--- loncom/interface/londocs.pm 2020/09/08 19:15:18 1.674 +++ loncom/interface/londocs.pm 2022/09/13 13:54:02 1.680 @@ -1,7 +1,7 @@ # The LearningOnline Network # Documents # -# $Id: londocs.pm,v 1.674 2020/09/08 19:15:18 raeburn Exp $ +# $Id: londocs.pm,v 1.680 2022/09/13 13:54:02 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -183,6 +183,45 @@ sub default_folderpath { } } +sub validate_folderpath { + my ($supplementalflag) = @_; + if ($env{'form.folderpath'} ne '') { + my @items = split(/\&/,$env{'form.folderpath'}); + my $badpath; + for (my $i=0; $i<@items; $i++) { + my $odd = $i%2; + if (($odd) && (!$supplementalflag) && ($items[$i] !~ /^[^:]*:(|\d+):(|1):(|1):(|1):(|1)$/)) { + $badpath = 1; + } elsif ((!$odd) && ($items[$i] !~ /^(default|supplemental)(|_\d+)$/)) { + $badpath = 1; + } + last if ($badpath); + } + if ($badpath) { + delete($env{'form.folderpath'}); + } + } + return; +} + +sub validate_suppath { + if ($env{'form.supppath'} ne '') { + my @items = split(/\&/,$env{'form.supppath'}); + my $badpath; + for (my $i=0; $i<@items; $i++) { + my $odd = $i%2; + if ((!$odd) && ($items[$i] !~ /^supplemental(|_\d+)$/)) { + $badpath = 1; + } + last if ($badpath); + } + if ($badpath) { + delete($env{'form.supppath'}); + } + } + return; +} + sub dumpcourse { my ($r) = @_; my $crstype = &Apache::loncommon::course_type(); @@ -833,26 +872,27 @@ sub group_import { } my $ext = 'false'; if ($url=~m{^http://} || $url=~m{^https://}) { $ext = 'true'; } - $name = &LONCAPA::map::qtunescape($name); - if ($name eq '') { - $name = &LONCAPA::map::qtunescape(&mt('Web Page')); - } if ($url =~ m{^/uploaded/$coursedom/$coursenum/((?:docs|supplemental)/(?:default|\d+))/new\.html$}) { my $filepath = $1; - my $fname = $name; - if ($fname =~ /^\W+$/) { + my $fname; + if ($name eq '') { + $name = &mt('Web Page'); $fname = 'web'; } else { - $fname =~ s/\W/_/g; - } - if (length($fname) > 15) { - $fname = substr($fname,0,14); + $fname = $name; + $fname=&Apache::lonnet::clean_filename($fname); + if ($fname eq '') { + $fname = 'web'; + } elsif (length($fname) > 15) { + $fname = substr($fname,0,14); + } } + my $title = &Apache::loncommon::cleanup_html($name); my $initialtext = &mt('Replace with your own content.'); my $newhtml = < -$name +$title $initialtext @@ -874,6 +914,7 @@ END return (&mt('Failed to save new web page.'),1); } } + $name = &LONCAPA::map::qtunescape($name); $url = &LONCAPA::map::qtunescape($url); $LONCAPA::map::resources[$residx] = join(':', ($name, $url, $ext, 'normal', 'res')); @@ -3927,7 +3968,7 @@ sub entryline { my $line=&Apache::loncommon::start_data_table_row(); my ($form_start,$form_end,$form_common,$form_param); # Edit commands - my ($esc_path, $path, $symb, $curralias); + my ($esc_path, $path, $symb, $shownsymb, $curralias); if ($env{'form.folderpath'}) { $esc_path=&escape($env{'form.folderpath'}); $path = &HTML::Entities::encode($env{'form.folderpath'},'<>&"'); @@ -4194,36 +4235,16 @@ END } elsif ($url eq "/public/$coursedom/$coursenum/syllabus") { if (($ENV{'SERVER_PORT'} == 443) && ($env{'course.'.$env{'request.course.id'}.'.externalsyllabus'} =~ m{^http://})) { - unless (&Apache::lonnet::uses_sts()) { + unless ((&Apache::lonnet::uses_sts()) || (&Apache::lonnet::waf_allssl($hostname))) { $url .= '?usehttp=1'; } $nomodal = 1; } } - if (&Apache::lonnet::symbverify($symb,$url)) { - my $shownsymb = $symb; - if ($isexternal) { - $url =~ s/\#[^#]+$//; - if ($container eq 'page') { - $url = &Apache::lonnet::clutter($url); - } - } - unless ($env{'request.role.adv'}) { - if ((&LONCAPA::map::getparameter($orderidx,'parameter_hiddenresource'))[0]=~/^yes$/i) { - $url = ''; - } - if (&Apache::lonnet::EXT('resource.0.hiddenresource',$symb) =~ /^yes$/i) { - $url = ''; - $hiddenres = 1; - } - } - if ($url ne '') { - $url.=(($url=~/\?/)?'&':'?').'symb='.&escape($shownsymb); - } - } elsif (!