From 1ca2b4e1c959b0e473fb8548e330f3e241c8785a Mon Sep 17 00:00:00 2001
From: Eudyptula
Date: Fri, 17 Jul 2009 14:47:27 -0400
Subject: Rearranged logviewer for security

---
 frontend/classes/ansi.php | 2 +-
 frontend/include/header.php | 2 +-
 frontend/pages/logview.php | 39 ++++++++++++++++++++++++---------------
 frontend/routing.csv | 2 +-
 4 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/frontend/classes/ansi.php b/frontend/classes/ansi.php
index 45c0462..947904b 100644
--- a/frontend/classes/ansi.php
+++ b/frontend/classes/ansi.php
@@ -3,7 +3,7 @@ class ansi_to_html {
 var $spans=0;
 public function process($txt) {
 // Clear to end of line
- $txt=str_replace("\x1b[K", '', $txt);
+ $txt=str_replace(array("\x1b[K", "\n", "\t", ' '), array('', "
\n", str_repeat(' ', 8), ' '), $txt);
 // Backspace
 while (($i=strpos($txt, chr(8))) !== false) {
 if ($i == 0) {
diff --git a/frontend/include/header.php b/frontend/include/header.php
index 81e8d7b..d4f9bea 100644
--- a/frontend/include/header.php
+++ b/frontend/include/header.php
@@ -38,7 +38,7 @@ if (isset($S['head'])) {
 echo '
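Review bot: `process()` now receives the log text unescaped — the logview hunk changes the call to `echo $ansi->process($entry->text)` and keeps the old `htmlentities` line only as a comment — and the part of `process()` visible here inserts markup without first escaping `<`, `>` and `&`. Unless escaping happens further down in `process()`, any markup contained in build output is written into the page as HTML; apply `$txt=htmlspecialchars($txt, ENT_QUOTES, 'UTF-8');` as the first statement, before the replacements that insert tags, so that the inserted tags themselves survive. The replacement order is also fragile: `str_replace` applies the array pairs left to right on the running result, so if the `"\n"` replacement is a tag that contains a space (the tag is not visible in this view) the later `' '` pair rewrites the space inside that tag; move the `' '` pair ahead of the `"\n"` pair or do the line-break insertion in a separate call. The rest of `process()` lies outside the hunk.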
  • Home
  • '; echo '
  • New configuration
  • '; echo '
  • Manage configurations
  • '; -echo '
  • Log viewer
  • '; +echo '
  • My builds
  • '; if (isset($S['user'])) { if ($conf['invite'] && ($S['user']->has_flag('a') || $conf['invite'] != 'admin')) echo '
  • Invite
  • ';
diff --git a/frontend/pages/logview.php b/frontend/pages/logview.php
index 5107381..10c85dd 100644
--- a/frontend/pages/logview.php
+++ b/frontend/pages/logview.php
@@ -1,17 +1,27 @@ query('SELECT * FROM `builds` WHERE `id`="'.$request['build'].'"');
+ if ($r->rowCount()) {
+ $S['logview']['build']=new sql_build($r->fetch(PDO::FETCH_ASSOC));
+ if (!owner_or_admin($S['logview']['build']->owner)) return '404'; // TODO permission denied
+ } else
+ return '404';
+ if (isset($request['task']) && is_numeric($request['task'])) {
+ $r=$S['pdo']->query('SELECT * FROM `tasks` WHERE `build`="'.$request['build'].'" AND `order`='.$request['task']);
+ if ($r->rowCount()) {
+ $S['logview']['task']=new sql_task($r->fetch(PDO::FETCH_ASSOC));
+ } // else return '404'; // Just goes to the build if task is missing
+ }
+ }
 }
 function body_logview() {
 global $S, $request, $conf;
- if (isset($request['build'], $request['task']) && preg_match('/^[a-zA-Z0-9]{6}$/', $request['build']) && is_numeric($request['task'])) {
- $r=$S['pdo']->query('SELECT * FROM `tasks` WHERE `build`=\''.$request['build'].'\' AND `order`='.$request['task']);
- if ($r->rowCount() == 0) {
- echo print_error('Not found', 'Build '.$request['build'].'/task '.$request['task'].' was not found.');
- return;
- }
- $task=new sql_task($r->fetch(PDO::FETCH_ASSOC));
+ if (isset($S['logview']['task'])) {
+ $task=&$S['logview']['task'];
 echo '
    '.$task->display().'
    '; echo 'Back
';
 $page=isset($request['page']) && is_numeric($request['page'])?$request['page']:1;
@@ -39,9 +49,9 @@ function body_logview() {
 $ansi=new ansi_to_html();
 while ($entry=$r->fetch(PDO::FETCH_ASSOC)) {
 $entry=new sql_buildlog_entry($entry);
-// $text=str_replace(array("\n", "\t"), array("
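Review bot: The two queries added to `page_logview()` still build SQL by concatenating `$request['build']` and `$request['task']`; what keeps them safe is only the `([a-z0-9]{6})` and `([0-9]+)` capture groups in routing.csv, and the `is_numeric()` guard is looser than that route (it accepts `1e3`, `.5` or a leading space), so the check and the query do not agree. `$S['pdo']` appears to be a PDO handle (it is used with `PDO::FETCH_ASSOC`), so a prepared statement removes the dependency on the router: `$r=$S['pdo']->prepare('SELECT * FROM builds WHERE id=?'); $r->execute(array($request['build']));`, with the same treatment for the tasks query and `ctype_digit($request['task'])` as its guard. Checking `owner_or_admin()` before anything is rendered, and returning the same `'404'` for a missing and for a foreign build, is the right shape. The opening lines of `page_logview()` and its outer condition are not visible in this view, and `body_logview()` continues past the hunk.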
\n", str_repeat(' ', 4)), htmlentities($entry->text));
-// echo 'stream=='stderr'?' style="color: red" ':'').' title="'.strtoupper($entry->stream).', entry #'.$entry->order.' @ '.date('D j M Y @ H:i:s', $entry->timestamp).' UTC">'.$text.'';
- echo $ansi->process(str_replace(array("\n", ' ', "\t"), array("
\n", ' ', str_repeat(' ', 8)), $entry->text));
+ // $text=str_replace(array("\n", "\t"), array("
\n", str_repeat(' ', 4)), htmlentities($entry->text));
+ // echo 'stream=='stderr'?' style="color: red" ':'').' title="'.strtoupper($entry->stream).', entry #'.$entry->order.' @ '.date('D j M Y @ H:i:s', $entry->timestamp).' UTC">'.$text.'';
+ echo $ansi->process($entry->text); // TODO handle tabs properly, move all this into ansi_to_html
 }
 echo $ansi->reset(); // Clear any leftover s
@@ -55,20 +65,19 @@ function body_logview() {
 echo print_warning('No output');
 }
 }
- } elseif (isset($request['build']) && preg_match('/[a-z0-9]{6}/', $request['build'])) {
- $build=new sql_build($request['build']);
+ } elseif (isset($S['logview']['build'])) {
+ $build=&$S['logview']['build'];
 echo $build->display();
 $r=$S['pdo']->query('SELECT * FROM `tasks` WHERE `build`="'.$request['build'].'" ORDER BY `order` ASC');
 if ($r->rowCount() == 0) {
 echo 'No tasks found.';
 }
- $i=0;
 while ($task=$r->fetch(PDO::FETCH_ASSOC)) {
 $task=new sql_task($task);
 echo $task->display();
 }
 } else {
- $r=$S['pdo']->query('SELECT * FROM `builds` ORDER BY `ctime` IS NULL ASC, `ctime` ASC, `status` DESC');
+ $r=$S['pdo']->query('SELECT * FROM `builds` WHERE `owner`='.$S['user']->id.' ORDER BY `ctime` IS NULL ASC, `ctime` ASC, `status` DESC');
 if ($r->rowCount() == 0) {
 echo print_warning('No builds found.');
 }
diff --git a/frontend/routing.csv b/frontend/routing.csv
index 7737b69..7312364 100644
--- a/frontend/routing.csv
+++ b/frontend/routing.csv
@@ -12,7 +12,7 @@
 # Home
 ^$ welcome
 # Logs
-^logs$ logview
+^builds$ logview
 ^logs/([a-z0-9]{6})$ logview build
 ^logs/([a-z0-9]{6})/([0-9]+)$ logview build task
 ^logs/([a-z0-9]{6})/([0-9]+)/([0-9]+)$ logview build task page
--
cgit v1.2.3-65-gdbad
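Review bot: The two commented-out lines (`// $text=...` and `// echo ...`) are only re-indented, so the dead code carries over into the new version; the `// TODO handle tabs properly, move all this into ansi_to_html` remark on the live `echo` line already records what is intended, so the two comment lines can simply be dropped. `body_logview()` starts and ends outside this hunk.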
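Review bot: The new builds query at the end of the hunk interpolates `$S['user']->id`, but nothing in this hunk or in `page_logview()` requires a logged-in user, and header.php guards the same value with `isset($S['user'])`; an anonymous request to the new `^builds$` route would therefore read `->id` on a null value (a notice/warning) and send a query ending in `WHERE owner= ORDER BY ...`, which is not valid SQL. Guard the branch before the query, e.g. `if (!isset($S['user'])) { echo print_error('Not logged in', 'Log in to see your builds.'); return; }`, or return `'404'` from `page_logview()` when there is no build parameter and no user. Separately, `$build=&$S['logview']['build'];` here and the matching `$task=&$S['logview']['task'];` in the first hunk take references to objects; objects are already handles, so a plain assignment is clearer and does not tie the local to the array slot. `body_logview()` continues past the end of the hunk.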