From b52db895457e3b2470409a892e0de944e23ea4be Mon Sep 17 00:00:00 2001 From: Urban Müller Date: Wed, 18 Nov 2015 15:39:20 +0100 Subject: security: whitelist legal chars
--- itjs.class | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index c54abd3..8e79fad 100644
--- a/itjs.class
+++ b/itjs.class
@@ -134,9 +134,12 @@ static function filenames($filelist)
 "PIE.htc" => "$libsearch/doc/PIE.htc",
 );
- foreach (array_filter(explode(",", basename($filelist))) as $file)
+ if (it::match("[^-\w.=?&,]", basename($filelist)))
+ it::error("bad filelist $filelist");
+
+ foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
 {
- $filenames = $special[$file] ?: (file_exists("$path/" . it::replace(array('[\?\x00].*' => ""), $file)) ? "$path/$file" : "$libsearch/itjs/$file");
+ $filenames = $special[$file] ?: (file_exists("$path/$file") ? "$path/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
 if (!$seen[$filename]++)
-- cgit v1.2.3 From 5e6edc6bf5ba3d7dde7b861029ce6ac79787bb30 Mon Sep 17 00:00:00 2001 From: Urban Müller Date: Sun, 22 Nov 2015 23:56:15 +0100 Subject: currently generated filelists are fine
--- itjs.class | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 8e79fad..539f97b 100644
--- a/itjs.class
+++ b/itjs.class
@@ -134,7 +134,7 @@ static function filenames($filelist)
 "PIE.htc" => "$libsearch/doc/PIE.htc",
 );
- if (it::match("[^-\w.=?&,]", basename($filelist)))
+ if (it::is_devel() && it::match("[^-\w.=?&,]", basename($filelist)))
 it::error("bad filelist $filelist");
 foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
-- cgit v1.2.3 From 815aeeaff940a0981ecace49dc6353f35cf448a3 Mon Sep 17 00:00:00 2001
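Review bot: The new token class `[-\w.=?&]+` still admits `.` and `..`, and `file_exists("$path/..")` is true, so a filelist entry of `..` resolves to `$path/..` (the ULTRAHOME directory itself) and is returned as if it were a script; it cannot escape further because `/` is excluded and basename() has already dropped any directory part, but a guard right after the opening brace keeps directories out: `if ($file === "." || $file === "..") continue;`. Note also that the rewrite drops the old `[\?\x00].*` stripping before file_exists(), so an entry like `foo.js?v=2` (still legal under the whitelist) no longer finds the local file and falls through to `$libsearch/itjs/foo.js?v=2`; if callers append cache-busting queries, the local lookup needs that stripping back. Whether it::error() aborts or only logs is not visible here; if it returns, the loop still runs on the regex tokens, which is fail-open and safe only because the tokenizer is the real filter. filenames() continues outside the hunk.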
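Review bot: Gating the bad-character check on `it::is_devel()` makes production fail open: a filelist carrying `/`, NUL or `;` is silently reduced to its legal tokens by the regex on the next line, and nothing records that it happened. Traversal is still blocked because `/` is not in the token class, but a probe that raises on devel becomes invisible on prod, which is the environment where the signal matters. If raising is too disruptive there, keep the match unconditional and downgrade the reaction instead of skipping it, e.g. `it::error("bad filelist $filelist")` on devel and a warning-level log on prod; the logging API is not visible here, so the exact call is for the author to pick. At minimum the `if` deserves a comment such as `# prod: illegal chars are silently dropped by the tokenizer below`. filenames() continues outside the hunk.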
From: Urban Müller Date: Thu, 26 Nov 2015 18:47:28 +0100 Subject: correctly create checksums on devel, benefit from implied lib/itjs
--- itjs.class | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) (limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 539f97b..903f9bc 100644
--- a/itjs.class
+++ b/itjs.class
@@ -115,7 +115,7 @@ static function encode($values)
 static function filenames($filelist)
 {
 $result = array();
- $path = $GLOBALS['ULTRAHOME'] . "/itjs";
+ $local = $GLOBALS['ULTRAHOME'] . "/itjs";
 $itjs = "/www/server/phpinclude/itools/itjs";
 $libsearch = strlen($GLOBALS['debug_lib']) > 1 ? "/www/lib-" . $GLOBALS['debug_lib'] . ".search.ch" : "/www/lib.search.ch";
 $special = array(
@@ -124,22 +124,13 @@ static function filenames($filelist)
 "state.html" => "$itjs/state.html",
 "error.gif" => "$itjs/error.gif",
 "search.css" => "$libsearch/doc/search.css",
- "searchlib.js" => "$libsearch/itjs/searchlib.js",
- "sl_state.js" => "$libsearch/itjs/sl_state.js",
- "sl_dropdown.js" => "$libsearch/itjs/sl_dropdown.js",
- "sl_collapse.js" => "$libsearch/itjs/sl_collapse.js",
- "sl_adid_debug.js" => "$libsearch/itjs/sl_adid_debug.js",
- "locateme.js" => "$libsearch/itjs/locateme.js",
 "prettyprint.css" => "$libsearch/doc/prettyprint.css",
 "PIE.htc" => "$libsearch/doc/PIE.htc",
 );
- if (it::is_devel() && it::match("[^-\w.=?&,]", basename($filelist)))
- it::error("bad filelist $filelist");
-
- foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
+ foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file) # split by comma but ignore illegal chars
 {
- $filenames = $special[$file] ?: (file_exists("$path/$file") ? "$path/$file" : "$libsearch/itjs/$file");
+ $filenames = $special[$file] ?: (file_exists("$local/$file") ? "$local/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
 if (!$seen[$filename]++)
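Review bot: Dropping the six `$special` pins means `searchlib.js`, the `sl_*.js` files and `locateme.js` are now resolved by the `file_exists("$local/$file")` probe first, so a same-named file in `$ULTRAHOME/itjs` silently shadows the library copy; that precedence is presumably the point of "implied lib/itjs", but it is stated nowhere and decides which script gets served. Document it on the loop: `# resolution order: $special pins, then $ULTRAHOME/itjs (local override), then lib.search.ch/itjs`. The new trailing comment `# split by comma but ignore illegal chars` undersells the regex: every character outside `[-\w.=?&]` acts as a separator, so `a.js;b.js` or `a.js b.js` also yield two entries, and `# extract legal tokens; any other char (incl. comma) is a separator` describes it accurately. With the devel-only check removed there is now no trace of a malformed filelist in any environment, which is worth a sentence in the commit message if it is intended. filenames() continues outside the hunk.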
@@ -201,7 +192,7 @@ static function checksum($fnlist, $p = array())
 {
 $p += array('short_expire' => true);
- $filenames = array_merge(is_array($fnlist) ? $fnlist : itjs::filenames($fnlist), array("/www/lib.search.ch/var/jquery-ui/dist/minified/jquery.ui.core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js")); # jquery files included by lib/jquery.js
+ $filenames = array_merge(itjs::filenames(join(",", (array)$fnlist)), array("/www/lib.search.ch/var/jquery-ui/dist/minified/jquery.ui.core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js")); # jquery files included by lib/jquery.js
 $key = "itjs_" . md5(join("", it::map('"$v" . @filemtime("$v")', $filenames)));
 if ($p['short_expire'] && (time() - max(@array_map('filemtime', $filenames)) < 60))
-- cgit v1.2.3 From 17131f9ef8dfb33271a031978d66a2cde1d6f18e Mon Sep 17 00:00:00 2001 From: Urban Müller Date: Mon, 7 Dec 2015 15:25:58 +0100 Subject: separate directory to avoid permission and expiration problems
--- itjs.class | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 903f9bc..18c7a18 100644
--- a/itjs.class
+++ b/itjs.class
@@ -204,7 +204,7 @@ static function checksum($fnlist, $p = array())
 function crcurl($url, $p = array())
 {
 if (it::match('^http', $url)) # remote url, must fetch to crc
- list($fn, $short_expire) = array(it_url::get_cache(array('url' => $url, 'maxage' => 3600) + $p), false);
+ list($fn, $short_expire) = array(it_url::get_cache(array('url' => $url, 'maxage' => 3600, 'id' => "itjs_crcurl") + $p), false);
 else
 list($fn, $short_expire) = array(($m = it::match("^//(\w+)(/.*)", $url)) ? "/www/$m[0].search.ch" . $m[1] : $GLOBALS['ULTRAHOME'] . $url, true);;
-- cgit v1.2.3
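Review bot: The new `itjs::filenames(join(",", (array)$fnlist))` pushes an array argument through filenames(), which applies basename() to the whole joined string, so an array of paths such as `["/a/x.js", "/b/y.js"]` collapses to the single token `y.js` and the md5 key on the next line then covers the wrong files; the removed branch took an array verbatim. If every caller passes bare names this is harmless, but nothing here enforces it — either keep `is_array($fnlist) ? $fnlist : itjs::filenames($fnlist)` for the array case, or state the contract above the line: `# $fnlist: comma list or array of bare names (no directory part) -- basename() in filenames() keeps only the tail of the joined string`. checksum() continues outside the hunk.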
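Review bot: The added `'id' => "itjs_crcurl"` only namespaces the remote-fetch cache; the local branch two lines below still builds the path as `$GLOBALS['ULTRAHOME'] . $url` (or `/www/$m[0].search.ch$m[1]`) with no normalization, so a `$url` containing `..` would let crcurl() stat and checksum a file outside the intended root. Whether `$url` can carry caller-controlled input is not visible here; if it can, resolve it with `realpath()` and verify the result stays under the chosen base before use. Because `array(...) + $p` keeps left-hand keys, a caller's `$p['id']` or `$p['maxage']` is silently ignored, which may be intended but deserves a comment such as `# url/maxage/id are fixed; $p only adds further options`. The stray `;;` on the else line is harmless but should go. crcurl() continues outside the hunk.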