| Commit message | Author | Age | Files | Lines |
| |
Unsigned operations and conversions to unsigned types always wrap/narrow
without checks, so no need to manually mask/cast/etc. them.
| |
std's version is known to be broken on versions we still support, and it
makes no sense to use different decoders anyway.
(This does introduce a bit of a dependency hell, because js/base64
depends on js/javascript which tries to bring in the entire QuickJS
runtime. So we move that out into twtstr, and manually convert a
Result[string, string] to DOMException in js/base64.)
| |
We no longer modify the file system inside the sandbox, so this
permission is simply not needed.
| |
This fixes setTimeout/setInterval causing crashes.
Note: timerfd_gettime is not actually used by Nim right now.
However, it seems like a good idea to add it to the set in case a
future Nim version needs it, as it does no harm.
We still do not allow signalfd, because it would let rogue buffers
override our SIGSYS handler. (Not sure if this really matters, but
we don't need it for now anyway.)
| |
glibc apparently calls fstat from fread, and we didn't allow it in
seccomp. So:
* allow fstat in the sandbox; no reason not to, and it seems too big of
a footgun to assume we never call fread
* use read(2) in http; no need for buffered i/o here
| |
* do not use std's parse*Int; they accept weird stuff that we do not
want to accept in any case
* fix bug in parseHost where a parseIpv4 failure would result in an
empty host
* do not use isDigit, isAlphaAscii
* improve parse*IntImpl error handling
| |
We use libseccomp, which is now a semi-mandatory dependency on Linux.
(You can still build without it, but only if you pass a scary long flag
to make.)
For this to work I had to disable getTimezoneOffset, which would
otherwise call localtime_r which in turn reads in some files from
/usr/share/zoneinfo. To allow this we would have to give unrestricted
openat(2) access to buffer processes, which is unacceptable.
(Giving websites access to the local timezone is a fingerprinting vector
so if this ever gets fixed then it should be an opt-in config setting.)
This patch also includes misc fixes to buffer cloning, and fixes the
LIBEXECDIR override in the makefile so that it is actually useful.
| |
* separate params with ; (semicolon) instead of , (colon)
* reduce screaming snake case use
* wrap long lines
| |
I wish they didn't change this. unsafeAddr may be a confusing name,
but it's more powerful than addr. Merging them violates the principle
of least power.
e.g. say I get n thru a param, and shadow it
    proc x(n: int) =
      var n = n + 1
a screen or two later I call
    mutates_variable_in_c(addr n)
then later I no longer need to add 1, so I remove the var line.
In Nim 1.6 the compiler refuses to compile, I can instantly find the
bug. In 2.0 it does... whatever?? Maybe for an int it "works", for an
object it likely doesn't. Certainly not something I'd enjoy debugging.
| |
it's a waste of space; we don't use these *that* much.
| |
pledge is a bit more fine-grained than Capsicum's capability mode,
so the buffer & http ("network") sandboxes are now split up into
two parts.
I applied the same hack as in FreeBSD for overriding the buffer
selector kqueue, because a) I didn't want to request sysctl promise
b) I'm not sure if it would even work and c) if it breaks on OpenBSD,
then it's broken on FreeBSD too, so there's a greater chance of
discovering the bug.
| |
Use content type attributes so e.g. git.cgi can set the title even with
a text/x-ansi content type.
(This commit also fixes some bugs in content type attribute handling.)
| |
It's the sandboxing system of FreeBSD. Quite pleasant to work with.
(Just trying to figure out the basics with this one before tackling the
abomination that is seccomp.)
Indeed, the only non-trivial part was getting newSelector to work with
Capsicum. Long story short it doesn't, so we use an ugly pointer cast +
assignment. But even that is stdlib's "fault", not Capsicum's.
This also gets rid of that ugly SocketPath global.
| |
Better (and simpler) than storing them all over the place.
extra: change lmDownload text to match w3m
| |
this is unfortunately truncated on Linux, but I don't care enough to
hack around this
| |
This has its own problems, but application/octet-stream has the horrible
consequence that opening any local file with an unrecognized type
automatically quits the browser.
(FWIW, w3m also falls back to text/plain, so it's not such an unreasonable
default.)
The proper solution would be to a) fix the bug that makes the browser
auto-quit and b) show a "what to do" prompt for unrecognized file types
(and allow users to override it, preferably on a per-protocol basis.)
| |
Better compute the values we need on-demand at the call sites; this way,
we can pass through content type attributes to mailcap too.
