| 1 |
diff --git a/wwwroot/cgi-bin/awredir.pl b/wwwroot/cgi-bin/awredir.pl |
| 2 |
index 35ee82d..f1e4cd2 100755 |
| 3 |
--- a/wwwroot/cgi-bin/awredir.pl |
| 4 |
+++ b/wwwroot/cgi-bin/awredir.pl |
| 5 |
@@ -8,6 +8,8 @@ |
| 6 |
|
| 7 |
#use DBD::mysql; |
| 8 |
use Digest::MD5 qw(md5 md5_hex md5_base64); |
| 9 |
+use HTML::Entities; |
| 10 |
+use URI::Escape; |
| 11 |
|
| 12 |
|
| 13 |
#------------------------------------------------------- |
| 14 |
@@ -116,26 +118,27 @@ if ($ENV{QUERY_STRING} =~ /tag=\"?([^\"&]+)\"?/) { $Tag=$1; } |
| 15 |
|
| 16 |
$Key='NOKEY'; |
| 17 |
if ($ENV{QUERY_STRING} =~ /key=\"?([^\"&]+)\"?/) { $Key=$1; } |
| 18 |
+$KeyEncoded=HTML::Entities::encode($Key); |
| 19 |
|
| 20 |
# Extract url to redirect to |
| 21 |
$Url=$ENV{QUERY_STRING}; |
| 22 |
if ($Url =~ /url=\"([^\"]+)\"/) { $Url=$1; } |
| 23 |
elsif ($Url =~ /url=(.+)$/) { $Url=$1; } |
| 24 |
$Url = DecodeEncodedString($Url); |
| 25 |
-$UrlParam=$Url; |
| 26 |
+$UrlEncoded=HTML::Entities::encode($Url); |
| 27 |
|
| 28 |
-if (! $UrlParam) { |
| 29 |
+if (! $Url) { |
| 30 |
error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:<br><i>/cgi-bin/$PROG.pl?url=http://urltogo</i>"); |
| 31 |
} |
| 32 |
|
| 33 |
+if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$Url))) { |
| 34 |
+# error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlEncoded." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlEncoded) ); |
| 35 |
+ error("Error: Bad value for parameter key=".$KeyEncoded." to allow a redirect to ".$UrlEncoded.". Key must be hexadecimal md5(KEYFORMD5.".$UrlEncoded.") where KEYFORMD5 is value hardcoded into awredir.pl. Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl"); |
| 36 |
+} |
| 37 |
+ |
| 38 |
if ($Url !~ /^http/i) { $Url = "http://".$Url; } |
| 39 |
if ($DEBUG) { print LOGFILE "Url=$Url\n"; } |
| 40 |
|
| 41 |
-if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$UrlParam))) { |
| 42 |
-# error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlParam) ); |
| 43 |
- error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam.". Key must be hexadecimal md5(KEYFORMD5.".$UrlParam.") where KEYFORMD5 is value hardcoded into awredir.pl. Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl"); |
| 44 |
-} |
| 45 |
- |
| 46 |
|
| 47 |
# Get date |
| 48 |
($nowsec,$nowmin,$nowhour,$nowday,$nowmonth,$nowyear,$nowwday,$nowyday,$nowisdst) = localtime(time); |
| 49 |
@@ -151,14 +154,17 @@ if ($TRACEBASE == 1) { |
| 50 |
if ($ENV{REMOTE_ADDR} !~ /$EXCLUDEIP/) { |
| 51 |
if ($DEBUG == 1) { print LOGFILE "Execution requete Update sur BASE=$BASE, USER=$USER, PASS=$PASS\n"; } |
| 52 |
my $dbh = DBI->connect("DBI:mysql:$BASE", $USER, $PASS) || die "Can't connect to DBI:mysql:$BASE: $dbh->errstr\n"; |
| 53 |
- my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = '$Url'"); |
| 54 |
- $sth->execute || error("Error: Unable execute query:$dbh->err, $dbh->errstr"); |
| 55 |
+ my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = ?"); |
| 56 |
+ $sth->execute($Url) || error("Error: Unable execute query:$dbh->err, $dbh->errstr"); |
| 57 |
$sth->finish; |
| 58 |
$dbh->disconnect; |
| 59 |
if ($DEBUG == 1) { print LOGFILE "Execution requete Update - OK\n"; } |
| 60 |
} |
| 61 |
} |
| 62 |
|
| 63 |
+$Url=uri_escape($Url, "^A-Za-z0-9\-\._~/:"); |
| 64 |
+$Tag=uri_escape($Tag); |
| 65 |
+ |
| 66 |
if ($TRACEFILE == 1) { |
| 67 |
if ($ENV{REMOTE_ADDR} !~ /$EXCLUDEIP/) { |
| 68 |
open(FICHIER,">>$TXTDIR/$TXTFILE") || error("Error: Enable to open trace file $TXTDIR/$TXTFILE: $!"); |
Parent Directory
| 
Revision Log