# HG changeset patch # User jbe # Date 1415641738 -3600 # Node ID 9461c738ea0b9ab42cbce558271568e0ae2ddb0f # Parent 68d91f47bb9814852ffc68b5fdac9c028999b841 Backported support for pseudonymous access to fastpath image interface from version 3.0.3 diff -r 68d91f47bb98 -r 9461c738ea0b fastpath/getpic.c --- a/fastpath/getpic.c Thu Jul 10 01:02:36 2014 +0200 +++ b/fastpath/getpic.c Mon Nov 10 18:48:58 2014 +0100 @@ -23,6 +23,9 @@ const char *sql_member_image_params[2]; #ifndef PUBLIC_ACCESS +#ifdef PUBLIC_AVATAR_ACCESS + int authorization_required = 0; +#endif char *cookies; regex_t session_ident_regex; ssize_t start, length; 
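Review bot: `int authorization_required = 0;` makes the session check opt-in, so any later code path that fails to set the flag would serve the image without authentication. A default-deny form is more robust to future edits: declare it as `int authorization_required = 1;` and, in the second hunk, replace the `if (strcmp(image_type, "avatar")) {` / `authorization_required = 1;` pair with `if (!strcmp(image_type, "avatar")) authorization_required = 0;` followed by `if (authorization_required) {`. The guard around cookie parsing then reads the same as the guard around the session query in the third hunk. The declaration sits in a function whose start and end are outside this hunk.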
@@ -35,40 +38,48 @@ PGresult *dbr; args_string = getenv("QUERY_STRING"); -#ifdef PUBLIC_ACCESS if (!args_string) { fputs("Status: 403 Access Denied\n\n", stdout); return 0; } -#else - cookies = getenv("HTTP_COOKIE"); - if (!args_string || !cookies) { + + member_id = strtok(args_string, "+"); + image_type = strtok(NULL, "+"); + if (!member_id || !image_type) { fputs("Status: 403 Access Denied\n\n", stdout); return 0; } -#endif - - member_id = strtok(args_string, "+"); - image_type = strtok(NULL, "+"); sql_member_image_params[0] = member_id; sql_member_image_params[1] = image_type; #ifndef PUBLIC_ACCESS - if (regcomp(&session_ident_regex, "(^|[; \t])liquid_feedback_session=([0-9A-Za-z]+)", REG_EXTENDED) != 0) { - // shouldn't happen - abort(); - } - if (regexec(&session_ident_regex, cookies, 3, session_ident_regmatch, 0) != 0) { - fputs("Status: 403 Access Denied\n\n", stdout); - return 0; +#ifdef PUBLIC_AVATAR_ACCESS + if (strcmp(image_type, "avatar")) { + authorization_required = 1; +#endif + cookies = getenv("HTTP_COOKIE"); + if (!args_string || !cookies) { + fputs("Status: 403 Access Denied\n\n", stdout); + return 0; + } + if (regcomp(&session_ident_regex, "(^|[; \t])liquid_feedback_session=([0-9A-Za-z]+)", REG_EXTENDED) != 0) { + // shouldn't happen + abort(); + } + if (regexec(&session_ident_regex, cookies, 3, session_ident_regmatch, 0) != 0) { + fputs("Status: 403 Access Denied\n\n", stdout); + return 0; + } + start = session_ident_regmatch[2].rm_so; + length = session_ident_regmatch[2].rm_eo - session_ident_regmatch[2].rm_so; + session_ident = malloc(length + 1); + if (!session_ident) abort(); // shouldn't happen + strncpy(session_ident, cookies + start, length); + session_ident[length] = 0; + sql_session_params[0] = session_ident; +#ifdef PUBLIC_AVATAR_ACCESS } - start = session_ident_regmatch[2].rm_so; - length = session_ident_regmatch[2].rm_eo - session_ident_regmatch[2].rm_so; - session_ident = malloc(length + 1); - if (!session_ident) abort(); // 
shouldn't happen - strncpy(session_ident, cookies + start, length); - session_ident[length] = 0; - sql_session_params[0] = session_ident; +#endif #endif conn = PQconnectdb(GETPIC_CONNINFO); @@ -83,20 +94,26 @@ } #ifndef PUBLIC_ACCESS - dbr = PQexecParams(conn, - "SELECT NULL FROM session JOIN member ON member.id = session.member_id WHERE session.ident = $1 AND member.active", - 1, NULL, sql_session_params, NULL, NULL, 0 - ); - if (PQresultStatus(dbr) != PGRES_TUPLES_OK) { - fputs(PQresultErrorMessage(dbr), stderr); - PQfinish(conn); - return 1; +#ifdef PUBLIC_AVATAR_ACCESS + if (authorization_required) { +#endif + dbr = PQexecParams(conn, + "SELECT NULL FROM session JOIN member ON member.id = session.member_id WHERE session.ident = $1 AND member.active", + 1, NULL, sql_session_params, NULL, NULL, 0 + ); + if (PQresultStatus(dbr) != PGRES_TUPLES_OK) { + fputs(PQresultErrorMessage(dbr), stderr); + PQfinish(conn); + return 1; + } + if (PQntuples(dbr) != 1) { + fputs("Status: 403 Access Denied\n\n", stdout); + PQfinish(conn); + return 0; + } +#ifdef PUBLIC_AVATAR_ACCESS } - if (PQntuples(dbr) != 1) { - fputs("Status: 403 Access Denied\n\n", stdout); - PQfinish(conn); - return 0; - } +#endif #endif dbr = PQexecParams(conn,
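Review bot: With PUBLIC_AVATAR_ACCESS defined, an `avatar` request carrying no cookie now falls through to `PQconnectdb`, so `member_id` reaches the database from unauthenticated clients with no check beyond being non-NULL. The values are bound through `sql_member_image_params` and the following call is `PQexecParams`, so this is presumably not an injection risk, but a cheap format check before connecting would stop malformed ids from costing a connection and a query error. Assuming member ids are decimal integers (not visible here), `if (member_id[strspn(member_id, "0123456789")]) { fputs("Status: 403 Access Denied\n\n", stdout); return 0; }` after the NULL test would do. Separately, the `!args_string` term in `if (!args_string || !cookies)` is now dead, since that pointer was already rejected at the top of the hunk; `if (!cookies)` is enough. The enclosing function begins and ends outside the hunk.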
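Review bot: The result of the session lookup is never released. `dbr` is assigned inside the new `if (authorization_required)` block and then overwritten by the next `dbr = PQexecParams(conn,` on the last line of the hunk, and both early returns call `PQfinish(conn)` without `PQclear(dbr)`. Adding `PQclear(dbr);` after the `PQntuples(dbr) != 1` test, and before each `PQfinish(conn);` in the two early returns, fixes that. The impact is small if this runs as a one-shot CGI process, as the `QUERY_STRING` and `Status:` handling suggests, but it matters if the code is ever moved into a long-lived worker. The function continues past the end of the hunk.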