Fossil

Check-in [600accbe]

Overview
Comment:Make sure the TH1 interp is available before trying to use it.
SHA3-256:600accbec3aeff10fee269a0957cf68c8f81e19f6fb0badd088f87b54b8a2d20
User & Date: mistachkin 2019-02-17 07:47:43
Context
2019-02-18
19:09
When rendering the default header via TH1, allow the default Content-Security-Policy content to be overridden via the 'default_csp' variable. Also, add the 'nonce' command to TH1. check-in: 8a65cd18 user: mistachkin tags: trunk
2019-02-17
07:47
Make sure the TH1 interp is available before trying to use it. Closed-Leaf check-in: 600accbe user: mistachkin tags: dynamicCsp
07:16
Add the 'nonce' command to TH1. Improve clarity of the 'default_csp' variable handling and add comments. check-in: 68e6b07e user: mistachkin tags: dynamicCsp
Changes

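--- a/src/style.c
+++ b/src/style.c
@@ -408,22 +408,20 @@
 static void style_init_th1_vars(const char *zTitle){
   const char *zNonce = style_nonce();
   /*
   ** Do not overwrite the TH1 variable "default_csp" if it exists, as this
   ** allows it to be properly overridden via the TH1 setup script (i.e. it
   ** is evaluated before the header is rendered).
   */
-  if( !Th_ExistsVar(g.interp, "default_csp", -1) ){
-    char *zDfltCsp = sqlite3_mprintf("default-src 'self' data: ; "
-                                     "script-src 'self' 'nonce-%s' ; "
-                                     "style-src 'self' 'unsafe-inline'",
-                                     zNonce);
-    Th_Store("default_csp", zDfltCsp);
-    sqlite3_free(zDfltCsp);
-  }
+  char *zDfltCsp = sqlite3_mprintf("default-src 'self' data: ; "
+                                   "script-src 'self' 'nonce-%s' ; "
+                                   "style-src 'self' 'unsafe-inline'",
+                                   zNonce);
+  Th_MaybeStore("default_csp", zDfltCsp);
+  sqlite3_free(zDfltCsp);
   Th_Store("nonce", zNonce);
   Th_Store("project_name", db_get("project-name","Unnamed Fossil Project"));
   Th_Store("project_description", db_get("project-description",""));
   if( zTitle ) Th_Store("title", zTitle);
   Th_Store("baseurl", g.zBaseURL);
   Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL);
   Th_Store("home", g.zTop);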
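Review bot: If `sqlite3_mprintf()` returns NULL, `Th_MaybeStore("default_csp", zDfltCsp)` silently stores nothing, because it only acts on a non-NULL `zValue`, so `default_csp` stays unset with no record that the policy was dropped. Whether the header is then emitted without a Content-Security-Policy depends on the header template, which this hunk does not show. A guard such as `if( zDfltCsp==0 ) fossil_fatal("out of memory");` before the store would make the page fail closed instead. The comment above the allocation also describes a check that has moved into `Th_MaybeStore`; something like `/* Th_MaybeStore() leaves "default_csp" untouched when the TH1 setup script already defined it. */` would keep it accurate. The body of `style_init_th1_vars` continues past the end of the hunk.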

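--- a/src/th_main.c
+++ b/src/th_main.c
@@ -2123,14 +2123,28 @@
       Th_Trace("th1-setup {%h} => %h<br />\n", g.th1Setup,
                Th_ReturnCodeName(rc, 0));
     }
   }
   g.th1Flags &= ~TH_INIT_MASK;
   g.th1Flags |= (flags & TH_INIT_MASK);
 }
+
+/*
+** Store a string value in a variable in the interpreter if the variable
+** does not already exist.
+*/
+void Th_MaybeStore(const char *zName, const char *zValue){
+  Th_FossilInit(TH_INIT_DEFAULT);
+  if( zValue && !Th_ExistsVar(g.interp, zName, -1) ){
+    if( g.thTrace ){
+      Th_Trace("maybe_set %h {%h}<br />\n", zName, zValue);
+    }
+    Th_SetVar(g.interp, zName, -1, zValue, strlen(zValue));
+  }
+}
 
 /*
 ** Store a string value in a variable in the interpreter.
 */
 void Th_Store(const char *zName, const char *zValue){
   Th_FossilInit(TH_INIT_DEFAULT);
   if( zValue ){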
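Review bot: The header comment on `Th_MaybeStore` leaves out the two things a caller needs to know: why the existence test lives inside the helper, and what may be stored through it. I would add `** Th_FossilInit() runs first so that g.interp is valid and any th1-setup script has already had the chance to define zName.` (the th1-setup trace at the top of this hunk presumably belongs to that init routine, whose start is outside the hunk). The comment should also say that whatever TH1 code set the variable earlier wins over the C-side value, so the helper is only for settings an administrator may override, such as `default_csp`, and not for values the C code must control, such as `nonce`. When the variable already exists nothing is traced, so an `else` branch that logs the skip under `g.thTrace` would make an overridden CSP visible during debugging.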