(Also, remove a bug where applyResponse was called twice.)
| |
Originally we had several loader processes so that the loader did not
need asynchronicity for loading several buffers at once. Since then, the
scope of what loader does has been reduced significantly, and with
that loader has become mostly asynchronous.
This patch finishes the above work as follows:
* We only fork a single loader process for the browser. It is a waste of
  resources to do otherwise, and would have made future work on a
  download manager very difficult.
* loader becomes (almost) fully async. Now the only sync part is a)
  processing commands and b) waiting for clients to consume responses.
  b) is a bit more problematic than a), but should not cause problems
  unless some other horrible bug exists in a client. (TODO: make it
  fully async.)
  This gives us a noticeable improvement in CSS loading speed, since all
  resources can now be queried at once (even before the previous ones
  are connected).
* Buffers now only get processes when the *connection* is finished. So
  headers, status code, etc. are handled by the client, and the buffer
  is forked when the loader starts streaming the response body.
  As a result, mailcap entries can simply dup2 the first UNIX domain
  socket connection as their stdin. This allows us to remove the ugly
  (and slow) `canredir' hack, which required us to send file handles on
  a tour across the entire codebase.
* The "cache" has been reworked somewhat:
  - Since canredir is gone, buffer-level requests usually start
    in a suspended state, and are explicitly resumed only after
    the client could decide whether it wants to cache the response.
  - Instead of a flag on Request and the URL as the cache key,
    we now use a global counter and the special `cache:' scheme.
* misc fixes: referer_from is now actually respected by buffers (not
  just the pager), load info display should work slightly better, etc.
| |
* put attrs pointer in state
* simplify width()
* use unsigned int as ptint to avoid UB
| |
* rename buffer enums
* fix isAscii for char 0x80
* remove dead code from URL
| |
I've gotten tired of not being able to search for forward slashes.
Now it works like in vim, and you can also set default ignore case in
the config.
| |
* fix failed assertion on non-ha-column half-width chars followed by
handakuten with text-transform: full-width
* fix dquot full-width conversion
* fix lone half-width han/dakuten conversion
| |
* move out half width <-> full width converters
* snake_case -> camelCase
* improve toScreamingSnakeCase slicing
| |
* use functions like until
* do not call atEnd for every line, use boolean readLine instead
| |
* Add functions for moving to the beginning/end of words (vi `b', `e').
* As it turns out, there are many possible interpretations of what a
word is. Now we have a function for each reasonable interpretation,
and the default settings match those of vi (and w3m in w3m.toml).
(Exception: it's still broken on line boundaries... TODO)
* Remove `bounds` from lineedit, it was horrible API design and mostly
useless. In the future, an API similar to what pager now has could
be added.
* Update docs, and fix some spacing issues with symbols in the tables.
| |
Even if it were used, it's UB...
| |
* Fix incorrect internal definition of the fragment percent-encode set
* urlenc, urldec: these are simple utility programs mainly for use
with shell local CGI scripts. (Sadly the printf + xargs solution is
not portable.)
* Pass libexec directory as an env var to local CGI scripts
* Update trans.cgi to use urldec and add an example for combining
it with selections
| |
Also for reducing compilation time.
| |
much better
| |
* actually search Combining for isCombining
* fix searchInMap
* fix cmpRange of url
| |
so we do not have to import unicode
| |
* Makefile: fix parallel build, add new binaries to install target
* twtstr: split out libunicode-related stuff to luwrap
* config: quote default gopher2html URL env var for unquote
* adapter/: get rid of types/url dependency, use CURL url in all cases
| |
Avoid computing e.g. charwidth data for http which does not need it
at all.
| |
Also case-sensitive, but for now that is the same as normal matching...
| |
Probably not fully correct, but it's a good start.
Includes proprietary extension -cha-half-width, which converts
full-width characters to half-width ones.
| |
* Paths are now parsed through a unified code path with some useful
additions like environment variable substitution.
* Fix a bug in parseConfigValue where strings would be appended to
existing arrays (and not override them).
* Fix beforeLast calling afterLast for some reason.
* Add a default CGI directory.
| |
* tolower: strutils toLowerAscii is good enough for the cases where
we need it. Also, it's easy to confuse with unicode toLower and
vice versa.
* isWhitespace: in AsciiWhitespace is more idiomatic. Also has a
naming collision with unicode toLower.
| |
Maybe it's easier to avoid accidentally including like this