Commit 86602b53 authored by Gary Wong

Fix ProtoGENI slice history page to return plain text manifest page.

The old approach included the manifests directly in the HTML, which
caused two problems: (1) any manifest XML element that isn't valid HTML
could get modified by the browser; (2) a malicious user could insert
arbitrary HTML to be executed by an admin's browser when visiting the
user's manifest.
parent 0e33660b
<?php
#
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
# Copyright (c) 2000-2015 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -83,13 +83,6 @@ if ($ISCLRHOUSE) {
}
echo "</form>\n";
function GeneratePopupDiv($id, $text) {
return "<div id=\"$id\" ".
"style='display:none;width:700;height:400;overflow:auto;'>\n" .
"$text\n".
"</div>\n";
}
if (1) {
$myindex = $index;
$dblink = GetDBLink(($ch ? "ch" : "cm"));
......@@ -151,7 +144,6 @@ if (1) {
"Destroyed" => "Destroyed",
"Manifest" => "Manifest"));
$rows = array();
$popups = array();
if (mysql_num_rows($query_result)) {
while ($row = mysql_fetch_array($query_result)) {
......@@ -196,41 +188,21 @@ if (1) {
}
$url .= "$slice_info</a>";
$manifest_url = "<a href='manifesthistory.php?uuid=$uuid'>manifest</a>";
$tablerow = array("idx" => $idx,
"hrn" => $url,
"creator" => $creator_info,
"created" => $created,
"destroyed" => $destroyed);
$manifest_result =
DBQueryFatal("select * from manifest_history ".
"where aggregate_uuid='$uuid' ".
"order by idx desc limit 1", $dblink);
if (mysql_num_rows($manifest_result)) {
$mrow = mysql_fetch_array($manifest_result);
$manifest = $mrow["manifest"];
"destroyed" => $destroyed,
"manifest" => $manifest_url );
$stuff = GeneratePopupDiv("manifest$idx", $manifest);
$popups[] = $stuff;
$tablerow["manifest"] =
"<a href='#' title='' ".
"onclick='PopUpWindowFromDiv(\"manifest$idx\");'".
">manifest</a>\n";
}
else {
$tablerow["Manifest"] = "Unknown";
}
$rows[] = $tablerow;
$myindex = $idx;
}
list ($html, $button) = TableRender($table, $rows);
echo $html;
foreach ($popups as $i => $popup) {
echo "$popup\n";
}
$query_result =
DBQueryFatal("select count(*) from aggregate_history as a ".
"where `type`='Aggregate' and a.idx<$myindex $clause ",
......
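Review bot: The new `$manifest_url` line builds an href by interpolating `$uuid` straight from the fetched row into an HTML attribute with no URL-encoding or HTML-escaping, so a stored value containing a quote or `&` breaks the attribute; since the commit itself treats stored manifest data as potentially attacker-influenced, the uuid column deserves the same caution unless it is validated on insertion (not visible here). Encoding at the point of output closes this: `$manifest_url = "<a href='manifesthistory.php?uuid=" . htmlspecialchars(urlencode($uuid), ENT_QUOTES) . "'>manifest</a>";`. The enclosing `if (1)` block starts before this hunk and the hunk body continues past the collapsed region, so the remaining removed lines could not be checked.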
<?php
#
# Copyright (c) 2015 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
include("defs.php3");
include_once("geni_defs.php");
include("table_defs.php");
#
#
# Only known and logged in users allowed.
#
$this_user = CheckLoginOrDie();
$uid = $this_user->uid();
$isadmin = ISADMIN();
#
# Verify Page Arguments.
#
$optargs = OptionalPageArguments("uuid", PAGEARG_STRING,
"ch", PAGEARG_BOOLEAN);
if (!isset($uuid)) {
$uuid = "";
}
if (!isset($ch)) {
$ch = 0;
}
if (! ($isadmin || STUDLY())) {
PAGEHEADER("Geni History");
USERERROR("You do not have permission to view Geni manifest history!", 1);
PAGEFOOTER();
} else {
$dblink = GetDBLink(($ch ? "ch" : "cm"));
$manifest_result = DBQueryFatal("select manifest from manifest_history ".
"where aggregate_uuid='$uuid' ".
"order by idx desc limit 1", $dblink);
if (mysql_num_rows($manifest_result)) {
$mrow = mysql_fetch_array($manifest_result);
$manifest = $mrow["manifest"];
header( "Content-Type: text/xml" );
print "$manifest";
} else {
PAGEHEADER("Geni History");
USERERROR("Manifest not found.", 1);
PAGEFOOTER();
}
}
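Review bot: `$uuid` arrives from the page arguments and is interpolated unescaped into the SQL string on the `"where aggregate_uuid='$uuid' "` line; unless OptionalPageArguments already sanitizes PAGEARG_STRING values (not visible in this file), that is an injection point in admin-only but still untrusted input. Rejecting anything that does not look like a UUID before the query removes the risk without depending on the driver: `if (!preg_match('/^[-0-9a-fA-F]+$/', $uuid)) { USERERROR("Invalid uuid", 1); }` placed before the DBQueryFatal call. Separately, the commit title says plain text but the response is sent as `text/xml`, which browsers render as a document and which can still carry inline script in the XHTML namespace, so the stored-HTML problem the commit fixes is only partly closed; `header("Content-Type: text/plain; charset=utf-8"); header("X-Content-Type-Options: nosniff");` matches the stated intent. The `else` branch also emits PAGEHEADER after the success branch may have sent a header, but the two branches are exclusive so that is fine as written.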