diff --git a/contrib/enable_webschleuder.rb b/contrib/enable_webschleuder.rb
old mode 100644
new mode 100755
index 32e20c6..f72dd94
--- a/contrib/enable_webschleuder.rb
+++ b/contrib/enable_webschleuder.rb
@@ -40,17 +40,18 @@ class EnableWebschleuder
def self.usage
puts "Usage:
-#{File.basename($0)} listname password (-encrypted) (-override)"
+#{File.basename($0)} listname [-encrypted] [-override]"
exit 1
end
end
listname = ARGV.shift
-password = ARGV.shift
-EnableWebschleuder.usage unless listname and password
+EnableWebschleuder.usage unless listname
encrypted = override = false
while nextarg = ARGV.shift
encrypted = (nextarg == '-encrypted') unless encrypted
override = (nextarg == '-override') unless override
end
-EnableWebschleuder.enable(listname,password,encrypted,override)
+print "Password for list" + listname + '' if STDIN.fcntl(Fcntl::F_GETFL, 0) != 0
+password = gets
+EnableWebschleuder.enable(listname,password.chomp,encrypted,override)
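Review bot: `password = gets` returns nil when stdin is closed or empty, so `password.chomp` on the last added line raises NoMethodError instead of printing the usage text; add `EnableWebschleuder.usage unless password` before the call. The prompt condition `STDIN.fcntl(Fcntl::F_GETFL, 0) != 0` tests the descriptor's status flags, not whether stdin is a terminal, and no `require 'fcntl'` is visible in this hunk; `STDIN.tty?` states the intent directly. A password typed interactively is still echoed to the screen; if the targeted Ruby ships `io/console`, `password = STDIN.tty? ? STDIN.noecho(&:gets) : STDIN.gets` avoids that. The prompt text also needs spaces around the list name, e.g. `"Password for list #{listname}: "`.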
diff --git a/webschleuder.rb b/webschleuder.rb
index c90db2f..6259836 100755
--- a/webschleuder.rb
+++ b/webschleuder.rb
@@ -23,8 +23,8 @@ require 'webschleuder/errors'
module Webschleuder
- set :secret, Webschleuder::Models::WebConfig.loadconfig.session_secret
include Camping::Session
+ secret Webschleuder::Models::WebConfig.loadconfig.session_secret
def r404(path)
"Sorry, but I can't find #{path}."
diff --git a/webschleuder/controllers.rb b/webschleuder/controllers.rb
index c84348c..4e85625 100755
--- a/webschleuder/controllers.rb
+++ b/webschleuder/controllers.rb
@@ -21,7 +21,7 @@ module Webschleuder::Controllers
end
end
- class Login < R '/([^/]*)/login'
+ class Login < R '/schleuder/([^/]*)/login'
def get(listname)
prepare
@myself = self
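Review bot: The `/schleuder` prefix is now hard-coded in every route pattern of this file (Login here, then Logout, ListIndex, Index, Users, Listconfig, Keys and Password in the hunks below) and again in the `gsub` in `webschleuder/helpers.rb`, so all of these must be edited together if the mount point ever changes. Consider defining it once, for example `PREFIX = '/schleuder'`, and building the patterns from it as in `R "#{PREFIX}/([^/]*)/login"`. A one-line comment above the first route saying that the application expects to be served under this prefix would also help. The Login class continues outside the hunk.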
@@ -48,7 +48,7 @@ module Webschleuder::Controllers
end
end
- class Logout < R '/([^/]*)/logout'
+ class Logout < R '/schleuder/([^/]*)/logout'
def get(listname)
return unless authenticate
$list = nil
@@ -60,7 +60,7 @@ module Webschleuder::Controllers
end
end
- class ListIndex < R '/([^/?]+)'
+ class ListIndex < R '/schleuder/([^/?]+)'
def get(listname)
return unless authenticate
@myself = self
@@ -69,7 +69,7 @@ module Webschleuder::Controllers
end
end
- class Index < R '/'
+ class Index < R '/schleuder/'
def get()
prepare
# catch get-params from startpage-jumpform
@@ -83,7 +83,7 @@ module Webschleuder::Controllers
end
end
- class Users < R '/([^/]*)/users'
+ class Users < R '/schleuder/([^/]*)/users'
def get(listname)
return unless authenticate
@users = User.loadusers
@@ -123,7 +123,7 @@ module Webschleuder::Controllers
end
end
- class Listconfig < R '/([^/]*)/listconfig'
+ class Listconfig < R '/schleuder/([^/]*)/listconfig'
def get(listname)
return unless authenticate
@config = SchleuderConfig.loadlistconfig
@@ -162,7 +162,7 @@ module Webschleuder::Controllers
end
end
- class Keys < R '/([^/]*)/keys', '/([^/]*)/keys/([^/]*)', '/([^/]*)/keys/([^/]*)/(.*)'
+ class Keys < R '/schleuder/([^/]*)/keys', '/schleuder/([^/]*)/keys/([^/]*)', '/schleuder/([^/]*)/keys/([^/]*)/(.*)'
def get(listname, action=nil, keyid=nil)
return unless authenticate
case action
@@ -238,7 +238,7 @@ module Webschleuder::Controllers
end
end
- class Password < R '/([^/]*)/password'
+ class Password < R '/schleuder/([^/]*)/password'
def get(listname)
return unless authenticate
diff --git a/webschleuder/helpers.rb b/webschleuder/helpers.rb
index 3aafedc..2f619cd 100755
--- a/webschleuder/helpers.rb
+++ b/webschleuder/helpers.rb
@@ -1,3 +1,4 @@
+require "rack/utils"
module Webschleuder::Helpers
def prepare
@@ -7,16 +8,14 @@ module Webschleuder::Helpers
# TODO: further input parsing (against XSS etc.)
#
# what does the request look like?
- request = @env['REQUEST_URI'].split('/')
- # throw away first element as it is empty
- request.shift
+ request = @env['REQUEST_URI'].gsub(/^\/schleuder\//,'').split('/')
$appconf = Webschleuder::Models::SchleuderConfig.loadconfig
$webappconf = Webschleuder::Models::WebConfig.loadconfig
@state.flash = {:info => [], :error => []} unless @state.flash.is_a?Hash
- listname = request.first || ''
+ listname = Rack::Utils.unescape(request.first || '')
listdir = File.join($appconf.lists_dir, listname)
if !listname.empty? and File.directory?(listdir)
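Review bot: `listname` is now percent-decoded by `Rack::Utils.unescape` and passed straight to `File.join($appconf.lists_dir, listname)`, so the decoded value can contain path separators or dot segments that the earlier `split('/')` no longer filters, and `listdir` may then resolve outside `lists_dir`. Reject such names before the join, for example `listname = '' if listname.include?('/') || %w[. ..].include?(listname)`, or check that `File.expand_path(listdir)` still starts with the expanded `lists_dir`. `REQUEST_URI` may also carry a query string, which this split would leave attached to the first segment. In the new `gsub`, `\A` would be the stricter anchor than `^`. The body of `prepare` continues outside the hunk.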
diff --git a/webschleuder/webschleuder_config.rb b/webschleuder/webschleuder_config.rb
index 08f595b..b89004f 100644
--- a/webschleuder/webschleuder_config.rb
+++ b/webschleuder/webschleuder_config.rb
@@ -47,7 +47,7 @@ module Webschleuder
private
def _write(data,filename)
- if File.open(filename, 'w') { |f| f << data }
+ if File.open(filename, File::WRONLY|File::CREAT, 0600) { |f| f << data }
true
else
false
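Review bot: The new open flags `File::WRONLY|File::CREAT` drop the truncation that mode `'w'` implied, so writing data shorter than the existing file leaves the old tail in place and can corrupt the config; use `File.open(filename, File::WRONLY|File::CREAT|File::TRUNC, 0600)`. The `0600` permission is applied only when the file is created, so a config file that already exists keeps its previous, possibly wider, mode; adding `f.chmod(0600)` inside the block before `f << data` covers that case. `_write` continues outside the hunk.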