$(gettext "Standard")</option>
<option value="critical">$(gettext "Critical")</option>
</select>
<input type="submit" value="$(gettext "Create Bug")" />
</td>
</tr>
</tbody>
</table>
</form>
EOT
  # Trailing help text, separated so the form above stays readable.
  cat << EOT

<p>
$(gettext "* field is obligatory. You can also specify affected packages.")
</p>

</div>
EOT
}
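# Edit/Save a bug configuration file: show bug.conf of bug $bug (set by the
# ?edit dispatcher) in a textarea.  Only a numeric id is accepted, since an
# unquoted, unvalidated id used to be able to reach arbitrary files; the
# content is HTML-escaped so it cannot break out of the textarea.
# Returns 1 after printing an error when the id is rejected.
edit_bug() {
  local conf
  case "$bug" in
    ""|*[!0-9]*)
      echo "<p>Invalid bug ID</p>"
      return 1 ;;
  esac
  conf="$bugdir/$bug/bug.conf"
  cat << EOT
<h2>$(eval_gettext 'Edit Bug $bug')</h2>
<div id="edit">

<form method="get" action="$WEB_URL">
<textarea name="bugconf">$(sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g' "$conf")</textarea>
<input type="hidden" name="bug" value="$bug" />
<input type="submit" value="$(gettext 'Save configuration')" />
</form>

</div>
EOT
}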
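# Save the configuration posted by edit_bug into $bugdir/<bug>/bug.conf.
# The file is sourced as shell code elsewhere, so the posted text is not
# written back verbatim: only the known keys are kept, each value is
# stripped of one layer of quotes and rewritten single-quoted with ' as
# &#39;, STATUS and PRIORITY are reduced to their known values and CRs are
# dropped.  (The previous s/"/'/ replaced one quote per line, which both
# left the file unparsable and let arbitrary code through.)
# Sets the global bug for the caller; returns 1 when the id is rejected.
save_bug() {
  local content
  bug="$(GET bug)"
  content="$(GET bugconf)"
  case "$bug" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ -d "$bugdir/$bug" ] || return 1
  {
    echo "# SliTaz Bug configuration"
    echo
    printf '%s\n' "$content" | awk -v q="'" '
      { sub(/\r$/, "") }
      /^(BUG|STATUS|PRIORITY|CREATOR|DATE|PKGS|DESC)=/ {
        key = $0
        sub(/=.*/, "", key)
        val = substr($0, length(key) + 2)
        # strip one layer of surrounding quotes of either style
        if (val ~ /^".*"$/ || val ~ ("^" q ".*" q "$"))
          val = substr(val, 2, length(val) - 2)
        if (key == "STATUS" && val != "OPEN" && val != "CLOSED") val = "OPEN"
        if (key == "PRIORITY" && val != "critical" && val != "standard") val = "standard"
        gsub(q, "\\&#39;", val)
        print key "=" q val q
      }'
  } > "$bugdir/$bug/bug.conf"
}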
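# Close a fixed bug: flip the STATUS line of bug $id (set by the ?id
# dispatcher) from OPEN to CLOSED, keeping the line's quote characters.
# Only that line is touched; the old unanchored s/OPEN/CLOSED/ also rewrote
# the word inside titles and descriptions.
close_bug() {
  sed -i 's/^STATUS=\(.\)OPEN\(.\)$/STATUS=\1CLOSED\2/' "$bugdir/$id/bug.conf"
}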
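# Re open an old bug: flip the STATUS line of bug $id (set by the ?id
# dispatcher) from CLOSED to OPEN, keeping the line's quote characters.
# Only that line is touched; the old unanchored s/CLOSED/OPEN/ also rewrote
# the word inside titles and descriptions.
open_bug() {
  sed -i 's/^STATUS=\(.\)CLOSED\(.\)$/STATUS=\1OPEN\2/' "$bugdir/$id/bug.conf"
}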
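# Get and display Gravatar image: get_gravatar email size
# Link to profile: <a href="http://www.gravatar.com/$md5">...</a>
# size defaults to 48.  md5crypt is an external helper (how it derives the
# Gravatar hash is not visible here); the address is passed as a single
# argument, an unquoted address with spaces used to be split into several.
get_gravatar() {
  local email size url md5
  email=$1
  size=${2:-48}
  url="http://www.gravatar.com/avatar"
  md5=$(md5crypt "$email")
  echo "<img src=\"$url/$md5?d=identicon&amp;s=$size\" alt=\"\" />"
}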
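# Create a new user in AUTH_FILE and PEOPLE.  Expects the global user (the
# requested login) and reads mail, pass, name, scn, location, releases and
# packages from the request.  account.conf is sourced as shell code by the
# web pages, so every value is stored single-quoted with ' replaced by
# &#39; (request values inside double quotes used to be executed when the
# profile was displayed).  The login is validated here because it becomes a
# directory name and the first field of AUTH_FILE.
# Returns 1 after printing an ERROR line when the request is rejected.
new_user_config() {
  local mail pass key nl
  case "$user" in
    ""|.*|*[!A-Za-z0-9_.-]*)
      echo "ERROR: Invalid user login"
      return 1 ;;
  esac
  mail="$(GET mail)"
  pass="$(GET pass)"
  # AUTH_FILE holds "login:pass" per line and login compares the field
  # as-is with the md5 of the posted password, so the client is expected
  # to send the hash (verify against the tazbug client).  A ':' or a
  # newline in it would forge extra entries.
  nl='
'
  case "$pass" in
    ""|*:*|*"$nl"*)
      echo "ERROR: Invalid password"
      return 1 ;;
  esac
  key=$(printf '%s' "$user:$mail:$pass" | md5sum | awk '{print $1}')
  echo "Server Key generated"
  printf '%s:%s\n' "$user" "$pass" >> "$AUTH_FILE"
  mkdir -pm0700 "$PEOPLE/$user/"
  cat > "$PEOPLE/$user/account.conf" << EOT
# SliTaz user configuration
#

NAME='$(printf '%s' "$(GET name)" | sed "s/'/\&#39;/g")'
USER='$user'
MAIL='$(printf '%s' "$mail" | sed "s/'/\&#39;/g")'
KEY='$key'

COMMUNITY='$(printf '%s' "$(GET scn)" | sed "s/'/\&#39;/g")'
LOCATION='$(printf '%s' "$(GET location)" | sed "s/'/\&#39;/g")'
RELEASES='$(printf '%s' "$(GET releases)" | sed "s/'/\&#39;/g")'
PACKAGES='$(printf '%s' "$(GET packages)" | sed "s/'/\&#39;/g")'
EOT
  chmod 0600 "$PEOPLE/$user/account.conf"
  if [ ! -f "$PEOPLE/$user/account.conf" ]; then
    echo "ERROR: User creation failed!"
  fi
}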
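###################################################
# POST actions
###################################################

# Login: the form posts "auth" (login) and "pass".  The password is hashed
# and compared with the user's entry in AUTH_FILE; on success a session hash
# is written to $sessions/<login> and handed to the browser in the "auth"
# cookie, which check_auth verifies on later requests.
case " $(POST) " in
  *\ auth\ *)
    header
    html_header
    user="$(POST auth)"
    pass="$(printf '%s' "$(POST pass)" | md5sum | awk '{print $1}')"
    # Only a numeric bug id is carried through the login round trip, since
    # it is reflected into the redirect URL.
    login_id="$(GET id)"
    IDLOC=""
    case "$login_id" in
      ""|*[!0-9]*) login_id="" ;;
      *) IDLOC="&id=$login_id" ;;
    esac
    if [ ! -f "$AUTH_FILE" ]; then
      js_log "$AUTH_FILE (defined in \$AUTH_FILE) have not been found."
      js_redirection_to "$WEB_URL?login$IDLOC"
    fi
    # The login becomes a file name under $sessions: accept plain names
    # only.  The entry is looked up by exact first field rather than by
    # substring, so "b" can no longer be checked against bob's hash.
    valid=""
    case "$user" in
      ""|.*|*[!A-Za-z0-9_.-]*) ;;
      *) [ -f "$AUTH_FILE" ] && \
           valid=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$AUTH_FILE") ;;
    esac
    if [ "$pass" = "$valid" ] && [ "$pass" != "" ]; then
      [ -n "$login_id" ] && IDLOC="?id=$login_id"
      # Session token: kernel randomness mixed in rather than the PID and
      # the password hash alone.  The file is private to the web user.
      md5session=$({ head -c 32 /dev/urandom; printf '%s' "$$:$user:$pass:$$"; } \
        | md5sum | awk '{print $1}')
      mkdir -p "$sessions"
      echo "$md5session" > "$sessions/$user"
      chmod 0600 "$sessions/$user"
      js_set_cookie 'auth' "$user:$md5session"
      js_log "Login authentification have been executed & accepted :)"
      js_redirection_to "$WEB_URL$IDLOC"
    else
      js_log "Login authentification have been executed & refused"
      js_redirection_to "$WEB_URL?login&error$IDLOC"
    fi
    html_footer
    ;;
esac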
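#
# Plugins
#
# Each plugin lives in $plugins/<name>/ and is sourced into this script:
# its .conf first, then its .cgi if executable.  The directory is walked
# with a glob instead of by parsing ls; the -d guard also covers the
# unmatched-glob case.
for p in "$plugins"/*; do
  p=${p##*/}
  [ -d "$plugins/$p" ] || continue
  [ -f "$plugins/$p/$p.conf" ] && . "$plugins/$p/$p.conf"
  [ -x "$plugins/$p/$p.cgi" ] && . "$plugins/$p/$p.cgi"
done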
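###################################################
# GET actions
###################################################

# Every branch emits the HTTP header, the page body and (mostly) the footer.
# Request values that become path components (bug ids, logins) are checked
# before use, and the actions that modify data require a live session.
case " $(GET) " in
  *\ README\ *)
    header
    html_header
    user_box
    echo '<h2>README</h2>'
    echo '<pre>'
    cat /usr/share/doc/tazbug/README
    echo '</pre>'
    html_footer ;;
  *\ closed\ *)
    # Show all closed bugs.
    header
    html_header
    user_box
    list_bugs CLOSED
    html_footer ;;
  *\ login\ *)
    # The login page
    [ "$(GET error)" ] && \
      error="<span class='error'>$(gettext 'Bad login or pass')</span>"
    header
    html_header
    user_box
    login_page
    html_footer ;;
  *\ logout\ *)
    header
    html_header
    if check_auth; then
      rm -f "$sessions/$user"
      js_unset_cookie 'auth'
      js_redirection_to "$WEB_URL"
    fi ;;
  *\ user\ *)
    # User profile.  The login is a directory name under $PEOPLE, so only
    # a plain name is accepted and the profile must exist.
    header
    html_header
    user_box
    profile="$(GET user)"
    case "$profile" in
      ""|.*|*[!A-Za-z0-9_.-]*) profile="" ;;
    esac
    if [ -n "$profile" ] && [ -f "$PEOPLE/$profile/account.conf" ]; then
      . "$PEOPLE/$profile/account.conf"
      echo "<h2>$(get_gravatar "$MAIL") $profile</h2>"
      if check_auth && [ "$profile" = "$user" ]; then
        auth_people
      else
        public_people
      fi
    else
      echo "<p>Unknown user</p>"
    fi
    html_footer ;;
  *\ newbug\ *)
    # Add a bug from web interface.
    header
    html_header
    user_box
    if check_auth; then
      new_bug_page
    else
      echo "<p>$(gettext 'You must be logged in to post a new bug')</p>"
    fi
    html_footer ;;
  *\ addbug\ *)
    # Add a bug from web interface.
    header
    html_header
    if check_auth; then
      new_bug
      js_redirection_to "$WEB_URL?id=$count"
    fi ;;
  *\ edit\ *)
    # The Edit link is only offered to logged-in users; the raw
    # configuration is shown to them only.  edit_bug checks the id.
    bug="$(GET edit)"
    header
    html_header
    user_box
    if check_auth; then
      edit_bug
    else
      echo "<p>$(gettext 'You must be logged in to edit a bug')</p>"
    fi
    html_footer ;;
  *\ bugconf\ *)
    header
    html_header
    if check_auth; then
      save_bug && js_redirection_to "$WEB_URL?id=$bug"
    fi ;;
  *\ id\ *)
    header
    html_header
    id="$(GET id)"
    case "$id" in
      ""|*[!0-9]*) id="" ;;
    esac
    if [ -n "$id" ] && [ -f "$bugdir/$id/bug.conf" ]; then
      # State changes need a live session: the page only offers them to
      # logged-in users, but the links can be requested directly.
      if check_auth; then
        [ "$(GET close)" ] && close_bug
        [ "$(GET open)" ] && open_bug
        [ "$(GET msg)" ] && new_msg
        # Empty deleted messages to keep msg count working; only the
        # author of a message may delete it.
        delmsg="$(GET delmsg)"
        case "$delmsg" in
          ""|*[!0-9]*) ;;
          *)
            msgfile="$bugdir/$id/msg.$delmsg"
            if [ -f "$msgfile" ] && \
               [ "$(. "$msgfile"; printf '%s' "$USER")" = "$user" ]; then
              : > "$msgfile"
            fi ;;
        esac
      fi
      msgs=$(fgrep MSG= "$bugdir/$id"/msg.* 2>/dev/null | wc -l)
      user_box
      . "$bugdir/$id/bug.conf"
      bug_page
    else
      user_box
      echo "<p>Unknown bug ID</p>"
    fi
    html_footer ;;
  *\ signup\ *)
    # Signup (plain text, used by the tazbug client).  The login becomes
    # a directory name and an AUTH_FILE field, so only plain names pass;
    # the existence check matches the whole first field.
    header "Content-type: text/plain;"
    user="$(GET signup)"
    echo "Requested user login : $user"
    case "$user" in
      ""|.*|*[!A-Za-z0-9_.-]*)
        echo "ERROR: Invalid user login" && exit 1 ;;
    esac
    if [ -f "$AUTH_FILE" ] && grep -q "^$user:" "$AUTH_FILE"; then
      echo "ERROR: User already exists" && exit 1
    else
      echo "Creating account for : $(GET name)"
      new_user_config
    fi ;;
  *\ key\ *)
    # Let user post new bug or message with crypted key (no gettext)
    #
    # The key is the per-user secret stored as KEY in account.conf.  It is
    # matched as a whole KEY= line (an unquoted substring match, possibly
    # with an empty key, used to be enough), and bug ids must be numeric.
    key="$(GET key)"
    id="$(GET bug)"
    header "Content-type: text/plain;"
    echo "Checking secure key..."
    conf=""
    case "$key" in
      ""|*[!0-9a-f]*) ;;
      *) conf=$(grep -l -- "^KEY=[\"']$key[\"']\$" "$PEOPLE"/*/account.conf 2>/dev/null | head -n 1) ;;
    esac
    if [ -n "$conf" ]; then
      . "$conf"
      echo "Authentified: $NAME ($USER)"
      case "$id" in
        *[!0-9]*) id="" ;;
      esac
      case " $(GET) " in
        *\ msg\ *)
          [ ! "$id" ] && echo "Missing bug ID" && exit 0
          [ -d "$bugdir/$id" ] || { echo "Unknown bug ID"; exit 0; }
          echo "Posting new message to bug: $id"
          echo "Message: $(GET msg)"
          new_msg ;;
        *\ bug\ *)
          echo "Adding new bug: $(GET bug)"
          echo "Description: $(GET desc)"
          new_bug ;;
      esac
    else
      echo "Not a valid SliTaz user key"
      exit 0
    fi ;;
  *\ search\ *)
    header
    html_header
    user_box
    cat << EOT
<h2>$(gettext "Search")</h2>
<form method="get" action="$WEB_URL">
<input type="text" name="search" />
<input type="submit" value="$(gettext 'Search')" />
</form>
<div>
EOT
    # The term is matched as a fixed string, HTML-escaped on output, and
    # escaped again before it becomes part of the sed highlighting
    # expression (it used to be spliced into the expression verbatim).
    # Matching lines are escaped too, and printed without file names.
    term=$(printf '%s' "$(GET search)" | tr -d '\r\n')
    term_html=$(printf '%s' "$term" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    term_re=$(printf '%s' "$term_html" | sed 's|[][\.*^$/]|\\&|g')
    term_rep=$(printf '%s' "$term_html" | sed 's|[\/&]|\\&|g')
    found=0
    for bug in "$bugdir"/*; do
      [ -d "$bug" ] || continue
      fgrep -qi -- "$term" "$bug"/* 2>/dev/null || continue
      found=$((found + 1))
      id=${bug##*/}
      echo "<p><strong>Bug $id</strong> <a href=\"?id=$id\">$(gettext 'Show')</a></p>"
      echo '<pre>'
      fgrep -hi -- "$term" "$bug"/* 2>/dev/null \
        | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g' \
        | sed "s/$term_re/<span class='ok'>$term_rep<\/span>/g"
      echo '</pre>'
    done
    # One notice when nothing matched (it used to be repeated for every
    # bug that did not match).
    if [ "$found" = 0 ]; then
      get_search=$term_html
      echo "<p>$(eval_gettext 'No result found for: $get_search')</p>"
    fi
    echo '</div>'
    html_footer ;;
  *)
    # Default page.
    bugs=$(ls -1 "$bugdir" 2>/dev/null | wc -l)
    # Count STATUS lines only, not every line that mentions the word.
    close=$(grep -l '^STATUS=.CLOSED' "$bugdir"/*/bug.conf 2>/dev/null | wc -l)
    fixme=$(grep -l '^STATUS=.OPEN' "$bugdir"/*/bug.conf 2>/dev/null | wc -l)
    msgs=$(find "$bugdir" -name 'msg.*' ! -size 0 2>/dev/null | wc -l)
    pct=0
    [ "$bugs" -gt 0 ] && pct=$(( (close * 100) / bugs ))
    header
    html_header
    user_box
    cat << EOT

<h2>$(gettext "Summary")</h2>

<p>
$(eval_ngettext 'Bug: $bugs in total -' 'Bugs: $bugs in total -' $bugs)
$(eval_ngettext '$close fixed -' '$close fixed -' $close)
$(eval_ngettext '$fixme to fix -' '$fixme to fix -' $fixme)
$(eval_ngettext '$msgs message' '$msgs messages' $msgs)
</p>

<div class="pctbar">
<div class="pct" style="width: ${pct}%;">${pct}%</div>
</div>

<p>$(gettext "Please read the <a href=\"?README\">README</a> for help and more \
information. You may also be interested by the SliTaz \
<a href=\"http://roadmap.slitaz.org/\">Roadmap</a> and the packages \
<a href=\"http://cook.slitaz.org/\">Cooker</a>. To perform a search \
enter your term and press ENTER.")
</p>

<div id="tools">
<a href="?closed">$(gettext 'View closed bugs')</a>
EOT
    if check_auth; then
      echo "<a href='?newbug'>$(gettext 'Create a new bug')</a>"
    fi
    cat << EOT
</div>
EOT
    list_bugs OPEN
    html_footer ;;
esac

exit 0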