$env{'request.role.adv'}) { - my $checkencrypt; + my ($checkencrypt,$shownurl); + if (!$env{'request.role.adv'}) { if (((&LONCAPA::map::getparameter($orderidx,'parameter_encrypturl'))[0]=~/^yes$/i) || - $isencrypted || (&Apache::lonnet::EXT('resource.0.encrypturl',$symb) =~ /^yes$/i)) { + ($isencrypted) || (&Apache::lonnet::EXT('resource.0.encrypturl',$symb) =~ /^yes$/i)) { $checkencrypt = 1; } elsif (ref($navmapref)) { unless (ref($$navmapref)) { @@ -4231,26 +4252,43 @@ END } if (ref($$navmapref)) { if (lc($$navmapref->get_mapparam($symb,undef,"0.encrypturl")) eq 'yes') { - $checkencrypt = 1; + $checkencrypt = 1; } } } - if ($checkencrypt) { - my $shownsymb = &Apache::lonenc::encrypted($symb); - my $shownurl = &Apache::lonenc::encrypted($url); - if (&Apache::lonnet::symbverify($shownsymb,$shownurl)) { - $url = $shownurl.(($shownurl=~/\?/)?'&':'?').'symb='.&escape($shownsymb); - if ($env{'request.enc'} ne '') { - delete($env{'request.enc'}); - } - } else { - $url=''; - } + } + if ($checkencrypt) { + my $currenc = $env{'request.enc'}; + $env{'request.enc'} = 1; + $shownsymb = &Apache::lonenc::encrypted($symb); + $shownurl = &Apache::lonenc::encrypted($url); + if (&Apache::lonnet::symbverify($symb,$url)) { + $url = $shownurl; } else { - $url=''; + $url = ''; + } + $env{'request.enc'} = $currenc; + } elsif (&Apache::lonnet::symbverify($symb,$url)) { + $shownsymb = $symb; + if ($isexternal) { + $url =~ s/\#[^#]+$//; + if ($container eq 'page') { + $url = &Apache::lonnet::clutter($url); + } + } + $shownurl = $url; + } + unless ($env{'request.role.adv'}) { + if ((&LONCAPA::map::getparameter($orderidx,'parameter_hiddenresource'))[0]=~/^yes$/i) { + $url = ''; + } + if (&Apache::lonnet::EXT('resource.0.hiddenresource',$symb) =~ /^yes$/i) { + $url = ''; + $hiddenres = 1; } - } else { - $url=''; + } + if ($url ne '') { + $url = $shownurl.(($shownurl=~/\?/)?'&':'?').'symb='.&escape($shownsymb); } } } elsif ($supplementalflag) { @@ -4259,7 +4297,7 @@ END $url = $1; $anchor = $2; if (($url =~ m{^(|/adm/wrapper)/ext/(?!https:)}) && ($ENV{'SERVER_PORT'} == 443)) { - unless (&Apache::lonnet::uses_sts()) { + unless ((&Apache::lonnet::uses_sts()) || (&Apache::lonnet::waf_allssl($hostname))) { if ($hostname ne '') { $url = 'http://'.$hostname.$url; } @@ -4271,7 +4309,7 @@ END } elsif ($url =~ m{^\Q/public/$coursedom/$coursenum/syllabus\E}) { if (($ENV{'SERVER_PORT'} == 443) && ($env{'course.'.$env{'request.course.id'}.'.externalsyllabus'} =~ m{^http://})) { - unless (&Apache::lonnet::uses_sts()) { + unless ((&Apache::lonnet::uses_sts()) || (&Apache::lonnet::waf_allssl($hostname))) { if ($hostname ne '') { $url = 'http://'.$hostname.$url; } @@ -4410,7 +4448,7 @@ $form_end; &Apache::lonhtmlcommon::jump_to_editres($cfile,$home, $switchserver, $forceedit, - undef,$symb, + undef,$symb,$shownsymb, &escape($env{'form.folderpath'}), $renametitle,$hostname, '','',1,$suppanchor); @@ -5544,35 +5582,11 @@ sub handler { if ($env{'form.tools'}) { $toolsflag=1; } if ($env{'form.folderpath'} ne '') { - my @items = split(/\&/,$env{'form.folderpath'}); - my $badpath; - for (my $i=0; $i<@items; $i++) { - my $odd = $i%2; - if (($odd) && (!$supplementalflag) && ($items[$i] !~ /^[^:]*:(|\d+):(|1):(|1):(|1):(|1)$/)) { - $badpath = 1; - } elsif ((!$odd) && ($items[$i] !~ /^(default|supplemental)(|_\d+)$/)) { - $badpath = 1; - } - last if ($badpath); - } - if ($badpath) { - delete($env{'form.folderpath'}); - } + &validate_folderpath($supplementalflag); } if ($env{'form.supppath'} ne '') { - my @items = split(/\&/,$env{'form.supppath'}); - my $badpath; - for (my $i=0; $i<@items; $i++) { - my $odd = $i%2; - if ((!$odd) && ($items[$i] !