static unsigned char *
get_file_download_text(struct listbox_item *item, struct terminal *term)
{
struct file_download *file_download = item->udata;
unsigned char *uristring;
uristring = get_uri_string(file_download->uri, URI_PUBLIC);
if (uristring) {
#ifdef CONFIG_UTF8
if (term->utf8_cp)
decode_uri(uristring);
else
#endif /* CONFIG_UTF8 */
decode_uri_for_display(uristring);
}
return uristring;
}
/** Check if the URI is obfuscated (bug 382). The problem is said to occur when
* a URI designed to pass access a specific location with a supplied username,
* contains misleading chars prior to the @ symbol.
*
* An attacker can exploit this issue by supplying a malicious URI pointing to
* a page designed to mimic that of a trusted site, and tricking a victim who
* follows a link into believing they are actually at the trusted location.
*
* Only the user ID (and not also the password) is checked because only the
* user ID is displayed in the status bar. */
static int
check_malicious_uri(struct uri *uri)
{
unsigned char *user, *pos;
int warn = 0;
assert(uri->user && uri->userlen);
user = pos = memacpy(uri->user, uri->userlen);
if (!user) return 0;
decode_uri_for_display(user);
while (*pos) {
int length, trailing_dots;
for (length = 0; pos[length] != '\0'; length++)
if (!(isalnum(pos[length]) || pos[length] == '.'))
break;
/* Wind back so that the TLD part is checked correctly. */
for (trailing_dots = 0; trailing_dots < length; trailing_dots++)
if (!length || pos[length - trailing_dots - 1] != '.')
break;
/* Not perfect, but I am clueless as how to do better. Besides
* I don't really think it is an issue for ELinks. --jonas */
if (end_with_known_tld(pos, length - trailing_dots) != -1) {
warn = 1;
break;
}
pos += length;
while (*pos && (!isalnum(*pos) || *pos == '.'))
pos++;
}
mem_free(user);
return warn;
}
static void
download_dialog_layouter(struct dialog_data *dlg_data)
{
struct file_download *file_download = dlg_data->dlg->udata;
struct terminal *term = dlg_data->win->term;
int w = dialog_max_width(term);
int rw = w;
int x, y = 0;
int url_len;
unsigned char *url;
struct download *download = &file_download->download;
struct color_pair *dialog_text_color = get_bfu_color(term, "dialog.text");
unsigned char *msg = get_download_msg(download, term, 1, 1, "\n");
int show_meter = (download_is_progressing(download)
&& download->progress->size >= 0);
#if CONFIG_BITTORRENT
int bittorrent = (file_download->uri->protocol == PROTOCOL_BITTORRENT
&& (show_meter || is_in_state(download->state, S_RESUME)));
#endif
redraw_windows(REDRAW_BEHIND_WINDOW, dlg_data->win);
file_download->dlg_data = dlg_data;
if (!msg) return;
url = get_uri_string(file_download->uri, URI_PUBLIC);
if (!url) {
mem_free(msg);
return;
}
#ifdef CONFIG_UTF8
if (term->utf8_cp)
decode_uri(url);
else
#endif /* CONFIG_UTF8 */
decode_uri_for_display(url);
url_len = strlen(url);
if (show_meter) {
int_lower_bound(&w, DOWN_DLG_MIN);
}
dlg_format_text_do(dlg_data, url, 0, &y, w, &rw,
dialog_text_color, ALIGN_LEFT, 1);
y++;
if (show_meter) y += 2;
#if CONFIG_BITTORRENT
if (bittorrent) y += 2;
#endif
dlg_format_text_do(dlg_data, msg, 0, &y, w, &rw,
dialog_text_color, ALIGN_LEFT, 1);
y++;
dlg_format_buttons(dlg_data, dlg_data->widgets_data,
dlg_data->number_of_widgets, 0, &y, w,
&rw, ALIGN_CENTER, 1);
draw_dialog(dlg_data, w, y);
w = rw;
if (url_len > w) {
/* Truncate too long urls */
url_len = w;
url[url_len] = '\0';
if (url_len > 4) {
url[--url_len] = '.';
url[--url_len] = '.';
url[--url_len] = '.';
}
}
y = dlg_data->box.y + DIALOG_TB + 1;
x = dlg_data->box.x + DIALOG_LB;
dlg_format_text_do(dlg_data, url, x, &y, w, NULL,
dialog_text_color, ALIGN_LEFT, 0);
if (show_meter) {
y++;
draw_progress_bar(download->progress, term, x, y, w, NULL, NULL);
y++;
}
#if CONFIG_BITTORRENT
if (bittorrent) {
y++;
draw_bittorrent_piece_progress(download, term, x, y, w, NULL, NULL);
y++;
}
#endif
y++;
dlg_format_text_do(dlg_data, msg, x, &y, w, NULL,
dialog_text_color, ALIGN_LEFT, 0);
y++;
dlg_format_buttons(dlg_data, dlg_data->widgets_data,
dlg_data->number_of_widgets, x, &y, w,
NULL, ALIGN_CENTER, 0);
mem_free(url);
mem_free(msg);
}