From 4c14a2e93ce4c2ac9f523deb7ae1ec2396a0aaa2 Mon Sep 17 00:00:00 2001
From: default
Date: Mon, 14 Aug 2023 09:32:17 +0200
Subject: Sanitize local user names in the greeting page.
---
 httpd.c | 101 +++++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 55 insertions(+), 46 deletions(-)
(limited to 'httpd.c')
diff --git a/httpd.c b/httpd.c
index 1145abd..85f098c 100644
--- a/httpd.c
+++ b/httpd.c
@@ -36,7 +36,7 @@ const char *nodeinfo_2_0_template = ""
 "\"localPosts\":%d},"
 "\"openRegistrations\":false,\"metadata\":{}}";
-d_char *nodeinfo_2_0(void)
+xs_str *nodeinfo_2_0(void)
 /* builds a nodeinfo json object */
 {
 xs *users = user_list();
@@ -47,66 +47,75 @@ d_char *nodeinfo_2_0(void) } -int server_get_handler(xs_dict *req, char *q_path, - char **body, int *b_size, char **ctype) -/* basic server services */ +static xs_str *greeting_html(void) +/* processes and returns greeting.html */ { - int status = 0; + /* try to open greeting.html */ + xs *fn = xs_fmt("%s/greeting.html", srv_basedir); + FILE *f; + xs_str *s = NULL; - (void)req; + if ((f = fopen(fn, "r")) != NULL) { + s = xs_readall(f); + fclose(f); - /* is it the server root? */ - if (*q_path == '\0') { - /* try to open greeting.html */ - xs *fn = xs_fmt("%s/greeting.html", srv_basedir); - FILE *f; + /* replace %host% */ + s = xs_replace_i(s, "%host%", xs_dict_get(srv_config, "host")); - if ((f = fopen(fn, "r")) != NULL) { - d_char *s = xs_readall(f); - fclose(f); + const char *adm_email = xs_dict_get(srv_config, "admin_email"); + if (xs_is_null(adm_email) || *adm_email == '\0') + adm_email = "the administrator of this instance"; - status = 200; + /* replace %admin_email */ + s = xs_replace_i(s, "%admin_email%", adm_email); - /* replace %host% */ - s = xs_replace_i(s, "%host%", xs_dict_get(srv_config, "host")); + /* does it have a %userlist% mark? */ + if (xs_str_in(s, "%userlist%") != -1) { + const char *host = xs_dict_get(srv_config, "host"); + xs *list = user_list(); + xs_list *p; + xs_str *uid; + xs *ul = xs_str_new("\n"); + return s; +} - s = xs_replace_i(s, "%userlist%", ul); - } - *body = s; - } +int server_get_handler(xs_dict *req, const char *q_path, + char **body, int *b_size, char **ctype) +/* basic server services */ +{ + int status = 0; + + (void)req; + + /* is it the server root? */ + if (*q_path == '\0') { + if ((*body = greeting_html()) != NULL) + status = 200; } else if (strcmp(q_path, "/susie.png") == 0 || strcmp(q_path, "/favicon.ico") == 0 ) { 
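Review bot: In `greeting_html()` the `host` value from `srv_config` is handed to `xs_replace_i()` without the null/empty check that `admin_email` gets a few lines below, and both configuration values are substituted into the page without any HTML encoding. Fetching it once with a fallback, `const char *host = xs_dict_get(srv_config, "host");` followed by `if (xs_is_null(host)) host = "";`, would also let the `%userlist%` branch reuse the same pointer instead of looking it up again. The lines that build the user list are cut off on this page after `xs_str_new("`, so the sanitizing named in the subject cannot be checked here; whatever encoding it applies would presumably suit the config-derived values as well. It is worth a one-line comment that `%userlist%` must stay the last substitution, so that user-controlled text is never re-scanned for `%host%` or `%admin_email%` marks.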
@@ -150,7 +159,7 @@ void httpd_connection(FILE *f)
 xs *req;
 char *method;
 int status = 0;
- d_char *body = NULL;
+ xs_str *body = NULL;
 int b_size = 0;
 char *ctype = NULL;
 xs *headers = xs_dict_new();
-- 
cgit v1.2.3