s4

changeset 759:3f0ef9bb1776 feature-world

Merged with default
author HIROSE Yuuji <yuuji@gentei.org>
date Sun, 07 Jun 2020 06:15:13 +0900
parents 369602864de8 f9f88278f6a0
children d1f60cdc3e1a
files s4-funcs.sh
diffstat 4 files changed, 69 insertions(+), 50 deletions(-) [+]
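--- a/examples/sns/form/article.def	Sat Jun 06 16:33:23 2020 +0900
+++ b/examples/sns/form/article.def	Sun Jun 07 06:15:13 2020 +0900
@@ -1,5 +1,5 @@
 シリアル:id:p:serial:
-blogID:blogid:f:blog(id):
+blogID:blogid:pf:blog(id):
 筆者:author:s:author:
 時刻:ctime:s:stamp:
 参照元:parent:s:parent: 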
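--- a/mpsplit.pl	Sat Jun 06 16:33:23 2020 +0900
+++ b/mpsplit.pl	Sun Jun 07 06:15:13 2020 +0900
@@ -30,7 +30,7 @@
     if ($fn =~ /^([^\/]*)$/) {
       $fn = $1;
     }
-    $fn =~ s/ /_/g;
+    $fn =~ s/[ 	<>&\#'\"\&|*?]/_/g;
     $fn =~ s,.*[/\\],,;
     open(OUT, ">$dir/$fn");
       print OUT $body;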
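Review bot: The substitution added on `$fn` is a denylist, and it still passes the backtick, `$`, `;`, parentheses and control characters, so a stored upload name can keep characters that are special to a shell or to m4 if the name is reused later (that reuse is not visible in this hunk, so treat it as an assumption). A name that is `.`, `..` or empty after the path strip also reaches `open` unchanged. Consider widening the class, for example `$fn =~ s/[\x00-\x20\x7f<>&#'"|*?\$;()]/_/g;` with the backtick added as well, and rejecting `.`, `..` and the empty string before the `open`. The enclosing block starts and ends outside the hunk.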
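--- a/s4-blog.sh	Sat Jun 06 16:33:23 2020 +0900
+++ b/s4-blog.sh	Sun Jun 07 06:15:13 2020 +0900
@@ -94,8 +94,9 @@
   fi
   test -z "$emails" && return
   err notify: user=$user Admins=`getgroupadmins $blogowner` Mode=$mode Emails="[$emails]"
+  quotedowner=`echo $blogowner | nkf -jM | tr -d '\n"'`
   MAIL_FROM=$noreply_from \
-  SMAIL_TO="`echo "$blogowner" | nkf -jM | tr -d '\n'` readers <$noreply>" \
+  SMAIL_TO="\"$quotedowner\" readers <$noreply>" \
 	  smail "$emails" "${action}通知 $urlbase"<<EOF
 [$blogtitle]板に${action}がありました。
 ※※※このメイルには返信できません(返信は次のURLへ)※※※
@@ -413,7 +414,7 @@
 	cat<<EOF
 <tr id="$id">
 <td class="$tdcls">${picon}__EDIT__<a href="#$aid">#$aid</a>
-<a href="$hlink+$uid" title="${author%@*}">$uname</a>
+<a href="$hlink+$uid" title="${author%@*}">`echo $uname|htmlescape`</a>
 <span title="$tm">${reki:-$tm}</span>
 <__NOTIFY__></td>
 EOF
@@ -544,7 +545,7 @@
 }
 
 lshandout() {
-  # $1=rowid of blog
+  # $1=rowid of blog (numericalized in s4.cgi)
   blog_writable $1 $user
   rc=$?		# =0: writable, $BLOG_NOTMEM bit set => not member
   if [ $((rc & $BLOG_NOTMEM)) -gt 0 ] ; then
@@ -553,10 +554,11 @@
   time=`getvalbyid blog ctime $1|colrm 11`
   owner=`getvalbyid blog owner $1`
   title=`getvalbyid blog title $1`
-  ge=`gecos $owner`
+  ge=`gecos "$owner"`
+  htmlowner=`echo ${ge:-$owner}|htmlescape`
   fh=$tmpd/formhead
-  echo "$time [$title]@${ge:-$owner}" > $fh
-  lshandoutsub $owner "$@" \
+  echo "$time [$title]@$htmlowner" > $fh
+  lshandoutsub "$owner" "$@" \
       |_m4 -D_TITLE_="提出状況" \
 	   -D_FORMHEAD_="syscmd(cat $fh)" \
 	   -D_FORM_="syscmd(cat)" -D_DUMPHEAD_= -D_DUMPTABLE_= \
@@ -1058,15 +1060,16 @@
   kwd=`echo "$kwd"|htmlescape`
   owner=`getpar owner`
   owner=${owner:-$1}
+  grid=`getpar grid`
   msg=""
-  if [ -n "$owner" ]; then
+  if [ -n "$grid" ]; then
+    grp=`getgroupbyid "$grid"`
+    qgrp=`sqlquote "$grp"`
+    cond="WHERE key='owner' AND val=$qgrp"
+    msg="(`linkhome $grid` グループから)"
+  elif [ -n "$owner" ]; then
     cond="where key='owner' and val='$owner'"
-    if isuser $owner; then
-      msg="(`linkhome $owner` さんの記録から)"
-    else
-      linkhome $owner 1>&3
-      msg="(`linkhome $owner` グループから)"
-    fi
+    msg="(`linkhome $owner` さんの記録から)"
   elif { author=`getpar author`; test -n "$author"; }; then
     atptn=`sqlquotestr $author`
     #kc="$kc${kc:+ AND }author=$atptn"
@@ -1154,7 +1157,7 @@
 }
 listblog() (
   # $1={user,group}
-  qow=`sqlquote $1`
+  qow=`sqlquote "$1"`
   cond="where a.id in (select id from blog_s where key='owner' and val=$qow) order by ctime desc"
   cgi_form searchart<<EOF
 <label>`cgi_text kwd`という語を含む記事をこの一覧から検索</label>
@@ -1165,7 +1168,7 @@
 )
 
 blog_addentry() {
-  # $1=GRPname(if it is a group)
+  # $1=GRProwID(if it is a group)
   grprowid=`numericalize $1`
   rowid=`getpar rowid`
   ## err blog_addentry0: rowid=$rowid
@@ -1174,9 +1177,14 @@
   else
     owner=`getpar owner`
   fi
+  htmlowner=`echo $owner|htmlescape`
   err blog-add: \$1=$grprowid rowid=$rowid owner=$owner
   if isgroup "$owner"; then
-    groupmode=1 listing=$owner guide="[${owner}]" GF_OWNER=$owner
+    if [ -z "$grprowid" ]; then
+      qgrp=`sqlquote "$owner"`	# Inefficient...
+      grprowid=`query "SELECT rowid FROM grp WHERE gname=$qgrp;"`
+    fi
+    groupmode=1 listing=$owner guide="[`linkhome $grprowid`]" GF_OWNER=$owner
   else
     usermode=1 listing=$user guide="[個人]"
   fi
@@ -1215,7 +1223,7 @@
     fi
   fi
   echo "${guide}新規話題作成"	> $tmpd/title.$$
-  listblog $listing		> $tmpd/listblog.$$
+  listblog "$listing"		> $tmpd/listblog.$$
   genform $formdir/blog.def \
       | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \
 	    -D_FORMHEAD_="序文は簡単に詳しくはコメントに" \
@@ -1235,6 +1243,7 @@
   fi
   title=`getvalbyid blog title $rowid`
   owner=`getvalbyid blog owner $rowid`
+  htmlowner=`echo $owner|htmlescape`
   qowner=`sqlquotestr "$owner"`
   if [ -z "$title" ]; then
     echo "日記番号指定が無効です。" | html p
@@ -1256,7 +1265,7 @@
   else
     grprowid=`query "select rowid from grp where gname=$qowner;"`
     subtitle="グループ
-     <a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$owner</a> での話題
+     <a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$htmlowner</a> での話題
     	`query \"SELECT printf('(チーム:%s)', val)\
 		 FROM blog_s
 		 WHERE id=(SELECT id FROM blog WHERE rowid=$rowid)
@@ -1276,7 +1285,7 @@
 	  blog_notify_reply $rowid $user "$text" $act
 	if [ -n "$grprowid" ]; then
 	  qgrp=$(sqlquote "$owner")
-	  dbsetbyid grp $owner wtime "`date '+%F %T'`"
+	  dbsetbyid grp "$owner" wtime "`date '+%F %T'`"
 	else
 	  dbsetbyid user "$user" wtime "`date '+%F %T'`"
 	fi
@@ -1291,7 +1300,7 @@
     fi
   fi
   def=$formdir/article.def
-  echo "$title" > $tmpd/title.$$
+  echo "$title" | htmlescape > $tmpd/title.$$
   echo "$subtitle$frozen_flag" > $tmpd/subtitle.$$
   ${BLOG_SHOW:-blog_showentry} blog $rowid \
       | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \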
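Review bot: In the `@@ -1058,15 +1060,16 @@` hunk the `owner` branch still puts the parameter into the query unquoted, `cond="where key='owner' and val='$owner'"`, while the new `grid` branch next to it goes through `sqlquote`. `$owner` is read with `getpar owner` a few lines earlier and nothing visible validates it, so a value containing a single quote changes the SQL text. Build it the same way as the new branch: `cond="where key='owner' and val=$(sqlquote "$owner")"`. The new `grid` value is likewise handed to `getgroupbyid` and to an unquoted `linkhome $grid` without `numericalize`, which `blog_addentry` already applies to its row id. The enclosing function starts and ends outside the hunk.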
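--- a/s4-funcs.sh	Sat Jun 06 16:33:23 2020 +0900
+++ b/s4-funcs.sh	Sun Jun 07 06:15:13 2020 +0900
@@ -68,6 +68,8 @@
 blogreadflagrowid=0
 blogcutoffflagrowid=-1
 whatsnewdays=${WHATS_NEW_DAYS:-14}
+main_session=`date +%F-$$`
+session=$main_session
 
 tconfs=""
 imgcached=cache/img.`date +%Y/%m`
@@ -573,15 +575,18 @@
   [ -n "`query $sql`" ] || return 2
 }
 linkhome() {
-  # $1=UserOrGroup
-  echo -n '<a href="?'
+  # $1=UserOrGroupRowid
+  echo -n "<a href=\"$myname?"
   if isuser $1; then
     err "select 'home+'||rowid from user where name='$1';"
     query "select 'home+'||rowid from user where name='$1';"
+    name=`gecos $1|htmlescape`
   else
+    _grid=`numericalize "$1"`
     echo -n "grp+$1"
+    name=`query "SELECT gname FROM grp WHERE rowid=$_grid;"|htmlescape`
   fi
-  echo  "\">`gecos $1`</a>"
+  echo  "\">$name</a>"
 }
 hreflink() {
   # s4 specific notation:
@@ -704,10 +709,12 @@
 )
 setpar() {
   # 2020/5/14 Add dirty code to cache essential params
-  case "$1" in
-    user)	_user="$v" ;;
-    skey)	_skey="$v" ;;
-  esac
+  if [ x"$session" = x"$main_session" ]; then
+    case "$1" in
+      user)	_user="$v" ;;
+      skey)	_skey="$v" ;;
+    esac
+  fi
   query "replace into par values('$session', '$1', '$2', \"$3\");"
 }
 replpar() {
@@ -716,7 +723,7 @@
 getpar() {
   # err GETPAR=$1, _user=$_user
   val=""
-  if false; then	# 2020/6/3 Temporary disabled for joingrp()
+  if [ x"$session" = x"$main_session" ]; then
     case "$1" in	# Dirty cache mechanism for high-load average
       user)	val=$_user ;;
       skey)	val=$_skey ;;
@@ -1054,7 +1061,8 @@
 }
 htmlescape() {
   sed -e 's/\&/\&amp;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" \
-      -e "s/</\&lt;/g; s/>/\&gt;/g" -e 's/`/\&#096;/g' -e 's/(/\&#040;/g'
+      -e "s/</\&lt;/g; s/>/\&gt;/g" -e 's/`/\&#096;/g' -e 's/(/\&#040;/g' \
+      -e 's/`/\&#96/'
 }
 enascii() {
   if [ -z "$enascii" ]; then
@@ -1262,8 +1270,11 @@
   rcptheader=`echo $1|tr ' ' '\n'|sort -u|sed '2,$s/^/To: /g'`
   subj=`echo $2|nkf -jM|tr -d '\n'`
   sender=${SENDER:-$admin}
+  # Do not call m4 with directly passing text
+  _r=$tmpd/rcpt
+  echo -n "${SMAIL_TO:-$rcptheader}" > $_r
   replyto=${REPLYTO:+"Reply-to: $REPLYTO$LF"}
-  (_m4 -D_RCPT_="${SMAIL_TO:-$rcptheader}" -D_REPLYTO_="$replyto" -D_SUBJ_="\`$subj'" -D_FROM_="$from" $msgdir/mail-header.m4
+  (_m4 -D_RCPT_="spaste(\`$_r')" -D_REPLYTO_="$replyto" -D_SUBJ_="\`$subj'" -D_FROM_="$from" $msgdir/mail-header.m4
    cat $3 | nkf -jd ) | sendmail -f $sender $rcpt
 }
 smail_queue_flush() {
@@ -1293,7 +1304,6 @@
 	       ORDER by time;
 	EOF
       then
-	echo rowid=$rid
 	cat <<-EOF | sq $workdb 
 	DELETE FROM smailq
 	       WHERE rcpts=(SELECT rcpts FROM smailq WHERE rowid=$rid)
@@ -1442,7 +1452,6 @@
 
 
 cgiinit() {
-  session=`date +%F-$$`
   tmpd=`tmpd=$tmpdir mktempd`
   tmpf=$tmpd/stream.$$
   tmpfiles=$tmpfiles" $tmpd"
@@ -1952,7 +1961,7 @@
 }
 
 search_form() {
-  # $1		 = { author=<AUTHOR> | grp=<GROUP> }
+  # $1		 = { author=<AUTHOR> | grid=<GroupRowid> }
   # $2(optional) = pre-input keywords
   help="(1)空白区切りの単語で本文検索
 (2)@YYYY-MM-DD 日付け(シェルパターン可)で日付け検索
@@ -1974,10 +1983,9 @@
       placeholder="このユーザの書込検索"
       help="★★ $g さんの書き込みから検索します$nl$help"
       ;;
-    grp=*)
-      a=`echo "${1#grp=}"|htmlescape`
-      g=`gecos ${1#grp=}`
-      auth="<input type=\"hidden\" name=\"owner\" value=\"$a\">"
+    grid=*)
+      a=`echo "${1#grid=}"`; a=$((0 + $a))
+      auth="<input type=\"hidden\" name=\"grid\" value=\"$a\">"
       placeholder="このグループからの検索"
       ;;
   esac
@@ -2303,7 +2311,8 @@
   # $1=icon-file, $2=Href $3=title $4...=anchor
   src=$1
   href=$2; title=$3; shift 3
-  echo "<a href=\"$href\"><img title=\"$title\" src=\"$src\">$@</a>"
+  anchor=`echo $@|htmlescape`
+  echo "<a href=\"$href\"><img title=\"$title\" src=\"$src\">$anchor</a>"
 )
 listentry() (
   # $1=user/group $2=SearchKeyword $3=condition(if any) $4=grprowid(if in grp)
@@ -2496,6 +2505,7 @@
     # err newlnk=$lnk regmode=$regmode
     icondir=$dir/$id
     # Pick up only last icon
+    htmlname=`echo $name|htmlescape`
     echo "<div class=\"iconlist xy$thumbxy $type $ownerp\">
 	<p class=\"tag _$tag\">$tag</p>" \
 	| _m4 $tagconv
@@ -2523,7 +2533,7 @@
 	iconhref2 "$dir/$deficon" "$hrb+$lnk" "$gecos"
       fi
     fi
-    echo "<br>$name${ownerp:+<br>($ownerp)}"
+    echo "<br>$htmlname${ownerp:+<br>($ownerp)}"
     echo "</div>"
   done
   echo "</div>"					# End of List-entry div
@@ -2564,7 +2574,7 @@
       ismember="" # bodyclass="group"
     fi
     bodyclass="$bodyclass grouphome"
-    echo "<div class=\"search\">`search_form grp=\"$htmlgrp\"`</div>"> $sf
+    echo "<div class=\"search\">`search_form grid=\"$grid\"`</div>"> $sf
     echo "グループ $htmlgrp" > $tf
 
     showgroupsub $formdir/grp.def "$grid" | \
@@ -2729,6 +2739,7 @@
   err GRP_ACTION:IN
   grid=${1:-`getpar grp`}
   grp=`getgroupbyid "$grid"`
+  htmlgrp=`echo "$grp" | htmlescape`
   myuid=`query "SELECT rowid FROM user WHERE name='$user';"`
   if [ -z "$grp" ]; then
     echo "無効な指定です。" | html p; return
@@ -2736,7 +2747,7 @@
   if ! ismember $user "$grp"; then
     echo "加入者のみに許可された操作です。" | html p; return
   fi
-  echo "グループ $grp 個別選択操作" \
+  echo "グループ $grp 個別選択操作"  \
       | _m4 -D_TITLE_="syscmd(\`cat')" \
 	    -D_BODYCLASS_="`grp_getbodyclass \"$grp\"`" \
 	    $layout/html.m4.html
@@ -2944,7 +2955,7 @@
 	ORDER BY gecos;"
   ## err grpaction: "`echo \"$sql\"`"
   tf=$tmpd/title.$$
-  echo "グループ[<a href=\"?grp+$grid\">$grp</a>]参加メンバーに対する操作" > $tf
+  echo "グループ[<a href=\"?grp+$grid\">$htmlgrp</a>]参加メンバーに対する操作" > $tf
   cmmsg="`cgi_radio rm commission id=\"cmadmin\"`<label accesskey=\"f\"
  title=\"Shortcut: f${nl}Add to Administrator of the Group\"
  for=\"cmadmin\">管理者委任</label>
@@ -3027,7 +3038,7 @@
 ${isowner:+$cmmsg$excmsg}
 `cgi_radio rm close id="x"`<label for="x" accesskey="x">×</label>
 </div>
-<h4>$grp 参加者一覧</h4>$fromtonote
+<h4>$htmlgrp 参加者一覧</h4>$fromtonote
 <table class="td2r thl">
 `sq $db -header -html "$sql"`
 </table>
@@ -3261,11 +3272,11 @@
     return
   fi
   grp=`getgroupbyid $rowid`
-  members=`collectemail $grp`
+  members=`collectemail "$grp"`
   myuid=`query "SELECT rowid FROM user WHERE name='$user';"`
   mailfrom=`email4groupbyuid "$grp" "$myuid" | sed -e 1q -e 's/[ ,].*//'`
   mailfrom="`gecos "$user"` <$mailfrom>"
-  sj="グループ $grp 宛メッセージ(from `gecos $user`)"
+  sj="グループ「$grp」宛メッセージ(from `gecos $user`)"
   msg=$(cat<<-EOF
 	$urlbase?grp+$rowid
 	グループ $grp に所属する
@@ -3280,7 +3291,6 @@
       MAIL_FROM=$mailfrom \
 	       SENDER=$noreply \
 	       REPLYTO=$mailfrom \
-	       SMAIL_TO="`echo "$grp" | nkf -jM | tr -d '\n'` readers <$m>" \
 	       smail "$m" "$sj"
   done
   cat<<EOF
@@ -3296,7 +3306,7 @@
   if [ -z "$2" ]; then
     echo "bye bye" | html p; return
   fi
-  t_usr=`session=$2 getpar user`
+  t_usr=`session=$2 getpar adduser`
   t_grp=`session=$2 getpar group`
   ## err joingrpadmit: t_usr=$t_usr, t_grp=$t_grp
   _m4 -D_TITLE_="joingrp" $layout/html.m4.html
@@ -3334,7 +3344,7 @@
   jss="joingrp-`date +%s`-`genrandom 12`"
   addsession $jss +${memoplimitdays}days
   query "replace into par values('$jss', 'group', 'string', `sqlquote \"$1\"`),
-('$jss', 'user', 'string', `sqlquote \"$user\"`);"
+('$jss', 'adduser', 'string', `sqlquote \"$user\"`);"
   smail "$(collectemail `getgroupadmins $1`)" "Join request to $1"<<EOF
 $url
 $user さんから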
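Review bot: In `linkhome` the group branch normalises its argument into `_grid` with `numericalize`, but the link target is still written from the raw value by `echo -n "grp+$1"`, so a non-numeric `$1` reaches the `href` attribute unescaped. At least one caller in s4-blog.sh passes `getpar grid` straight in, which looks request-controlled, though that is not confirmed by the visible lines. Emit the normalised value instead, `echo -n "grp+$_grid"`, and return before the `SELECT gname FROM grp WHERE rowid=$_grid;` query when `$_grid` is empty. The user branch has the same exposure on the SQL side, since `name='$1'` is interpolated without `sqlquote`.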