~ /^supplemental(|_\d+)$/)) { - $badpath = 1; - } - last if ($badpath); - } - if ($badpath) { - delete($env{'form.supppath'}); - } + &validate_suppath(); } my $script=''; @@ -5631,6 +5645,9 @@ sub handler { } else { undef($env{'form.folderpath'}); } + if ($env{'form.folderpath'} ne '') { + &validate_folderpath($supplementalflag); + } } # If we are not allowed to make changes, all we can see are supplemental docs @@ -7304,7 +7321,7 @@ sub editing_js { if ($backtourl =~ m{^\Q/public/$coursedom/$coursenum/syllabus\E}) { if (($ENV{'SERVER_PORT'} == 443) && ($env{'course.'.$env{'request.course.id'}.'.externalsyllabus'} =~ m{^http://})) { - unless (&Apache::lonnet::uses_sts()) { + unless ((&Apache::lonnet::uses_sts()) || (&Apache::lonnet::waf_allssl($hostname))) { if ($hostname ne '') { $backtourl = 'http://'.$hostname.$backtourl; } @@ -7313,7 +7330,7 @@ sub editing_js { } } elsif ($backtourl =~ m{^/adm/wrapper/ext/(?!https:)}) { if (($ENV{'SERVER_PORT'} == 443) && ($hostname ne '')) { - unless (&Apache::lonnet::uses_sts()) { + unless ((&Apache::lonnet::uses_sts()) || (&Apache::lonnet::waf_allssl($hostname))) { if ($hostname ne '') { $backtourl = 'http://'.$hostname.$backtourl; } @@ -7359,7 +7376,7 @@ sub editing_js { function makenewfolder(targetform,folderseq) { var foldername=prompt('$js_lt{"p_mnf"}','$js_lt{"t_mnf"}'); if (foldername) { - targetform.importdetail.value=escape(foldername)+"="+folderseq; + targetform.importdetail.value=encodeURIComponent(foldername)+"="+folderseq; targetform.submit(); } } @@ -7367,7 +7384,7 @@ function makenewfolder(targetform,folder function makenewpage(targetform,folderseq) { var pagename=prompt('$js_lt{"p_mnp"}','$js_lt{"t_mnp"}'); if (pagename) { - targetform.importdetail.value=escape(pagename)+"="+folderseq; + targetform.importdetail.value=encodeURIComponent(pagename)+"="+folderseq; targetform.submit(); } } @@ -7376,7 +7393,7 @@ function makeexamupload() { var title=prompt('$js_lt{"p_mxu"}'); if (title) { this.document.forms.newexamupload.importdetail.value= - escape(title)+'=/res/lib/templates/examupload.problem'; + encodeURIComponent(title)+'=/res/lib/templates/examupload.problem'; this.document.forms.newexamupload.submit(); } } @@ -7385,7 +7402,7 @@ function makesmppage() { var title=prompt('$js_lt{"p_msp"}'); if (title) { this.document.forms.newsmppg.importdetail.value= - escape(title)+'=/adm/$udom/$uname/new/smppg'; + encodeURIComponent(title)+'=/adm/$udom/$uname/new/smppg'; this.document.forms.newsmppg.submit(); } } @@ -7400,7 +7417,7 @@ function makewebpage(type) { } if (title) { var webpage = formname.importdetail.value; - formname.importdetail.value = escape(title)+'='+webpage; + formname.importdetail.value = encodeURIComponent(title)+'='+webpage; formname.submit(); } } @@ -7409,7 +7426,7 @@ function makesmpproblem() { var title=prompt('$js_lt{"p_msb"}'); if (title) { this.document.forms.newsmpproblem.importdetail.value= - escape(title)+'=/res/lib/templates/simpleproblem.problem'; + encodeURIComponent(title)+'=/res/lib/templates/simpleproblem.problem'; this.document.forms.newsmpproblem.submit(); } } @@ -7418,7 +7435,7 @@ function makedropbox() { var title=prompt('$js_lt{"p_mdb"}'); if (title) { this.document.forms.newdropbox.importdetail.value= - escape(title)+'=/res/lib/templates/DropBox.problem'; + encodeURIComponent(title)+'=/res/lib/templates/DropBox.problem'; this.document.forms.newdropbox.submit(); } } @@ -7427,7 +7444,7 @@ function makebulboard() { var title=prompt('$js_lt{"p_mbb"}'); if (title) { this.document.forms.newbul.importdetail.value= - escape(title)+'=/adm/$udom/$uname/new/bulletinboard'; + encodeURIComponent(title)+'=/adm/$udom/$uname/new/bulletinboard'; this.document.forms.newbul.submit(); } } @@ -8551,7 +8568,7 @@ function validImportCrsRes() { url += fname; } var title = document.crsresimportform.crsrestitle.value; - document.crsresimportform.importdetail.value=escape(title)+'='+escape(url); + document.crsresimportform.importdetail.value=encodeURIComponent(title)+'='+encodeURIComponent(url); return true; }