sanitize inputs
authorrajbot <raj@archive.org>
Wed, 29 Sep 2010 23:41:16 +0000 (23:41 +0000)
committerrajbot <raj@archive.org>
Wed, 29 Sep 2010 23:41:16 +0000 (23:41 +0000)
BookReader/BookReader.js
BookReaderIA/datanode/BookReaderGetText.py
BookReaderIA/datanode/BookReaderGetTextWrapper.php
BookReaderIA/datanode/BookReaderJSIA.php

index 9227ac0..ee32b36 100644 (file)
@@ -3840,6 +3840,7 @@ BookReader.prototype.ttsStop = function () {
     soundManager.stopAll();
     soundManager.destroySound('chunk'+this.ttsIndex+'-'+this.ttsPosition);
     this.ttsRemoveHilites();
+    this.ttsRemovePopup();
 
     this.ttsPlaying     = false;
     this.ttsIndex       = null;  //leaf index
index 9955968..3883fa8 100644 (file)
@@ -25,6 +25,7 @@
 from lxml import etree
 import sys
 import json
+import re
 
 minWordsInBlock = 25
 maxWordsInBlock = 50
@@ -33,12 +34,21 @@ path = sys.argv[1]
 pageNum = int(sys.argv[2])
 callback = sys.argv[3]
 
+if not re.match('^/\d{1,2}/items/.+_djvu.xml$', path):
+    sys.exit(-1);
+
+if ('ttsNextPageCB' != callback):
+    callback = 'ttsStartCB'
+
 tree = etree.parse(path)
 
 objects = tree.findall('//OBJECT')
 
 #print 'got %s objects' % len(objects)
 
+if pageNum > (len(objects)-1):
+    sys.exit(-1)
+
 page = objects[pageNum]
 
 lines = page.findall('.//LINE')
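Review bot: The path check on `if not re.match('^/\d{1,2}/items/.+_djvu.xml$', path):` leaves the `.+` segment free to contain `..`, so a path that matches the pattern can still resolve outside the items directory; the pattern also relies on `\d` and an unescaped `.` inside a non-raw string. I would tighten it to `if not re.match(r'^/\d{1,2}/items/.+_djvu\.xml$', path) or '/../' in path:` (or compare `os.path.realpath(path)` against the expected prefix). The page bound at `if pageNum > (len(objects)-1):` does not reject negative values, which index from the end of `objects`; use `if pageNum < 0 or pageNum > (len(objects)-1):`. The `int(sys.argv[2])` conversion on the context line above still raises on non-numeric input rather than exiting cleanly, and the trailing semicolon on `sys.exit(-1);` is a leftover.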
index ca4d05b..8e3fd25 100644 (file)
@@ -22,9 +22,9 @@ This file is part of BookReader.
 */
 
 //$env = 'LD_LIBRARY_PATH=/petabox/sw/lib/lxml/lib PYTHONPATH=/petabox/sw/lib/lxml/lib/python2.5/site-packages:$PYTHONPATH';
-$path=$_GET['path'];
-$page=$_GET['page'];
-$callback=$_GET['callback'];
+$path     = escapeshellarg($_GET['path']);
+$page     = escapeshellarg($_GET['page']);
+$callback = escapeshellarg($_GET['callback']);
 header('Content-Type: application/javascript');
 passthru("python BookReaderGetText.py $path $page $callback");
 ?>
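Review bot: `$page` is still forwarded to the child process as an arbitrary (escaped) string, and the wrapper never inspects the exit status of `passthru`, so a request the Python side rejects via `sys.exit(-1)` presumably still comes back as HTTP 200 with an empty body. Converting the page number in PHP, `$page = escapeshellarg((string) (int) $_GET['page']);`, keeps non-numeric input from ever reaching the interpreter, and passing a `$rc` argument to `passthru` would at least let the wrapper log or report the failure. Reading `$_GET['path']`, `$_GET['page']` and `$_GET['callback']` without `isset` also raises a notice and passes an empty argument when a key is absent; defaulting each with `isset($_GET['path']) ? $_GET['path'] : ''` before escaping avoids that.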
index 29f910d..f85ea2b 100644 (file)
@@ -18,6 +18,8 @@ This file is part of BookReader.
     along with BookReader.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+header('Content-Type: application/javascript');
+
 $id = $_REQUEST['id'];
 $itemPath = $_REQUEST['itemPath'];
 $subPrefix = $_REQUEST['subPrefix'];
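Review bot: The only new code in this section is the `Content-Type` header; the `$id`, `$itemPath` and `$subPrefix` values read from `$_REQUEST` directly below it remain unvalidated, which is the same pattern the commit fixes in BookReaderGetTextWrapper.php. How these values are used lies outside the hunk, so I cannot tell from here whether they reach a shell command or a filesystem path; if they do, they need `escapeshellarg` (or a whitelist check like the one added to BookReaderGetText.py) at the point of use.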